HTB-UnderPass

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali/UnderPass ❯ nmap underpass.htb -sSCV -Pn -T4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-22 11:26 CST Nmap scan report for underpass.htb (10.10.11.48) Host is up (0.12s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA) |_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519) 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) |_http-server-header: Apache/2.4.52 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.04 seconds Open TCP ports: 22, 80 ...

December 22, 2024 · 4 min · 1574 words · HYH

Sherlocks-Reaper

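Sherlock Scenario Our SIEM alerted us to a suspicious logon event that needs to be looked at immediately. The alert details were that the IP address and the source workstation name did not match. You are provided with a network capture and event logs from the time surrounding the incident timeframe. Correlate the given evidence and report back to the SOC manager. ...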

December 21, 2024 · 3 min · 1470 words · HYH

HTB-Instant

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Instant ❯ nmap instant.htb -sSCV -Pn -T4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 11:39 CST Nmap scan report for instant.htb (10.10.11.37) Host is up (0.097s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA) |_ 256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519) 80/tcp open http Apache httpd 2.4.58 |_http-title: Instant Wallet |_http-server-header: Apache/2.4.58 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds Open ports: 22, 80 ...

December 20, 2024 · 3 min · 1227 words · HYH

Fortresses-Jet

About After reaching the Hacker rank on HTB you can access Advanced Labs; this post covers the Jet challenge in Fortresses. Connect The Nmap scan results are as follows [root@kali] /home/kali/Jet ❯ nmap 10.13.37.10 -T4 -Pn -sS Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 15:06 CST Nmap scan report for jet.com (10.13.37.10) Host is up (0.38s latency). Not shown: 994 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 2222/tcp open EtherNetIP-1 5555/tcp open freeciv 7777/tcp open cbt Open port 80 in a browser to get the flag ...

December 19, 2024 · 9 min · 4249 words · HYH

HTB-Chemistry

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap Chemistry.htb -sS -Pn -T4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 20:11 CST Nmap scan report for Chemistry.htb (10.10.11.38) Host is up (0.10s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 5000/tcp open upnp Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds Open ports: 22, 5000 ...

December 17, 2024 · 3 min · 1302 words · HYH

HTB-Heal

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Heal ❯ nmap -sSCV -Pn heal.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 17:29 CST Nmap scan report for heal.htb (10.10.11.46) Host is up (0.085s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA) |_ 256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Heal |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.40 seconds Open ports: 22, 80 ...

December 15, 2024 · 4 min · 1738 words · HYH

HTB-LinkVortex

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap -sSCV -Pn LinkVortex.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 21:44 CST Nmap scan report for LinkVortex.htb (10.10.11.47) Host is up (0.088s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA) |_ 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519) 80/tcp open http Apache httpd |_http-server-header: Apache | http-title: BitByBit Hardware |_Requested resource was http://linkvortex.htb/ | http-robots.txt: 4 disallowed entries |_/ghost/ /p/ /email/ /r/ |_http-generator: Ghost 5.58 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds Subdomain Fuzz [root@kali] /home/kali/LinkVortex ❯ ffuf -u http://linkvortex.htb/ -w ./fuzzDicts/subdomainDicts/main.txt -H "Host:FUZZ.linkvortex.htb" -mc 200 ⏎ /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://linkvortex.htb/ :: Wordlist : FUZZ: /home/kali/LinkVortex/fuzzDicts/subdomainDicts/main.txt :: Header : Host: FUZZ.linkvortex.htb :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200 ________________________________________________ dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 73ms] :: Progress: [167378/167378] :: Job [1/1] :: 500 req/sec :: Duration: [0:05:55] :: Errors: 46 :: Found: dev.linkvortex.htb; add it to /etc/hosts ...

December 9, 2024 · 4 min · 1695 words · HYH

HTB-Certified

Box Info OS Windows Difficulty Medium As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09 Nmap ┌──(root㉿kali)-[/home/kali/Certified] └─# nmap -sSCV -Pn -p- Certified.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 20:00 CST Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 90.13% done; ETC: 20:02 (0:00:15 remaining) Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining) Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining) Nmap scan report for Certified.htb (10.10.11.41) Host is up (0.083s latency). Not shown: 65514 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-06 18:49:00Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49683/tcp open msrpc Microsoft Windows RPC 49715/tcp open msrpc Microsoft Windows RPC 49737/tcp open msrpc Microsoft Windows RPC 49772/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2024-12-06T18:49:56 |_ start_date: N/A |_clock-skew: mean: 6h45m58s, deviation: 0s, median: 6h45m58s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 254.91 seconds GetAllUserName ┌──(root㉿kali)-[~kali/Certified] └─# crackmapexec smb certified.htb -u "judith.mader" -p "judith09" --rid-brute | grep SidTypeUser SMB Certified.htb 445 DC01 500: CERTIFIED\Administrator (SidTypeUser) SMB Certified.htb 445 DC01 501: CERTIFIED\Guest (SidTypeUser) SMB Certified.htb 445 DC01 502: CERTIFIED\krbtgt (SidTypeUser) SMB Certified.htb 445 DC01 1000: CERTIFIED\DC01$ (SidTypeUser) SMB Certified.htb 445 DC01 1103: CERTIFIED\judith.mader (SidTypeUser) SMB Certified.htb 445 DC01 1105: CERTIFIED\management_svc(SidTypeUser) SMB Certified.htb 445 DC01 1106: CERTIFIED\ca_operator (SidTypeUser) SMB Certified.htb 445 DC01 1601: CERTIFIED\alexander.huges (SidTypeUser) SMB Certified.htb 445 DC01 1602: CERTIFIED\harry.wilson (SidTypeUser) SMB Certified.htb 445 DC01 1603: CERTIFIED\gregory.cameron (SidTypeUser) Bloodhound ┌──(root㉿kali)-[~kali/Certified] └─# bloodhound-python -u judith.mader -p 'judith09' -c All -d certified.htb -ns 10.10.11.41 INFO: Found AD domain: certified.htb INFO: Getting TGT for 
user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) INFO: Connecting to LDAP server: dc01.certified.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc01.certified.htb INFO: Found 10 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: DC01.certified.htb INFO: Done in 00M 17S Import the results into the BloodHound GUI for analysis ...

December 8, 2024 · 7 min · 3220 words · HYH

HTB-Administrator

Box Info OS Windows Difficulty Medium As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich Nmap ┌──(root㉿kali)-[/home/kali/Administrator] └─# nmap -sSCV -Pn administrator.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 15:51 CST Nmap scan report for administrator.htb (10.10.11.42) Host is up (0.072s latency). Not shown: 988 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-05 14:37:40Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: 6h46m00s | smb2-time: | date: 2024-12-05T14:37:51 |_ start_date: N/A Crackmapexec Information about the currently existing users was obtained through the SMB service ...

December 5, 2024 · 5 min · 2354 words · HYH

HTB-Vintage

Box Info OS Windows Difficulty Hard As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123 Nmap Scan └─# nmap -sC -sV -T4 -Pn vintage.htb -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-04 01:49:22Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open unknown 49668/tcp open unknown 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49681/tcp open unknown 50907/tcp open unknown 65103/tcp open unknown Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: -13m55s | smb2-time: | date: 2024-12-04T01:49:48 |_ start_date: N/A In the line for port 3269, a domain controller host named DC01 is found; add it to /etc/hosts ...

December 3, 2024 · 8 min · 3930 words · HYH