#HTB
devvortex.htb -> gobuster -> joomla -> apport-cliwith
bizness.htb -> Apache OFBiz vuln -> hashcat
crafty.htb -> minecraft -> log4j -> jar analyze -> run as powershell
usage.htb -> sql injection -> exiftool -> .monitrc -> 7za
mailing.htb -> hmailserver -> MS Outlook RCE -> LibreOffice vuln
capiclean.htb -> XSS -> Cookie -> SSTI -> mysql -> qdf
board.htb -> dolibarr exp -> Enlightenment
freelancer.htb -> IDOR -> xp_cmdshell -> runAsCS -> AV bypass -> DMP analyze -> AD
runner.htb -> teamcity vuln -> backupfiles -> port forward -> portainer.io
blurry.htb -> ClearML -> /models/*.pth
solarlab.htb -> SMB -> ReportLab PDF Library VULN -> port forward -> openfire vuln
editorial.htb -> SSRF -> .git logs -> git documentation RCE
jab.htb -> jab XMPP messenger -> Kerberos hash -> openfire vuln (CVE-2023-32315)
axlle.htb -> xll (xls) phishing -> HTA rev shell -> bloodhound -> AD password force change -> exe rev shell
blazered.htb -> blazor -> reverse engineering dll -> jwt -> sql injection -> bloodhound -> WriteSPN -> logon script -> mimikatz(dcsync)
jerry.htb -> apache manager -> upload war
cap.htb -> IDOR -> pcap analyze -> ssh -> Capabilities (setuid)
permx.htb -> chamilo(learning platform) -> ssh with db pass -> symlink sh script -> su root
wifineticTwo. -> openplc default login -> exploit -> oneshot wifi -> ssh openwrt
keeper.htb -> default password -> users info -> ssh -> keepass hack -> putty gen ssh key
netmon.htb -> ftp -> procmon backup file -> password guess -> rce
Wifinetic.htb -> ftp -> password from backupfile -> ssh netadmin -> wifi hack -> su root
greenhorn.htb -> pluck -> module install -> su user -> depixel -> su root
knife.htb -> PHP RCE -> Telnet -> Knife priv escalation
sua.htb -> SSRF Request-Baskets -> exploit Maltrail -> systemctl priv escalation
bashed.htb -> phpbash -> upload revshell -> edit python script
optimum.htb -> HFS Exploit -> Win server 2012 priv escalation
cozyhosting. -> actuator cookie -> sql injection -> jar unzip -> psql user hash -> su -> ssh priv escalation
searcher.htb -> Searchor sql injection -> .git pass -> ssh -> rev shell in tmp file as argument
(lin) return.htb -> nc pass -> evil-winrm -> create service -> nc as nt system
(win) granny.htb -> IIS 6.0 rce -> generate rev shell -> curl put file -> Churrasco root rev shell
(lin) broker.htb -> Apache ActiveMQ RCE -> sudo nginx priv escalation -> ssh with key
(lin) antque.htb -> snmpwalk -> telnet -> chisel port forward -> cups exploit
(lin)Blocky.htb -> wp plugin -> author post -> ssh author -> sudo -l
(lin)Resource.htb -> usr/local/lib/php/pearcmd&+config-create -> ssh key gen and manipulation
(lin)Validation.htb -> sqlinjection -> nc -> su root
(lin)Shocker.htb -> apache cgi -> shellshock cgi cve -> sudo -l -> perl priv escalation
(lin)grandps.htb -> iis 6 rev shell -> churrasco.exe priv escalation
(lin)sea.htb -> Wonder CMS Exploit -> ssh -> tunnel 8080 -> command injection
(lin) mirai.htb -> pi hole -> ssh as pi user -> restore usb -> strings usb image
(lin)sense.htb -> pfsense exploit -> root
(lin)codify.htb -> vm2 sandbox exploit -> hashcat -> ssh -> memory dump (pspy64s) -> su root
(win)devel.htb -> rev shell via aspx -> win 7600 priv escalation -> edit exp to shell as root
(win)forest.htb -> enum4linux -> impacket-GetNPUsers -> evil-winrm -> bloodhound -> powerview.ps1 -> impacket-secretsdump -> impacket-psexec
(lin)nibbles.htb -> html source code -> nibbles exploit -> edit sh script
(lin)explore.htb -> android ES file exploit -> image with pass -> ssh -> port forwarding -> adb root
(lin)precious.htb -> ruby rev shell -> /home/ruby/.bundle -> rb script deserialization yaml
(lin)monitorthree.htb -> sqlmap sql injection dump pass hash -> cacti rce -> mysql hash -> su -> duplicati bypass -> root
(lin)photobomb.htb -> pass in js file -> sqli rev shell -> priv escalation /opt/.bashrc in bash script
(lin)sightless.htb -> sqlpad rce -> etc/shadows -> hashcat -> ssh -> suid sudo
(win)cicada.htb -> AD enum -> smb enum -> users from smb enum -> backup manager -> sam/system admin hash
(lin)Busqueda.htb -> flask sqli -> .git config pass -> ssh svc -> gitea -> sudo sh script -> in sh file path "./file" -> replace sh file
(lin)soccer -> tiny file manager -> revshell php -> now domain -> sqli -> sqlmap -> ssh -> dstat priv escalation
(lin)pandora -> snmpwalk -> ssh -> port forwarding -> pandora rce -> pandora backup priv escalation (escape the jail shell)
(lin)chemistry -> cif file rce -> db pass -> hashcat -> ssh -> port 8080 -> aiohttp exploit
(lin)underpass -> snmpwalk -> daloradius server -> ssh -> mosh exp
(win)administrator -> AD attack
(lin)linkVortex -> vhost gobuster -> ./git githack.py -> ssh -> sudo -l -> sh script abuse
(lin)alert.htb -> xss with javascript -> enumerate via xss -> hash .htpasswd -> ssh tunneling -> www as root
LINUX:
UpDown
Intentions
Monitored
Networked
Help
Magic
Builder
WINDOWS:
Escape
Servmon
Support
StreamIO
Blackfield
Intelligence
Jeeves
Manager
Access
Aero
Mailing
AD:
Active
Forest
Sauna
Monteverde
Timelapse
Return
Cascade
Flight
Blackfield