Posts
read more
HTB Walkthrough - SolidState
Information Gathering
Scanned all TCP ports:
# connect to vpn
sudo openvpn htb_labs.ovpn
# save target IP as machine variable
export IP='10.10.10.51'
#initial nmap scan
nmap -sVC -p- --open -T4 -oN nmap/initial.nmap $IP
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.24 [10.10.14.24])
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open rsip?
| fingerprint-strings:
| GenericLines:
| JAMES Remote Administration Tool 2.3.2
| Please enter your login and password
| Login id:
| Password:
| Login failed for
|_ Login id:
Enumeration
TCP Port 25 - SMTP
Posts
read more
HTB Walkthrough - CozyHosting
Information Gathering
Scanned all TCP ports:
# save target IP as machine variable
export IP='10.10.11.230'
#initial nmap scan
nmap -Pn -sVC -v -p- --open -oN nmap/initial.nmap $IP
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
Posts
HTB Walkthrough - Brainfxck
Resolution summary
- Identified open ports and services using nmap
- Explored the HTTPS website, found alternate hostnames, and extracted an email address from the SSL certificate
- Conducted a wpscan to identify WordPress users and vulnerabilities
- Exploited a Privilege Escalation vulnerability giving us access to the WordPress admin dashboard
- Found SMTP credentials in the Easy WP SMTP Settings and logged into the users mailbox
- The mailbox contained credentials to the Super Secret Forum which I then gained access to
- The forum had an encrypted thread that was deciphered and the location of an id_rsa file was revealed
- The id_rsa file passphrase was cracked an initial access was gained
- Retrieved the user.txt file and located an RSA encryption script called encrypt.sage that was encrypting the contents of the root.txt file
- Used a Python script to decrypt the RSA encrypted content, and then converted and decoded the content to get the contents of the root.txt file.
Posts
read more
HTB Walkthrough - Devvortex
Information Gathering
Scanned all TCP ports:
#nmap scan
nmap -sV -sC -v -p- -T4 -oN nmap/initial $IP --open
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
Posts
read more
HTB Walkthrough - Analytics
Information Gathering
Scanned all TCP ports:
#nmap scan
nmap -sV -sC -v -p- -oN nmap/initial $IP --open
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
TCP Port 80 - HTTP
Posts
HTB Walkthrough - Sunday
Information Gathering Scanned all TCP ports:
#nmap scan nmap -sV -sC -v -p- -T4 -oN nmap/initial $IP --open #nmap results PORT STATE SERVICE VERSION 79/tcp open finger? |_finger: No one logged on\x0D | fingerprint-strings: | GenericLines: | No one logged on | GetRequest: | Login Name TTY Idle When Where | HTTP/1.0 ??? | HTTPOptions: | Login Name TTY Idle When Where | HTTP/1.0 ??? | OPTIONS ??? | Help: | Login Name TTY Idle When Where | HELP ?
read more