HTB Curling

$ nmap -T4 -A -p- $ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u -e If we access to, we’ll find a Joomla login form. Accessing to, Based on the published post there are these users: Super User Floris Looking at the source code, there is a suspicious secret.txt file somewhere. This string seems to be encoded. Searching for «linux decode string», Google gives us the suggestion of

HTB Postman

$ nmap -A -p- -T4 Open ports: 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 6379/tcp open redis Redis key-value store 4.0.9 10000/tcp open http MiniServ 1.910 (Webmin httpd) $ gobuster dir -u -w Access to Access to Access to Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV Although nmap says port 80 is open, it also appears as tcpwrapped. What does that mean? Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,

HTB Irked

$ nmap -A -T4 -p- Access to According to Nmap’s results, we have these open ports related to UnrealIRCd: 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb) Since this box runs an IRC server, let’s start by trying to connect to it. $ sudo irssi 65534 According to this, we have UnrealIRC version $ searchsploit unrealirc Exploiting UnrealIRC

HTB OpenAdmin

Enumeration $ nmap -A -T4 -p- $ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e Access to Access to There is a login link. Click it and you’ll be redirected to Based on this screenshot, we have an OpenNetAdmin (v18.1.1) Access to Access to Vulnerability analysis $ searchsploit opennetadmin $ searchsploit -x 47691 The -d option in curl means data. -d, --data: (HTTP MQTT) Sends the specified data in a POST

HTB Friendzone

$ sudo nmap -A -T4 -p- $ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u Access to Access to We discovered that the SSL certificate uses a common name of (it is a vhost). So we can then access (after this host was added to the /etc/hosts file) We can do a zone transfer for that domain I saw earlier on the main page and get the

HTB Access

$ nmap -A -T4 -p- Open ports detected: • 21/tcp open ftp Microsoft ftpd • 23/tcp open telnet? • 80/tcp open http Microsoft IIS httpd 7.5 $ ftp ftp> dir ftp> cd Backups ftp> dir ftp> get backup.mdb ftp> cd .. ftp> dir ftp> cd Engineer ftp> dir ftp> get «Access» The files haven’t been downloaded correctly. By default, ftp transfer mode is set for text files. We need to download these files again, this time using

HTB Active

$ sudo nmap -A -T4 -p- Let’s enumerate SMB resources using SMBMap. $ smbmap -H $ smbclient // smb: > dir This share seems to be a copy of the SYSVOL share. According to the information found in: Finding Passwords in SYSVOL & Exploiting Group Policy Preferences Attack Methods for Gaining Domain Admin Rights in Active Directory We need to find a file such as groups.xml, scheduledtasks.xml or Services.xml where

HTB Sense

$ nmap -A -T4 -p- sense.htb $ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e We need to skip SSL certificate verification using the -k option. $ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k $ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt We’ve found 2 text documents: changelog.txt system-users.txt Company defaults? As we have a pfSense site, we can try the default pfSense password (pfsense) Access to This

HTB Valentine

$ sudo nmap -T4 -A -p- $ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k $ nikto -h $ sudo nmap --script vuln -p 80 $ sudo nmap --script vuln -p 443 Based on these results, this box is vulnerable to Heartbleed. $ python $ strings dump.bin Using aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== heartbleedbelievethehype Access to This is hexadecimal encoding. If we use a hexa