-
HTB Tenet
2021-06-22
Tenet starts off with a WordPress site. After some enumeration, a second domain is found, along with a PHP file vulnerable to object injection. From there, an attacker can get a shell, find credentials in a configuration file, and privesc to root by leveraging a race condition. Enumeration Nmap shows port 22 is open for SSH and port 80 is running an HTTP server displaying the default apache2 page. Starting Nmap 7.91 ( https://nmap.…
-
HTB ScriptKiddie
2021-06-16
In ScriptKiddie, we compromise a server run by a pair of script kiddies with an outdated version of msfvenom and chain several misconfigurations to achieve root access. Enumeration Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-07 15:33 UTC Nmap scan report for 10.10.10.226 Host is up (0.19s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA) | 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA) |_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519) 5000/tcp open http Werkzeug httpd 0.…
-
HTB Delivery
2021-05-22
In Delivery, we will leverage misconfigurations in a ticketing system and internal communications channels to gain access to where we certainly shouldn’t be able to go. We will also see another example of where weak and reused passwords make our job easy. Enumeration Starting off, a standard Nmap scan shows both an SSH server on port 22 and a web server on port 80. Starting Nmap 7.91 ( https://nmap.…
-
HTB Ready
2021-05-15
Ready is a GitLab instance where we exploit an SSRF in order to get code execution and find ourselves in a Docker container. We find some credentials to escalate to root inside the container and then leverage the fact it was started with the “privileged” flag to escape the container. Enumeration Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-27 00:15 UTC Nmap scan report for 10.129.90.66 Host is up (0.095s latency).…
-
HTB Bucket
2021-04-24
Bucket is a very interesting box that replicates an AWS Cloud Stack. It’s also quick on the draw with file cleanup, so some scripting is useful to obtain a foothold. Nmap Starting off, the usual nmap scan shows two open ports: a bucket.htb web page on port 80 and SSH on port 22. sudo nmap -sC -sV 10.10.10.212 [sudo] password for nightwolf: Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 22:27 UTC Nmap scan report for 10.…
-
HTB Academy
2021-04-10
Academy is a Linux box that focuses a lot on enumeration and attention to detail for both foothold and privilege escalation. For root it has a simple GTFO bin. Lastly, it was a “special box” that served as a way for HTB to announce academy.hackthebox.eu. Enumeration # Nmap 7.80 scan initiated Sat Nov 7 20:48:08 2020 as: nmap -sC -sV -oA Academy 10.129.20.80 Nmap scan report for 10.129.20.80 Host is up (0.…
-
HTB Passage
2021-03-24
Intro Passage is an Ubuntu box. It had a few privescs and a few tricks up its sleeve to prevent what you might typically do for initial enumeration. Enumeration A standard nmap scan shows that SSH is running on port 22 and an Apache web server is running on port 80. sudo nmap -sV -sC -Pn -oA Passage 10.10.10.206 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-19 17:14 MDT Nmap scan report for 10.…
-
HTB Doctor
2021-03-04
Doctor has a “secure” message board system that allows us to gain code execution. From there, we access logs, find credentials, and privilege escalate to root by taking advantage of our local access to Splunkd. Enumeration sudo nmap -sC -sV 10.10.10.209 -oA Doctor Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-18 19:07 UTC Nmap scan report for 10.10.10.209 Host is up (0.11s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.…
-
HTB Omni
2021-01-09
Omni is an Easy machine from HTB. The info card features a question mark in place of the OS. It’s something a little bit different than normal. I would sharpen your PowerShell skills though. Enumeration We start off with an Nmap scan and see a whole bunch of open ports on what seems to be a Windows machine. Nmap scan report for 10.10.10.204 Host is up (0.081s latency). Not shown: 65529 filtered ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 5985/tcp open upnp Microsoft IIS httpd 8080/tcp open upnp Microsoft IIS httpd | http-auth: | HTTP/1.…
-
HTB OpenKeyS
2020-12-25
OpenKeyS is an OpenBSD box that features CVE-2019-19521, a vulnerability that allows you to gain access to user and ultimately root. Enumeration We start off with an Nmap scan and can see that there are two open ports: 22 for SSH and 80 for OpenBSD httpd. Nmap scan report for 10.10.10.199 Host is up (0.079s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.…