HTB Starting Point – Guard

$ ./portScan.sh
The SSH port is open. Let's try the last SSH user we obtained.
$ ssh -i id_rsa daniel@
The SSH login gives us access to a restricted shell, where commands like find, cat and python are disabled. We are unable to read user.txt from this shell. The man command can be used to spawn a bash shell. Once the command opens the manual, we can enter the following command to spawn a

HTB Starting Point – Markup

$ ./ennumeration.sh
Open ports:
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt
The Apache service is running. Let's try to access the site. Access to
In the previous machine, we found credentials stored in an SQL dump. Let's try to reuse them to log into the application. The

HTB Starting Point – Included

$ ./ennumeration.sh
Open ports detected:
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Access to: redirection to
Use OWASP ZAP to scan this site:
This machine is vulnerable to a file inclusion / path traversal attack. According to the application description: The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a
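As an added illustration of the path traversal described above (example code, not part of the original write-up or the target application), the following Python script shows how a file-inclusion parameter such as ?file=../../../../etc/passwd escapes the document root when the value is simply joined onto it, and the containment check that stops it. The document root /var/www/html and the sample parameter values are assumptions; paths are handled lexically with posixpath, so nothing is read from disk.

```python
# Added example, not code from the original write-up: how a file-inclusion
# parameter such as ?file=../../../../etc/passwd escapes the web root, next to
# the containment check that stops it. Paths are handled lexically with
# posixpath, so nothing is read from disk and it runs anywhere.
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the demonstration

# Constructed sample of values an attacker (or a normal user) might send in the
# vulnerable parameter; not taken from the target machine.
SAMPLE_PARAMS = [
    "pages/home.php",
    "images/../index.php",
    "../../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "home.php%00.png",
]


def vulnerable_resolve(param: str) -> str:
    """Mirror of the classic include($_GET['file']) pattern: the decoded value is
    joined onto the document root with no containment check, so '..' walks out
    and an absolute value replaces the root entirely."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(param)))


def safe_resolve(param: str) -> Optional[str]:
    """Decode once, normalise, then refuse anything that does not stay under
    WEB_ROOT. Embedded NUL bytes are refused too, since they truncate the path
    in C-backed runtimes and defeat suffix checks like '.png'."""
    decoded = unquote(param)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # commonpath is component-wise, so /var/www/htmlx is rejected as well.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def classify(params):
    """Map each parameter to (verdict, path the vulnerable code would include,
    path the hardened code would include or None)."""
    result = {}
    for p in params:
        safe = safe_resolve(p)
        result[p] = ("ok" if safe else "traversal", vulnerable_resolve(p), safe)
    return result


if __name__ == "__main__":
    for p, (verdict, vuln, safe) in classify(SAMPLE_PARAMS).items():
        print(f"{verdict:9} {p!r:40} vulnerable -> {vuln!r:32} safe -> {safe!r}")
```

The check decodes the parameter exactly once, which matches what the web server hands the application; if the application decoded a second time, the double-encoded form %252e%252e would need to be decoded before the commonpath test as well.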

HTB Starting Point – Pathfinder

$ ./ennumeration.sh
Open ports detected:
WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default. Using the credentials we obtained in a previous machine, sandra:Password1234!, we can attempt to enumerate Active Directory. We can achieve this using BloodHound; there is a Python BloodHound ingester, which can be found here. Try using old machine credentials… BloodHound is a single

HTB Starting point – Shield

$ ./portScan.sh
Port 80 is open (Microsoft IIS running). Let's try to see what's inside…
$ gobuster dir -u /usr/share/wordlists/dirb/common.txt
There is a WordPress instance. Access to:
Following the last machine's general rule (let's try old credentials), admin/P@s5w0rd! works fine and gives access to the WordPress control panel. Let's use the wp_admin_shell_upload Metasploit module to obtain a functional shell.
$ msfconsole
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
What do we need to use this exploit?

HTB Starting Point – Vaccine

kali@kali:~/ctf-tools$ ./portScan.sh
Remember we found an FTP user in the last machine. Try ftpuser / mc@F1l3ZilL4 and we can access the FTP server.
kali@kali:~/ctf-tools$ ftp
ftp> dir
ftp> get backup.zip
This file is password protected.
kali@kali:~/htb/vaccine$ sudo zip2john backup.zip > hash
zip2john processes input ZIP files into a format to be used with John the Ripper.
kali@kali:~/htb/vaccine$ sudo john hash --fork=4 --wordlist=/opt/rockyou.txt
Different files are found inside the zip file. Open

HTB Starting point – Oopsie

ruben@kali:~/htb/oopsie$ sudo nmap -T4 -p- -A
We have port 80 open with Apache.
ruben@kali:~/htb/oopsie$ sudo nikto -h
According to this result, we have a login page: /cdn-cgi/login/
ruben@kali:~/htb/oopsie$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
There is an upload directory. Access to:
Test credentials from the last machine: admin/MEGACORP_4dm1n!!
The upload section is restricted to the super admin. From the accounts section, using Burp Suite: we have a cookie with

HTB Starting Point – Archetype

kali@kali:~/htb/starting point$ ports=$(nmap -p- --min-rate=1000 -T4 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
kali@kali:~/htb/starting point$ echo $ports
kali@kali:~/htb/starting point$ nmap -sC -sV -p$ports
Ports 445 and 1433 are open -> file sharing (SMB) and SQL Server.
kali@kali:~/htb/starting point$ smbclient -N -L \\\\\\
kali@kali:~/htb/starting point$ smbclient -N \\\\\\backups
dtsConfig file:
ruben@kali:~/tools/impacket/examples$ mssqlclient.py ARCHETYPE/sql_svc@ -windows-auth
Create a new file and save it
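The port-extraction pipeline above (nmap | grep | cut | tr | sed) keeps every line that starts with a digit, so if nmap prints filtered or closed ports they end up in the -p list of the second scan. As an added example (not part of the original write-up), the same extraction rebuilt in Python over a constructed copy of nmap's normal output, keeping only lines whose STATE column is "open". The host address and port list in the sample are illustrative, not the write-up's target.

```python
# Added example, not code from the original write-up: the port-extraction
# pipeline (nmap | grep | cut | tr | sed) rebuilt over a constructed copy of
# nmap's normal output, keeping only lines whose STATE column is "open" so
# that filtered or closed ports never reach the -p list of the second scan.
import re
from typing import List

# Constructed sample of `nmap -p- --min-rate=1000 -T4 <target>` output; the
# host and ports are illustrative, not the write-up's target.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.045s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
1433/tcp  open     ms-sql-s
5985/tcp  filtered wsman

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""

# "<port>/<proto>  <state>  <service>"; the shell version's grep ^[0-9]
# matches the same lines but never looks at the state column.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def open_ports(nmap_output: str, proto: str = "tcp") -> List[int]:
    """Return the open ports of the given protocol, in the order nmap lists them."""
    ports = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.append(int(m.group(1)))
    return ports


def port_spec(nmap_output: str, proto: str = "tcp") -> str:
    """Comma-separated value for `nmap -sC -sV -p<spec>`, i.e. the shell $ports."""
    return ",".join(str(p) for p in open_ports(nmap_output, proto))


if __name__ == "__main__":
    # Usage: pipe a saved scan in, e.g. nmap -p- -T4 <target> -oN scan.txt
    # and read scan.txt here; the sample stands in for that file.
    print("nmap -sC -sV -p" + port_spec(SAMPLE_NMAP_OUTPUT))
```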

IOLI Crackme 0x05 solution

Hello, this is another IOLI crackme challenge solution.
root@kali:~/IOLI-crackme/bin-linux# r2 crackme0x05
Pop 4 bytes from esp and jump there. This level looks very similar to the previous one, so let's try the same method with 16 as the cmp operand.
root@kali:~/IOLI-crackme/bin-linux# ./crackme0x05

IOLI Crackme 0x04 solution

Hello, this is another IOLI crackme challenge solution.
root@kali:~/IOLI-crackme/bin-linux# r2 crackme0x04
Pay attention to these instructions: this section is where a number is compared to something and, if the comparison succeeds, the password will be valid. Something is compared against 15 (0xf). Let's find out which is the other operand. This section looks like a loop. What is being compared to 15 is the parameter of the app, in other words the password.