Cap HTB Walkthrough



Hi Y'all. This is going to be a quick walkthrough of the Cap box. This box is rated as easy. Let's get into it!
# Recon #
Let's start by kicking off a quick nmap scan. The results below show that our target has 3 ports open.
_____________________________________________________________________________________
## PORTS ##

21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http gunicorn

_____________________________________________________________________________________
## Content Discovery ##

Let's start by running dirsearch to see what we can find on this port.


As you can see in the picture above, we found the path /data/2, which lets us download a pcap file. We can analyse the captured traffic and look for information we can use to further attack this box.
Looking at all of the pcap files available on this application, we come across /data/0. As you can see in the picture below, this one has far fewer packets to inspect. So let's download it and look at the traffic.


When in Wireshark, apply a filter on FTP packets. You will find the following:

CREDS!!!
User : nathan
Pass : Buck3tH4TF0RM3!

Using these creds we can gain access to the ftp service of this box. Let's see what we can find. 

It seems the nathan user is serving his home directory!? And as it turns out, nathan is reusing his password! We can use the same credentials to ssh into the box!


 ## Privilege Escalation ##

Now that we have a foothold on the machine, let's try to escalate our privileges to root!

In order to do this we first have to enumerate the box. But you are here to save time, so let me help you!

I searched for the sudo permissions, SUID binaries and capabilities that I could use to escalate our privileges. Fortunately, this box has the python3.8 binary with the cap_setuid capability set!
A quick search on GTFOBins led me to the root shell. You can read about it --> Here

Simply run:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Voila! We are root!
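
To check your own hosts for the misconfiguration used above, here is an added example (not part of the original walkthrough) that parses `getcap -r` output and flags files granting identity-changing capabilities, rating interpreters such as python3.8 as critical. The `DANGEROUS` list, the `INTERPRETER` pattern, the sample lines and the assumption that paths contain no spaces are choices made for this illustration.

```python
import os
import re
import subprocess

# Capabilities that allow changing identity or bypassing file permission checks
# (illustrative, not exhaustive).
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}
# Binaries that run caller-supplied code, so any capability they hold is the caller's.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh|gdb|vim)[\d.]*$")
# One clause of capability text, e.g. "cap_setuid,cap_net_bind_service+eip" or "=ep".
CLAUSE = re.compile(r"^(?P<caps>[a-z0-9_,]*)[=+](?P<flags>[eip]+)$")

# Constructed sample in both getcap output styles (older "path = caps+flags",
# newer "path caps=flags"); not taken from the original post.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup cap_dac_read_search=ep
/usr/bin/perl =ep
"""

def audit(getcap_output):
    """Return (severity, path, risky_caps) for each file granting a dangerous capability."""
    findings = []
    for line in getcap_output.splitlines():
        path, _, text = line.strip().partition(" ")
        risky = set()
        for clause in text.split():
            m = CLAUSE.match(clause)
            if not m or "p" not in m["flags"]:  # also skips the bare "=" separator
                continue
            caps = set(filter(None, m["caps"].split(",")))
            # An empty list or "all" grants every capability.
            risky |= DANGEROUS if not caps or "all" in caps else caps & DANGEROUS
        if risky:
            name = os.path.basename(path)
            severity = "critical" if INTERPRETER.match(name) else "review"
            findings.append((severity, path, sorted(risky)))
    return findings

if __name__ == "__main__":
    try:  # scan the live filesystem when getcap (libcap) is installed
        out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE
    for severity, path, caps in audit(out):
        print(f"{severity:8} {path}: {','.join(caps)}")
```

A flagged grant can be removed with `setcap -r <path>`, after confirming nothing legitimate depends on it.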


There you go peeps! I hope you enjoyed this quick walkthrough of this box. And as always, hopefully this was useful and you learned something new! See you in the next one!

Cheers,

Styx

