Posts for: #Htb

HTB: Poison

#htb  #medium  #freebsd  #lfi  #vnc  #ssh-tunneling  #base64 
ターゲット // Poison
PlatformHTB
OSFreeBSD
DifficultyMedium
IP10.129.1.254

Enumeration

Nmap

▶ Nmap output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

OS: FreeBSD

[]

HTB: Busqueda

#htb  #easy  #linux  #command-injection  #gitea  #relative-path  #docker 
ターゲット // Busqueda
PlatformHTB
OSLinux
DifficultyEasy
IP10.129.228.217

Recon

Nmap

1

nmap -sC -sV -oN nmap/initial 10.129.228.217
▶ Nmap output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open  http    Apache httpd 2.4.52

Requests to the IP get redirected to searcher.htb – add it to /etc/hosts.

[]

HTB: Blue

#htb  #easy  #windows  #ms17-010  #eternalblue 
ターゲット // Blue
PlatformHTB
OSWindows
DifficultyEasy
IP10.129.44.168

Recon

Nothing special needed here – straight to enumeration.

Enumeration

Nmap

▶ Nmap output
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds

OS: Windows 7 Professional 7601 Service Pack 1 x64

[]

HTB: Seal

#htb  #medium  #linux  #tomcat  #403-bypass  #gitbucket  #ansible  #symlink 
ターゲット // Seal
PlatformHTB
OSLinux
DifficultyMedium
IP10.129.95.190

Enumeration

Nmap

▶ Nmap output
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8080/tcp open  http-proxy

Port 8080 - GitBucket

A GitBucket instance with open registration. After registering, we get access to repository info and commit history.

[]

HTB: Forest

#htb  #easy  #windows  #as-rep-roasting  #bloodhound  #dcsync  #writedacl  #active-directory 
ターゲット // Forest
PlatformHTB
OSWindows
DifficultyEasy
IP10.129.157.109

Recon

Standard AD box – DNS, Kerberos, LDAP, SMB all present. Domain: htb.local.

Enumeration

Nmap

▶ Nmap output
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

OS: Windows Server 2016 Standard 14393 x64

[]

HTB: Knife

#htb  #easy  #linux  #php-backdoor  #gtfobins 
ターゲット // Knife
PlatformHTB
OSLinux
DifficultyEasy
IP10.129.44.1

Recon

Nmap

1

nmap -sC -sV -oN nmap/initial 10.129.44.1
▶ Nmap output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH
80/tcp open  http    Apache httpd 2.4.6

OS: Linux (Ubuntu, kernel 5.4.0-80-generic)

[]

HTB: Forge

#htb  #medium  #linux  #ssrf  #ssrf-redirect  #ftp  #python-pdb 
ターゲット // Forge
PlatformHTB
OSLinux
DifficultyMedium
IP10.129.106.197

Recon

Subdomain brute-force reveals admin.forge.htb, but it only responds to requests from localhost:

1
2

curl http://forge.htb -H 'Host: admin.forge.htb'
# Only localhost is allowed!

Enumeration

Nmap

▶ Nmap output
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
80/tcp open     http    Apache httpd 2.4.41

OS: Ubuntu 20.04 (Focal)

[]