Shoppy was an easy Linux machine that was vulnerable to NoSQL injection. Exploiting the NoSQL injection, we got the password hashes of all users. After cracking the hash of one user, the Mattermost serve...
Photobomb was an easy-rated Linux box where plaintext credentials were discovered by viewing the source code. These credentials then led to a webpage with download functionality that was vuln...
Querier was a medium box that involved retrieving MSSQL database credentials after analyzing a macro-enabled Excel workbook. These credentials were then used to establish a connection to the MSSQL ...
Heist was an easy box that involved some password cracking and dumping Firefox’s processes. At first, we found a Cisco configuration file on the website that contained usernames and password hashe...
RECON NMAP Nmap shows multiple ports open. Since LDAP, Kerberos, DNS and SMB ports are open, it’s probably a Domain Controller. The Nmap script shows that the domain name is timelapse.htb $nmap -Pn...
Return was an easy box that involved exploiting a printer’s web administration panel to obtain LDAP credentials. These credentials can then be used to access WinRM. The account obtained through t...
RECON NMAP Starting with nmap, it shows a bunch of open ports, and the target is an Active Directory Domain Controller running on Windows Server 2008 R2 SP1. $sudo nmap -sT -p- -oA alltcp 10.10...
RECON NMAP Starting with nmap, it shows only one open port, 8080 (Apache Tomcat). $sudo nmap -sC -sV -p- --min-rate 10000 -Pn -oN jerry-all-tcp.nmap 10.10.10.95 Nmap scan report for 10.10.10.9...
RECON NMAP Starting with nmap, it shows two ports open: 80 (httpd) and 21 (ftp). # nmap -sC -sV 10.10.10.5 -oN devel.htb Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-11 21:31 +0545 RTTVAR has ...