Category: Retired HTB Walkthroughs

HTB Walkthrough Book

Summary Foothold After the Nmap scan we see there are only 2 ports open. after poking around we discover the sign up page is vulnerable to an SQL truncation Attack User Once we are logged into the admin and normal site we discover an XSS vulnerability, cause this vulnerability we were able to get the id_rsa key and login to the box Root After some enumeration we discover there is a vulnerability in the log rotate application after exploiting this we were able to take over the machine completely. Enumeration Nmap nmap -sC -sV -p- Web Turns… Read More

HTB Walkthrough ForwardSlash

Summary Foothold after some web enumeration we find out there is a backup site which still contains a LFI, after looking around we see there is a dev folder which contains a index.php file, in that file we were able to find credentials. User after successful login we still need to become another user to get more privileges we find out this user must be called pain and he owns a binary called backup, when we run that program we see it would be able to read a file when we have the right time stamp, after abusing that we… Read More

HTB Walkthrough Tabby

Summary Tabby is launched on the 20th of June and is rated as an Easy Box. Foothold Nmap shows there are only 3 ports open, 22,80,8080. on port 80 we see a webpage that is vulnerable to LFI User After finding the LFI and the right file we get credentials for the tomcat server which is running on port 8080. we were able to obtain a shell with metasploit. After some enumeration we found a zip file. after successfully brute forcing the password we were able to switch to the user ash and get the user flag. Root Ash id… Read More

HTB Walkthrough ServMon

Servmon has been released on 11th of April and has been retired on 20th of June. Servmon is an Easy rated machine. Foothold First we see we have anonymous access to FTP, there is a file that mentions there should be a passwords.txt on the desktop of nathan, after the web enumeration we find out there is a directory traversal. We can use this vulnerability to get the passwords.txt from nathans’s his desktop User After finding those passwords we still had to guess to who these belong, we have used crackmapexec for this. it turns out we have credentials for… Read More

HTB Walkthrough Dyplesher

Summary Dyplesher is released on 23 th of may in 2020 Foothold This machine was insane rated. in order to gain a foothold we had to dump .git folder. User After a lot of enumeration and a few logins we finally arrived to the login page where we can upload a malicious plugin so we can get a web shell with code execution, this way I could write my ssh key to this user and were able to login on the box, after looking around we see that we have a group called wireshark, this means we can intercept packets… Read More

HTB Walkthrough Fuse

Box Summary: Fuse has been released on 13th of june in 2020 Fuse is rated as Medium. From nmap we can see we are dealing with a AD machine, after visiting port 80 we get redirected to a DNS name, adding this DNS name to our HOST file and we were able to view the page, it’s a printer page wich contains print job history with value data like usernames. After poking around a bit we could concluded we needed a password, sinds Kerbroasting attack didn’t work we needed something else. after trying a lot we created a password list… Read More

HTB Walkthrough Magic

Enumeration Nmap Scan nmap -sV -sC Web page After this I ran gobuster, in order to enumerate the web page for files and directories. gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt.html We see some interesting pages:                 upload.php                 login.php The login page. Bypassing Login Page We can bypass this login page, by SQL injection. Resource: Username: ‘ or ”=’ Password: ‘ or ”=’ After we have logged into the website, we see an upload page. Where we can upload an image. Exploitation I tried simple uploading bypass to add .jpg at the end of the file.… Read More