HTB Legacy

$sudo nmap -A -T4 -p-
Open ports detected:
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Based on the detected ports, we have SMB here.
$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > run
Which SMB version do we have? Not sure yet…
$nmap -p139 --script smb-protocols -Pn
$nmap -p445 --script smb-protocols -Pn
According to

HTB Lame

$nmap -T4 -p- -A -Pn
Open ports detected:
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
$ftp
No files are detected.
$ssh
$msfconsole
Install Searchsploit
$sudo apt update && sudo apt -y install exploitdb
$searchsploit

HTB Starting Point – Base

$./
Ports detected:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
$gobuster dir -u -w /usr/share/wordlists/dirb/big.txt
Interesting items found: /_uploaded and /login
Access to
The login folder can be listed (due to a misconfiguration of the webserver).
Foothold
Download all three files to analyze them. login.php.swp is a binary file.
$ls -la
$file login.php.swp
As it is described, login.php.swp

HTB Starting Point – Guard

$./
SSH port is open. Let’s try the last SSH user we obtained.
$ssh -i id_rsa daniel@
The SSH login gives us access to a restricted shell, where commands like find, cat and python are disabled. We are unable to read user.txt from this shell.
The man command can be used to spawn a bash shell. Once the command opens the manual, we can enter the following command to spawn a

HTB Starting Point – Markup

$./
Open ports:
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt
Apache service is running. Let’s try to access the site.
Access to
In the previous machine, we found credentials stored in an SQL dump. Let’s try to reuse them to log into the application. The

HTB Starting Point – Included

$./
Open ports detected:
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Access to: redirection to
Use OWASP ZAP to scan this site:
This machine is vulnerable to a File Inclusion / Path Traversal attack. According to the application description: The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a

HTB Starting Point – Pathfinder

$./
Open ports detected:
WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.
Using the credentials we obtained in a previous machine, sandra:Password1234!, we can attempt to enumerate Active Directory. We can achieve this using BloodHound. There is a Python BloodHound ingester, which can be found here.
We can attempt to enumerate Active Directory. Try using old machine credentials… BloodHound is a single

HTB Starting point – Shield

$ ./
Port 80 is open (Microsoft IIS running). Let’s try to see what’s inside…
$ gobuster dir -u /usr/share/wordlists/dirb/common.txt
There is a WordPress instance.
Access to:
Following the last machine’s general rule (let’s try old credentials): admin/P@s5w0rd! will work fine. Access to the WordPress Control Panel.
Let’s use the wp_admin_shell_upload Metasploit exploit to obtain a functional shell.
$ msfconsole
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
What do we need to use this exploit?

HTB Starting Point – Vaccine

kali@kali:~/ctf-tools$ ./
Remember we found an ftp user in the last machine. Try ftpuser / mc@F1l3ZilL4 and we’ll access this ftp.
kali@kali:~/ctf-tools$ ftp
ftp> dir
ftp> get
This file is password protected.
kali@kali:~/htb/vaccine$ sudo zip2john > hash
zip2john processes input ZIP files into a format to be used with John the Ripper.
kali@kali:~/htb/vaccine$ sudo john hash --fork=4 --wordlist="/opt/rockyou.txt"
Different files are found inside the zip file. Open

HTB Starting point – Oopsie

ruben@kali:~/htb/oopsie$ sudo nmap -T4 -p- -A
We have port 80 open with Apache.
ruben@kali:~/htb/oopsie$ sudo nikto -h
According to this result, we have a login site: /cdn-cgi/login/
ruben@kali:~/htb/oopsie$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
There is an upload directory.
Access to:
Test credentials from the last machine: admin/MEGACORP_4dm1n!!
The upload section is restricted to super admin.
From the accounts section using BurpSuite: We have a cookie with