Posts

Inclusion - TryHackMe

thm
What we can learn from this machine: enumerations local-file-inclusion (LFI) socat

    # Nmap 7.91 scan initiated Fri Jun 11 15:50:08 2021 as: nmap -sC -sV -sT -A -oN nmap/nmap-output 10.10.65.107
    Nmap scan report for 10.10.65.107
    Host is up (0.16s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
    |   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
    |_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
    80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
    |_http-title: My blog
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Fri Jun 11 15:50:44 2021 -- 1 IP address (1 host up) scanned in 36.00 seconds

Looks like we got the port 80 http web

Madness - TryHackMe

thm
What I learned from this machine: Enumerations Steganography Python3 script to bruteforce url Screen version 4.5.0 Local Privilege Escalation

Let’s start with an nmap scan.

    # Nmap 7.91 scan initiated Thu Jun 10 17:45:19 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.17.235
    Nmap scan report for 10.10.17.235
    Host is up (0.15s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
    |   256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
    |_  256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https

Bounty-hacker - TryHackMe

thm
Always start with an nmap scan.

    # Nmap 7.91 scan initiated Thu Jun 10 16:35:31 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.55.156
    Nmap scan report for 10.10.55.156
    Host is up (0.18s latency).
    Not shown: 968 filtered ports, 29 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_Can't get directory listing: TIMEOUT
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:10.9.2.182
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 3
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
    |   256 ec:c0:f

Cap - HackTheBox

htb
What we can learn from this machine: Enumeration Python3 Capabilities Wireshark

Always start with an nmap scan. Let’s see what we have on the machine.

    # Nmap 7.91 scan initiated Thu Jun 10 11:37:56 2021 as: nmap -sC -sV -oN Scans/nmap-output 10.10.10.245
    Nmap scan report for 10.10.10.245
    Host is up (0.15s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
    |   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
    |_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
    80/tcp open  http    gunicorn
    | fingerprint-strings:
    |   FourOhFourRequest:
    |     HTTP/1.0 404 NOT FOUND
    |     Server: gunicorn
    |     Date: Thu, 10 Jun 2021 06:20:18 GMT
    |     Connection: close
    |     Content-Type: text/html; charset=utf-8
    |     Content-Length: 232
    |     &l

Spectra - HackTheBox

htb
What we can learn from this machine: Enumeration WordPress MySQL Metasploit

Let’s start with an nmap scan to see what we have on this machine.

    # Nmap 7.91 scan initiated Wed Jun 9 07:17:42 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.10.229
    Nmap scan report for 10.10.10.229
    Host is up (0.15s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.1 (protocol 2.0)
    | ssh-hostkey:
    |_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
    80/tcp   open  http    nginx 1.17.4
    |_http-server-header: nginx/1.17.4
    |_http-title: Site doesn't have a title (text/html).
    3306/tcp open  mysql   MySQL (unauthorized)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_tls-nextprotoneg

Knife - HackTheBox

htb
What we can learn from this machine: Enumeration Burp Suite PHP Vulnerability Ruby - (Knife)

Let’s start with an nmap scan.

    # Nmap 7.91 scan initiated Wed Jun 9 10:33:27 2021 as: nmap -sC -sV -A -Pn -oN scans/nmap-output 10.10.10.242
    Nmap scan report for 10.10.10.242
    Host is up (0.18s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
    |   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
    |_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Emergent Medical Idea
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Wed Jun 9 10:33:51 2

Armageddon - HackTheBox

htb
What we learn from this machine:
Concepts learnt: Enumeration Drupal exploit (metasploit) Snap privilege escalation python2

Let’s do this then. Always start with enumeration.

    # Nmap 7.91 scan initiated Wed Jun 9 08:29:39 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.10.233
    Nmap scan report for 10.10.10.233
    Host is up (0.15s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
    |   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
    |_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
    80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
    |_http-generator: Drupal 7 (http://drupal.org)
    | http-robots.txt: 36 disallowed entries (15 shown)
    | /includes/ /misc/ /modules/ /profiles/ /scripts/
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
    | /INSTAL