SecWalk.com

Category: Retired HTB Walkthroughs

HTB Walkthrough Book 10.10.10.176

Summary Foothold After the Nmap scan we see there are only 2 ports open. after poking around we discover the sign up page is vulnerable to an SQL truncation Attack User Once we are logged into the admin and normal site we discover an XSS vulnerability, cause this vulnerability we were able to get the id_rsa key and login to the box Root After some enumeration we discover there is a vulnerability in the log rotate application after exploiting this we were able to take over the machine completely. Enumeration Nmap nmap -sC -sV -p- 10.10.10.176 Web 10.10.10.176 http://10.10.10.176/admin Turns… Read More

HTB Walkthrough ForwardSlash 10.10.10.183

Summary Foothold after some web enumeration we find out there is a backup site which still contains a LFI, after looking around we see there is a dev folder which contains a index.php file, in that file we were able to find credentials. User after successful login we still need to become another user to get more privileges we find out this user must be called pain and he owns a binary called backup, when we run that program we see it would be able to read a file when we have the right time stamp, after abusing that we… Read More

HTB Walkthrough Tabby 10.10.10.194

Summary Tabby is launched on the 20th of June and is rated as an Easy Box. Foothold Nmap shows there are only 3 ports open, 22,80,8080. on port 80 we see a webpage that is vulnerable to LFI User After finding the LFI and the right file we get credentials for the tomcat server which is running on port 8080. we were able to obtain a shell with metasploit. After some enumeration we found a zip file. after successfully brute forcing the password we were able to switch to the user ash and get the user flag. Root Ash id… Read More

HTB Walkthrough ServMon 10.10.10.184

Servmon has been released on 11th of April and has been retired on 20th of June. Servmon is an Easy rated machine. Foothold First we see we have anonymous access to FTP, there is a file that mentions there should be a passwords.txt on the desktop of nathan, after the web enumeration we find out there is a directory traversal. We can use this vulnerability to get the passwords.txt from nathans’s his desktop User After finding those passwords we still had to guess to who these belong, we have used crackmapexec for this. it turns out we have credentials for… Read More

HTB Walkthrough Dyplesher 10.10.10.190

Summary Dyplesher is released on 23 th of may in 2020 Foothold This machine was insane rated. in order to gain a foothold we had to dump .git folder. User After a lot of enumeration and a few logins we finally arrived to the login page where we can upload a malicious plugin so we can get a web shell with code execution, this way I could write my ssh key to this user and were able to login on the box, after looking around we see that we have a group called wireshark, this means we can intercept packets… Read More

HTB Walkthrough Blackfield 10.10.10.192

Box Summary: Blackfield has been released on 6th of june in 2020, Blackfield is rated as Hard. From nmap we can assume that we are dealing with a AD machine, after some enumeration we can connect to SMB anonymously, when we connect to profiles$ we see a lot usernames but a few stands out since they don’t start with capital letters. after some more enumeration we found out that we could try kerbroasting attack. after getting user credentials we needed some logical thinking, what can we do with this user? turns out we can change a password. after that we… Read More

HTB Walkthrough Fuse 10.10.10.193

Box Summary: Fuse has been released on 13th of june in 2020 Fuse is rated as Medium. From nmap we can see we are dealing with a AD machine, after visiting port 80 we get redirected to a DNS name, adding this DNS name to our HOST file and we were able to view the page, it’s a printer page wich contains print job history with value data like usernames. After poking around a bit we could concluded we needed a password, sinds Kerbroasting attack didn’t work we needed something else. after trying a lot we created a password list… Read More

HTB Walkthrough Magic 10.10.10.185

Enumeration Nmap Scan nmap -sV -sC  10.10.10.185 Web page After this I ran gobuster, in order to enumerate the web page for files and directories. gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt.html We see some interesting pages:                 upload.php                 login.php The login page. Bypassing Login Page We can bypass this login page, by SQL injection. Resource: https://portswigger.net/support/using-sql-injection-to-bypass-authentication Username: ‘ or ”=’ Password: ‘ or ”=’ After we have logged into the website, we see an upload page. Where we can upload an image. Exploitation I tried simple uploading bypass to add .jpg at the end of the file.… Read More

HTB Walkthrough Cronos 10.10.10.13

Box summary: Cronos has been released in 2017, Cronos is rated as medium. By scanning the machine we found out that there is DNS running on the system,By querying the DNS server, we found out there is an subdomain called; admin.cronos.htb. That subdomain is vulnerable to a SQL injection bypass. After we successfully bypass the login page, we found out that there was a ping tool that is vulnerable to code execution which enables us to gain a user level system access. Since we have user level access we want to expand that to root level system access, we where… Read More