Obscurity HTB Writeup

Step 1. Reconnaissance & Enumeration

Let's start with the nmap scan. The port list is built in a single pipeline so that port_scan.txt is not truncated while it is still being read:

nmap -Pn -n -p- obscurity.htb --min-rate=1000 | grep "open" | cut -d '/' -f 1 | sort -n | tr '\n' ',' | sed 's/,$//' > port_scan.txt

The version scan reports the following information.

nmap -Pn -n -sC -sV -p `cat port_scan.txt` obscurity.htb -oA version_scan

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA)
|   256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA)
|_  256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519)
8080/tcp open  http-proxy BadHTTPServer
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Mon, 11 May 2020 06:37:57
|     Server: BadHTTPServer
|     Last-Modified: Mon, 11 May 2020 06:37:57
|     Content-Length: 4171
|     Content-Type: text/html
|     Connection: Closed
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>0bscura</title>

nmap shows two ports open, SSH (22) and HTTP (8080). Visiting the page on port 8080 shows that it doesn't do much, but it gives information about the Obscura web server. When I try to run gobuster, things break. ...

Walkthrough CTF HTB  •  May 11, 2020 • (updated August 4, 2023) • 8 min

Control HTB Writeup

Step 1. Reconnaissance & Enumeration

Let's start with the nmap scan. The raw output is saved with tee to port_scan.nmap, and the comma-separated port list is built in one pipeline so that port_scan.txt is not truncated while it is still being read:

nmap -Pn -n -p- control.htb --min-rate=1000 | tee port_scan.nmap | grep "open" | cut -d '/' -f 1 | sort -n | tr '\n' ',' | sed 's/,$//' > port_scan.txt

The version scan reports the following information.

nmap -Pn -n -sC -sV -p `cat port_scan.txt` 10.10.10.167 -oA version_scan

PORT      STATE SERVICE VERSION
80/tcp    open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Fidelity
135/tcp   open  msrpc   Microsoft Windows RPC
3306/tcp  open  mysql?
| fingerprint-strings:
|   Help, RPCCheck, oracle-tns:
|_    Host '10.10.16.14' is not allowed to connect to this MariaDB server
49666/tcp open  msrpc   Microsoft Windows RPC
49667/tcp open  msrpc   Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

WhatWeb reveals that PHP version 7.3.7 is installed. The IIS version is 10.0, which indicates that this is Windows Server 2016 or Windows Server 2019. ...

Walkthrough CTF HTB  •  April 28, 2020 • (updated August 8, 2023) • 7 min

Mango HTB Writeup

Step 1. Reconnaissance & Enumeration

The port list is built in a single pipeline so that port_scan.txt is not truncated while it is still being read:

nmap -Pn -n -p- -g 53 mango.htb --min-rate 1000 -oA port_scan
cat port_scan.nmap | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//' > port_scan.txt
nmap -Pn -n -sC -sV -p `cat port_scan.txt` mango.htb -oA version_scan

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/ssl  Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Nmap scan reveals ports 22, 80 and 443 running their usual services. Additionally, Nmap found a vhost named staging-order.mango.htb referred to in the SSL certificate. Let's add mango.htb and staging-order.mango.htb to /etc/hosts, and proceed with our enumeration. ...

Walkthrough CTF HTB  •  April 24, 2020 • (updated September 22, 2022) • 5 min

Traverxec HTB Writeup

Step 1. Reconnaissance & Enumeration

The port list is built in a single pipeline so that port_scan.txt is not truncated while it is still being read:

nmap -Pn -n -p- -g 53 traverxec.htb --min-rate 1000 -oA port_scan
cat port_scan.nmap | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//' > port_scan.txt
nmap -Pn -n -sC -sV -p `cat port_scan.txt` traverxec.htb -oA version_scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking for a nostromo exploit, we found an RCE vulnerability. ...

Walkthrough CTF HTB  •  April 22, 2020 • (updated September 22, 2022) • 4 min

Registry HTB Writeup

Step 1. Reconnaissance & Enumeration

It was found that nmap was taking a long time, so masscan was used to scan all ports of the Forest machine. The port list is built in a single pipeline so that port_scan.txt is not truncated while it is still being read:

nmap -Pn -n -p- -g 53 registry.htb --min-rate 1000 -oA port_scan
cat port_scan.nmap | grep "open" | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//' > port_scan.txt
nmap -Pn -n -sC -sV -p `cat port_scan.txt` registry.htb -oA version_scan

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
|   256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
|_  256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
80/tcp  open  http     nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=docker.registry.htb
| Not valid before: 2019-05-06T21:14:35
|_Not valid after:  2029-05-03T21:14:35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interesting. An Active Directory forest, as the name suggests, with one domain, HTB? We find the users using one of the methods below. ...

Walkthrough CTF HTB  •  April 16, 2020 • (updated August 8, 2023) • 6 min

Forest HTB Writeup

Step 1. Reconnaissance & Enumeration

It was found that nmap was taking a long time, so masscan was used to scan all ports of the Forest machine.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=1000
nmap -Pn -n -sC -sV -p<port numbers> 10.10.10.151 -oA version_scan

Host script results:
|_clock-skew: mean: 2h29m01s, deviation: 4h02m30s, median: 9m01s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-03-31T04:29:33-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-31T11:29:38
|_  start_date: 2020-03-31T09:14:45

Interesting. An Active Directory forest, as the name suggests, with one domain, HTB? We find the users using one of the methods below. ...

Walkthrough CTF HTB  •  March 31, 2020 • (updated September 22, 2022) • 5 min