Linux CTF

Step 1. Reconnaissance & Enumeration nmap -Pn -n -p- -g 53 mango.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` mango.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/ssl Apache httpd (SSL-only mode) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Mango | Search Base | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel The Nmap scan reveals ports 22, 80 and 443 running their usual services. Additionally, Nmap found a vhost named staging-order.mango.htb referred to in the SSL certificate. Let’s add mango.htb and staging-order.mango.htb to /etc/hosts , and proceed with our enumeration. ...

Step 1. Reconnaissance & Enumeration nmap -Pn -n -p- -g 53 traverxec.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` traverxec.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) | ssh-hostkey: | 2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA) | 256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA) |_ 256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519) 80/tcp open http nostromo 1.9.6 |_http-server-header: nostromo 1.9.6 |_http-title: TRAVERXEC Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel On looking for nostromo exploit we found RCE vulnerability. ...

Step 1. Reconnaissance & Enumerati It was found that nmap is taking long time. Therefore used masscan to scan all ports of forest machine. nmap -Pn -n -p- -g 53 registry.htb --min-rate 1000 -oA port_scan cat port_scan.nmap | grep "open" | cut -d '/' -f 1 > port_scan.txt cat port_scan.txt | tr '\n' ',' | sed s/,$// > port_scan.txt nmap -Pn -n -sC -sV -p `cat port_scan.txt` registry.htb -oA version_scan PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA) | 256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA) |_ 256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Welcome to nginx! 443/tcp open ssl/http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Welcome to nginx! | ssl-cert: Subject: commonName=docker.registry.htb | Not valid before: 2019-05-06T21:14:35 |_Not valid after: 2029-05-03T21:14:35 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Interesting. An Active Directory forest as the name suggests with one domain HTB? We find the users using one of the below method. ...