Posts
HTB Walkthrough - Included

Information Gathering
Scanned all TCP ports:
# save target IP as local variable
export ip='10.129.95.185'
#initial scan
rustscan -a $ip -- -sVC --open -oN initial
# scan results
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.95.185/?file=home.php
# udp scan results
Revealed 69/udp tftp was open
Steps 2 Pwn
HTB Walkthrough - Unified

Information Gathering
Scanned all TCP ports:
# save target IP as machine variable
export ip='10.129.54.95'
#initial scan
rustscan -a $ip -- -sVC --open -oN initial
#scan results
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
<SNIP>
6789/tcp open ibm-db2-admin? syn-ack ttl 63
8080/tcp open http-proxy syn-ack ttl 63
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.129.54.95:8443/manage
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Tue, 14 Jan 2025 04:33:00 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| <SNIP>
| Location: http://localhost:8080/manage
| </SNIP>
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open ssl/nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
<SNIP>
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
8843/tcp open ssl/unknown syn-ack ttl 63
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Tue, 14 Jan 2025 04:33:25 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
<SNIP>
|_ Request</h1></body></html>
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
<SNIP>
8880/tcp open cddbp-alt? syn-ack ttl 63
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Tue, 14 Jan 2025 04:33:01 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title<SNIP>
Steps 2 Pwn
HTB Walkthrough - Vaccine

Information Gathering
Scanned all TCP ports:
# save target IP as machine variable
export ip='10.129.93.161'
#initial scan
rustscan -a $ip -- -sV --open -oN initial
#nmap results
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Steps 2 Pwn
HTB Walkthrough - SolidState

Information Gathering
Scanned all TCP ports:
# connect to vpn
sudo openvpn htb_labs.ovpn
# save target IP as machine variable
export IP='10.10.10.51'
#initial nmap scan
nmap -sVC -p- --open -T4 -oN nmap/initial.nmap $IP
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.24 [10.10.14.24])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
Enumeration
TCP Port 25 - SMTP
HTB Walkthrough - CozyHosting

Information Gathering
Scanned all TCP ports:
# save target IP as machine variable
export IP='10.10.11.230'
#initial nmap scan
nmap -Pn -sVC -v -p- --open -oN nmap/initial.nmap $IP
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
HTB Walkthrough - Brainfxck

Resolution summary
- Identified open ports and services using nmap
- Explored the HTTPS website, found alternate hostnames, and extracted an email address from the SSL certificate
- Conducted a wpscan to identify WordPress users and vulnerabilities
- Exploited a Privilege Escalation vulnerability giving us access to the WordPress admin dashboard
- Found SMTP credentials in the Easy WP SMTP Settings and logged into the user's mailbox
- The mailbox contained credentials to the Super Secret Forum which I then gained access to
- The forum had an encrypted thread that was deciphered and the location of an id_rsa file was revealed
- The id_rsa file passphrase was cracked and initial access was gained
- Retrieved the user.txt file and located an RSA encryption script called encrypt.sage that was encrypting the contents of the root.txt file
- Used a Python script to decrypt the RSA encrypted content, and then converted and decoded the content to get the contents of the root.txt file.