HTB – Sense – without Metasploit

As usual, we start with an nmap scan of the target to find its open ports.

Only ports 80 and 443 are open. Visiting the address in a browser shows the login page of a pfSense firewall.

Let's run a web directory brute force with gobuster. In this case we use the php and txt extensions; -k skips TLS certificate validation, which is needed because the firewall presents a self-signed certificate.

gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x php,txt

The scan reports two interesting files:
/changelog.txt (Status: 200)
/system-users.txt (Status: 200)

system-users.txt gives us the credentials to access the firewall admin panel:

user: rohit
pass: pfsense

After logging in, we look for the firewall version: it's 2.1.3.

On exploit-db.com there's an exploit suitable for our target version:

So we give the exploit the correct parameters to reach the vulnerable remote machine. Be careful: the script must be run with python3, otherwise launching the command produces an error.

It's root!

HTB – Blocky – without Metasploit

Here's a new episode, about the Hack The Box machine Blocky.
As always I try to avoid Metasploit in order to better understand the exploitation process.

The first scan shows some open ports. I then run a full port scan with max retries = 1 to cover the whole machine quickly.
On port 80 there's a website built with WordPress.
As always I start Nikto against port 80, and in this case I add a WPScan run too.


Let's keep these results aside; we'll try other vectors first.

FTP:
The FTP version is reported as vulnerable, but the exploit doesn't work.


So we move to web application brute forcing with DirBuster.

The plugins directory contains two files. Download them!

Jar files are zip archives and can be extracted, e.g. with jar xf file.jar (https://docs.oracle.com/javase/tutorial/deployment/jar/unpack.html).
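As an added example (not code from the original writeup), the Python script below does the same job without the JDK: it opens a jar with the standard zipfile module, walks the constant pool of every class file inside it and returns the string literals, which is where hard-coded credentials like the one in this box end up. Unlike running strings on the file, it returns only CONSTANT_String entries, so class, method and field names are left out. The jar and class file are constructed inline as sample input; SampleCore, sqlUser, sqlPass, example_user and example_password are placeholders, not values from the box.

```python
import io
import struct
import zipfile

# Payload size (after the 1-byte tag) of each fixed-size constant-pool entry,
# JVM spec section 4.4. Tag 1 (Utf8) is variable-length and handled separately.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8,          # Integer, Float, Long, Double
              7: 2, 8: 2, 9: 4, 10: 4, 11: 4,  # Class, String, Field/Method/InterfaceMethodref
              12: 4, 15: 3, 16: 2, 17: 4,      # NameAndType, MethodHandle, MethodType, Dynamic
              18: 4, 19: 2, 20: 2}             # InvokeDynamic, Module, Package


def class_string_literals(data):
    """Return the string literals (CONSTANT_String entries) of one .class file.

    Only the constant pool is parsed: that is enough to recover hard-coded
    credentials, hosts and queries without decompiling.
    """
    if struct.unpack_from(">I", data, 0)[0] != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos, i = 10, 1                                  # pool indexes are 1-based
    utf8 = {}         # pool index -> decoded Utf8 text
    string_refs = []  # Utf8 indexes referenced by CONSTANT_String entries
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack_from(">H", data, pos)[0]
            pos += 2
            # Modified UTF-8 differs from UTF-8 only for NUL and supplementary
            # characters; plain decoding is fine for credential-style literals.
            utf8[i] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag in FIXED_SIZE:
            if tag == 8:
                string_refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += FIXED_SIZE[tag]
            if tag in (5, 6):
                i += 1        # Long and Double occupy two pool slots
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        i += 1
    return [utf8[idx] for idx in string_refs if idx in utf8]


def jar_string_literals(jar_bytes):
    """A jar is a zip: walk every .class inside it and collect the literals."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                result[name] = class_string_literals(zf.read(name))
    return result


def _utf8(text):
    raw = text.encode()
    return b"\x01" + struct.pack(">H", len(raw)) + raw


def build_sample_class():
    """Constructed minimal class file (constant pool only, no methods).

    Pool layout, 1-based:  1 Utf8 "SampleCore"  2 Class #1
      3 Utf8 "sqlUser"  4 Utf8 "example_user"      5 String #4
      6 Utf8 "sqlPass"  7 Utf8 "example_password"  8 String #7
      9 Long (slots 9-10)  11 Utf8 "java/lang/Object"  12 Class #11
    """
    pool = (_utf8("SampleCore") + b"\x07\x00\x01"
            + _utf8("sqlUser") + _utf8("example_user") + b"\x08\x00\x04"
            + _utf8("sqlPass") + _utf8("example_password") + b"\x08\x00\x07"
            + b"\x05" + struct.pack(">Q", 0x1234)
            + _utf8("java/lang/Object") + b"\x07\x00\x0b")
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 13)  # count = entries + 1
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 12, 0, 0, 0, 0)
    return header + pool + trailer


def build_sample_jar():
    """Constructed jar holding the sample class plus a manifest, like a real plugin jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/SampleCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for name, literals in jar_string_literals(data).items():
        print(name, literals)
```

Run it with a real jar as the first argument to list every class and its literals; with no argument it runs against the constructed sample. Literals are returned in constant-pool order, so a user and password assigned in the same constructor usually show up next to each other.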

This is the content of Blockycore.class:
there's a root user and something that seems to be a password. Let's try it on SSH.

The password doesn't work with the root user, but WPScan discovered the user notch, and with that user it works!

Now that we have the password, we check whether the user has sudo rights (sudo -l).

So a simple “sudo su” gives us root.

HTB – Legacy writeup (without Metasploit)

LEVEL: Beginner

In this writeup we'll start with Sparta, a tool for automated enumeration.
I usually run Sparta after the first nmap scan, in order to get more information quickly. Sparta launches nmap and then other tools like Nikto once it discovers a port matching that tool (port 80 or 443 in Nikto's case).

As we can see there are not many options apart from the SMB protocol.
The other important finding is the target OS: Windows XP.

No shares seem to be available on the machine, and no anonymous login is allowed.

It's time to go deeper into enumeration. Nmap has many vuln NSE scripts that can make our enumeration phase easier.
Locate the scripts with:

Let's launch the vuln scripts against our target on port 445.

There are two BIG vulns. The first one is MS08-067, an old vulnerability discovered in 2008. It's possible to exploit it with Metasploit, but I don't want to do that: for those studying for the OSCP it's good to avoid Metasploit, and it's not always easy to find out how to solve machines without that tool.
The other discovered vulnerability is in the SMBv1 server (MS17-010), the vuln that allowed the spread of the WannaCry ransomware in 2017.
Let's try to exploit this one.
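When the vuln scripts run against more than one host it helps to triage the results from nmap's XML output instead of reading the text. The script below is an added example, not part of the writeup: it parses -oX output and lists every (host, port, CVE) that an NSE vuln script marked VULNERABLE or LIKELY VULNERABLE, dropping "NOT VULNERABLE" and closed ports. The XML is a constructed sample mimicking the table/elem layout the NSE vulns library emits for the smb-vuln-* scripts; the addresses and the ms10-054 result are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap --script vuln -p445 -oX scan.xml <target>` output,
# trimmed to the elements the triage needs. The second host has port 445
# filtered so nothing should be reported for it.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script vuln -p445 -oX scan.xml 10.10.10.4">
  <host>
    <address addr="10.10.10.4" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms08-067" output="VULNERABLE">
          <table key="CVE-2008-4250">
            <elem key="title">Microsoft Windows system vulnerable to remote code execution (MS08-067)</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
        <script id="smb-vuln-ms17-010" output="VULNERABLE">
          <table key="CVE-2017-0143">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
        <script id="smb-vuln-ms10-054" output="false"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# vulns library states worth acting on; "NOT VULNERABLE" and "UNKNOWN" are dropped.
ACTIONABLE_STATES = ("VULNERABLE", "LIKELY VULNERABLE")


def vulnerable_findings(xml_text):
    """Return one dict per (host, port, vuln id) flagged by an NSE vuln script."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            for script in port.findall("script"):
                for table in script.findall("table"):
                    vstate = (table.findtext("elem[@key='state']") or "").strip()
                    if not vstate.startswith(ACTIONABLE_STATES):
                        continue
                    findings.append({
                        "host": addr,
                        "port": int(port.get("portid")),
                        "script": script.get("id"),
                        "id": table.get("key"),
                        "state": vstate,
                        "title": table.findtext("elem[@key='title']", ""),
                    })
    return findings


def vulnerable_hosts(xml_text):
    """Sorted hosts with at least one actionable finding, for the next step."""
    return sorted({f["host"] for f in vulnerable_findings(xml_text)})


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in vulnerable_findings(xml_text):
        print(f"{f['host']}:{f['port']}  {f['script']:<22} {f['id']:<15} {f['state']}  {f['title']}")
```

Pass a real scan.xml as the first argument; without one it runs on the sample. Matching on the state element rather than on the script's text output keeps the filter stable across script versions, since the wording of the description changes but the vulns state strings do not.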

This page https://github.com/helviojunior/MS17-010 collects many different exploits related to the EternalBlue vulns.

This particular exploit was tested on XP
https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py

The python script takes the target IP and an executable file as arguments. So, if we generate a malicious executable, we can send it to the victim and get RCE.

Create the payload with msfvenom:

where X.X.X.X is the attacking machine's address, which will receive the reverse shell. Open a listener on port 443 and launch the command:

With systeminfo we can gather information about our target.



We are able to reach the Administrator\Desktop folder, so we have full administrator-level access to the machine.

Enjoy!