| ターゲット // Pelican | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Medium |
| IP | 192.168.53.98 |
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2181/tcp open eforward
2222/tcp open EtherNetIP-1
8080/tcp open http-proxy
8081/tcp open blackice-icecap
44091/tcp open unknown
Nmap reveals nginx on 8081 redirecting to Exhibitor’s web UI:
| ターゲット // Twiggy | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Easy |
| IP | 192.168.192.62 |
| |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
53/tcp open domain
80/tcp open http nginx 1.16.1
|_http-title: Home | Mezzanine
4505/tcp open zmtp ZeroMQ ZMTP 2.0
4506/tcp open zmtp ZeroMQ ZMTP 2.0
8000/tcp open http nginx 1.16.1
A blog running Mezzanine CMS with an admin login page. No weak credentials, no version info exposed. Moving on.
| ターゲット // Busqueda | |
|---|---|
| Platform | HTB |
| OS | Linux |
| Difficulty | Easy |
| IP | 10.129.228.217 |
| |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open http Apache httpd 2.4.52
Requests to the IP get redirected to searcher.htb – add it to /etc/hosts.
| ターゲット // Bratarina | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Easy |
| IP | 192.168.206.71 |
| |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
25/tcp open smtp OpenSMTPD
|_ 2.0.0 This is OpenSMTPD 2.0.0
53/tcp closed domain
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu
A Flask-based forum. No useful content, weird behavior with empty Host: header. Rabbit hole – moving on.
| ターゲット // Seal | |
|---|---|
| Platform | HTB |
| OS | Linux |
| Difficulty | Medium |
| IP | 10.129.95.190 |
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8080/tcp open http-proxy
A GitBucket instance with open registration. After registering, we get access to repository info and commit history.
| ターゲット // Knife | |
|---|---|
| Platform | HTB |
| OS | Linux |
| Difficulty | Easy |
| IP | 10.129.44.1 |
| |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH
80/tcp open http Apache httpd 2.4.6
OS: Linux (Ubuntu, kernel 5.4.0-80-generic)
| ターゲット // Banzai | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Medium |
| IP | 192.168.89.56 |
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp open smtp Postfix smtpd
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
8080/tcp open http Apache httpd 2.4.25
8295/tcp open http Apache httpd 2.4.25 ((Debian))
No anonymous access. No public exploits for vsftpd 3.0.3 (aside from DoS).
| ターゲット // ClamAV | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Linux |
| Difficulty | Easy |
| IP | 192.168.57.42 |
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
PORT STATE SERVICE VERSION
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp open snmp SNMPv1 server (public)
Sendmail 8.13.4 is ancient. Searchsploit reveals multiple exploits, and importantly – one that involves ClamAV (hint from the box name):
| ターゲット // Forge | |
|---|---|
| Platform | HTB |
| OS | Linux |
| Difficulty | Medium |
| IP | 10.129.106.197 |
Subdomain brute-force reveals admin.forge.htb, but it only responds to requests from localhost:
| |
21/tcp filtered ftp
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
80/tcp open http Apache httpd 2.4.41
OS: Ubuntu 20.04 (Focal)