HTB Starting Point – Pathfinder

 $./ Open ports detected:  WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.  Using the credentials we obtained in a previous machine; sandra:Password1234!, we can attempt to enumerate Active Directory. We can achieve this using BloodHound. There is a python bloodhound ingester, which can be found here.  We can attempt to enumerate Active Directory. Try using old machine credentials… BloodHound is a single

HTB Starting point – Shield

$ ./ Port 80 is open (Microsoft IIS running) Let’s try to see what’s inside… $ gobuster dir -u /usr/share/wordlists/dirb/common.txt There is a WordPress instance. Access to: Following the last machine’s general rule (let’s try old credentials): admin/P@s5w0rd! will work fine. Access to the WordPress Control Panel. Let’s use a wp_admin_shell_upload Metasploit exploit to obtain a functional shell. $ msfconsolemsf5 > use exploit/unix/webapp/wp_admin_shell_upload What do we need to use this exploit?

HTB Starting Point – Vaccine

kali@kali:~/ctf-tools$ ./ Remember we found a ftp user in the last machine  Try ftpuser / mc@F1l3ZilL4 and we’ll access to this ftp kali@kali:~/ctf-tools$ ftp ftp> dir ftp> get This file is password protected kali@kali:~/htb/vaccine$ sudo zip2john > hash zip2john processes input ZIP files into a format to be used with John the Ripper kali@kali:~/htb/vaccine$ sudo john hash –fork=4 –wordlist=»/opt/rockyou.txt» Different files are found inside the zip file. Open

HTB Starting point – Oopsie

ruben@kali:~/htb/oopsie$ sudo nmap -T4 -p- -A We have port 80 open with apache. ruben@kali:~/htb/oopsie$ sudo nikto -h According to this result, we have a login site: /cdn-cgi/login/ ruben@kali:~/htb/oopsie$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e There is an upload directory. Access to: Test credentials from the last machine: admin/MEGACORP_4dm1n!! The upload section is restricted to super admin. From the accounts section using BurpSuite: We have a cookie with

HTB Starting Point – Archetype

kali@kali:~/htb/starting point$ ports=$(nmap -p- –min-rate=1000 -T4 | grep ^[0-9] | cut -d ‘/’ -f 1 | tr ‘\n’ ‘,’ | sed s/,$//) kali@kali:~/htb/starting point$ echo $ports kali@kali:~/htb/starting point$  nmap -sC -sV -p$ports Ports 445 and 1433 are open -> file sharing (SMB)  i SQL Server. kali@kali:~/htb/starting point$ smbclient -N -L \\\\\\ kali@kali:~/htb/starting point$ smbclient -N \\\\\\backups dtsConfig file: ruben@kali:~/tools/impacket/examples$ ARCHETYPE/sql_svc@ -windows-auth Create a new file and save it