Posts
HTB Walkthrough - CozyHosting

Information Gathering
Scanned all TCP ports:
# save target IP as machine variable
export IP='10.10.11.230'
#initial nmap scan
nmap -Pn -sVC -v -p- --open -oN nmap/initial.nmap $IP
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
HTB Walkthrough - Brainfxck

Resolution summary
- Identified open ports and services using nmap
- Explored the HTTPS website, found alternate hostnames, and extracted an email address from the SSL certificate
- Conducted a wpscan to identify WordPress users and vulnerabilities
- Exploited a Privilege Escalation vulnerability giving us access to the WordPress admin dashboard
- Found SMTP credentials in the Easy WP SMTP Settings and logged into the user's mailbox
- The mailbox contained credentials to the Super Secret Forum which I then gained access to
- The forum had an encrypted thread that was deciphered and the location of an id_rsa file was revealed
- The id_rsa file passphrase was cracked and initial access was gained
- Retrieved the user.txt file and located an RSA encryption script called encrypt.sage that was encrypting the contents of the root.txt file
- Used a Python script to decrypt the RSA encrypted content, and then converted and decoded the content to get the contents of the root.txt file.
HTB Walkthrough - Devvortex

Information Gathering
Scanned all TCP ports:
#nmap scan
nmap -sV -sC -v -p- -T4 -oN nmap/initial $IP --open
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
HTB Walkthrough - Analytics

Information Gathering
Scanned all TCP ports:
#nmap scan
nmap -sV -sC -v -p- -oN nmap/initial $IP --open
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
HTB Walkthrough - Sunday

Information Gathering
Scanned all TCP ports:
#nmap scan
nmap -sV -sC -v -p- -T4 -oN nmap/initial $IP --open
#nmap results
PORT STATE SERVICE VERSION
79/tcp open finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ?
HTB Walkthrough - Poison

Resolution summary
- LFI on main webpage
- Reverse Shell via LFI
- Lateral escalation via weak encrypted password
- Privilege escalation via VNC running as root and password in zip file
- Root obtained and flags captured