
HTB Curling

$ nmap -T4 -A -p- 10.10.10.150
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u http://10.10.10.150 -e
If we access http://10.10.10.150/administrator/, we'll find a Joomla login form.
Accessing http://10.10.10.150, based on the published post there are these users: Super User, Floris.
Looking at the source code, there is a suspicious secret.txt file somewhere: http://10.10.10.150/secret.txt
This string seems to be encoded. Searching for «linux decode string», Google gives us the suggestion of

HTB Postman

$ nmap -A -p- -T4 10.10.10.160
Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
$ gobuster dir -u http://10.10.10.160 -w
Access to http://10.10.10.160
Access to http://10.10.10.160:10000
Access to https://10.10.10.160:1000
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV 10.10.10.138
Although nmap says port 80 is open, it also appears as tcpwrapped. What does that mean?
Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,

HTB Irked

$ nmap -A -T4 -p- 10.10.10.117
Access to http://10.10.10.117
According to Nmap's results, we have these open ports related to UnrealIRCd:
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)
As we have an IRC server in this box, let's start by trying to connect to it.
$ sudo irssi 10.10.10.117 65534
According to this, we have UnrealIRCd version 3.2.8.1
$ searchsploit unrealirc
Exploiting UnrealIRC

HTB OpenAdmin

Enumeration
$ nmap -A -T4 -p- 10.10.10.171
$ gobuster dir -u 10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e
Access to http://10.10.10.171
Access to http://10.10.10.171/music
There is a login link. Click it and you'll be redirected to http://10.10.10.171/ona
Based on this screenshot, we have an OpenNetAdmin (v18.1.1)
Access to http://10.10.10.171/sierra
Access to http://10.10.10.171/artwork
Vulnerability analysis
$ searchsploit opennetadmin
$ searchsploit -x 47691
The -d option in curl means data. -d, --data: (HTTP MQTT) Sends the specified data in a POST

HTB Friendzone

$ sudo nmap -A -T4 -p- 10.10.10.123
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u http://10.10.10.123/
Access to http://10.10.10.123
Access to https://10.10.10.123/
We discovered that the SSL cert uses friendzone.red as its common name (it is a vhost). So we can then access https://friendzone.red/ (after this host was added to the /etc/hosts file).
We can do a zone transfer for that domain I saw earlier on the main page and get the

HTB Access

$ nmap -A -T4 -p- 10.10.10.98
Open ports detected:
• 21/tcp open ftp Microsoft ftpd
• 23/tcp open telnet?
• 80/tcp open http Microsoft IIS httpd 7.5
$ ftp 10.10.10.98
ftp> dir
ftp> cd Backups
ftp> dir
ftp> get backup.mdb
ftp> cd ..
ftp> dir
ftp> cd Engineer
ftp> dir
ftp> get "Access Control.zip"
The files haven't been downloaded correctly. By default, ftp transfer mode is set for text files. We need to download these files again, but this time using

HTB Active

$ sudo nmap -A -T4 -p- 10.10.10.100
Let's enumerate SMB resources using SMBMap.
$ smbmap -H 10.10.10.100
$ smbclient //10.10.10.100/Replication
smb: \> dir
This share seems to be a copy of SYSVOL. According to the information found in "Finding Passwords in SYSVOL & Exploiting Group Policy Preferences" and "Attack Methods for Gaining Domain Admin Rights in Active Directory", we need to find a file such as groups.xml, scheduledtasks.xml or Services.xml where

HTB Sense

$ nmap -A -T4 -p- sense.htb
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e
We need to skip SSL certificate verification using the -k option.
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k
$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt
We've found 2 text documents:
changelog.txt
system-users.txt
Company defaults? As we have a pfSense site, we can try the default pfSense password (pfsense).
Access to http://10.10.10.60
This

HTB Valentine

$ sudo nmap -T4 -A -p- 10.10.10.79
$ gobuster dir -u https://10.10.10.79 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k
$ nikto -h 10.10.10.79
$ sudo nmap --script vuln -p 80 10.10.10.79
$ sudo nmap --script vuln -p 443 10.10.10.79
Based on these results, this box is vulnerable to Heartbleed.
https://github.com/sensepost/heartbleed-poc
$ python heartbleed-poc.py 10.10.10.79
$ strings dump.bin
Using https://www.base64decode.org/, aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== decodes to heartbleedbelievethehype
Access to https://10.10.10.79/dev
https://10.10.10.79/dev/notes.txt
https://10.10.10.79/dev/hype_key
This is hexadecimal encoding. If we use a hexa