Description Plattform: Hack the BoxLink: https://app.hackthebox.com/machines/123Difficulty: Medium 🟠 Enumeration NMAP We’ll find just two ports open: The ports indicate an application called Achat. A quick Google search reveals that Achat is a Windows-based chat application that supports direct messaging and file sharing within a local network. A working exploit can quickly be found using Searchsploit. …
Introduction The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to access. Enumeration NMAP The scan shows that some mail ports …
Introduction This is a second server that is accessible to everyone in the internal network. The client was informed that such servers are often targeted by attackers and has included this server in the scope. The goal is to gather information about the server and exploit any potential vulnerabilities. Additionally, a user named HTB has …
Introduction Inlanefreight Ltd has commissioned a penetration test on their internal network to assess security. The focus is on an internal DNS server, with the goal of gathering information without using aggressive attacks or exploits. Credentials (“ceil:qwer1234”) have been found, and there are indications of SSH keys. A file named `flag.txt` is located on the …
Important Note Enumeration NMAP Share Enumeration User Enumeration Foothold To establish a foothold, use the credentials and spawn a shell on the system using Evil-WinRM. This provides a list of existing users on the system, but the relationship between them and your access is still missing. For this, BloodHound is the best tool to use. …
Enumeration NMAP SMB Anonymous login to the share /HR is possible. To view the file, its better to download it. The file contains a password for a user, but the user is not known. Searched for usernames in the infrastructure, but unfortunately found nothing. Attempting to enumerate usernames using Impacket. The following users can be …
Enumeration NMAP Directory Listing I think that was a bug, because when I started the mashine again the next day, this directory was gone. CIF Analyzer Checking whether simple credentials like admin or admin:password work, but that is not the case. So, a separate user must be created to access the page. I tested uploading …
Enumeraton NMAP Website Nothing particularly interesting, except further down, where you are redirected to a subdomain via the button for SQLPAD. The tool appears to allow the execution of SQL queries. The version can be viewed by clicking the three dots in the top-right corner. Exploit There is a CVE associated with this version: CVE-2022-0944 …
General Windows Mashinehttps://app.hackthebox.com/machines/3 Walkthru We start as usual with our nmap-scan We found FTP with enabled anonymous login, lets use this for us. Download all files from the FTP to our current directoy There are only the FIles from the web server. After a test if you can write on the FTP with MSFVENOM create …
General Active Directory Maschinehttps://app.hackthebox.com/machines/148 Walkthru First of all perform nmap-scan SMB 445 is open, lets check if we can login with anonymous-login Works! Lets login to the directory that we saw Download all files, and check them locally We found some information in the Groups.xml. Lets try to decrypt the hash. Looks like we found …