Hack the Box – Antique – Walkthrough

So this is one of the easy-rated boxes from HTB. Let’s dive in and add the IP to the /etc/hosts file:

sudo nano /etc/hosts

Now a good nmap scan for a start:

nmap -sC -sV -sT -p- -v antique.htb
And while that runs, let’s do a UDP scan in the background for good measure.
sudo nmap -sC -sV -sT -sU -v antique.htb

This will take a looooooong time, so we’ll come back to it later.

The nmap scan shows us some interesting things: the name “HP Jetdirect” comes up a lot, and the telnet port is also pretty interesting.

That would mean we have a printer, but there’s no IPP port open.

Let’s check searchsploit for JetDirect:

A few good finds, but I like the look of the SNMP password disclosure; SNMP is usually pretty open. Let’s search on exploit-db.

Okay, let’s have a play.

First, let’s do a walk while nmap is still being slow.

snmpwalk -v 2c -c public antique.htb

Well, that was disappointing, but it is listening.

Can we run the exploit?

Ergh, that would be a no.

I did try and find out how to install snmputil, but it didn’t show on apt, and nor did net-snmp or net-snmp-util.


Maybe we can help along the snmpwalk command..

Okay that’s better.

I think that’s hex encoded, let’s take a look:

Nice looking password we seem to have sat there, only one place I can think of for that.
I like this game 🙂

Although this is not the nicest of shells..

Actually, hang on, let’s read that again: we can use the “exec command” to send system commands.

So what does id give us?

exec id

Okay that’s better, any cheeky flag for us?

Yes that is a cheeky flag!

So we can use the cat command and id; can we use python?

I think that is a kind of?

python3?


So this hung on me, but we must have hit something.

Let’s try some more examples.

Kali – Quick Deploy “SuperCharger” Script

This page contains a script to fix a number of issues in the current version, and also to deploy some additional tools into a new instance in an automated fashion.

apt-get update
apt-get upgrade -y

# Fix issue in theHarvester
pip3 install aiohttp --upgrade

# Get pspy scripts
mkdir -p ~/pspy
cd ~/pspy
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64


Kali – How to setup RDP into a Kali Linux Box

I am a big fan of VMs, but not such a fan of the tools used to connect to them in most instances.

Hyper-V, vSphere remote console, VMWare player, they all feel clunky, have inconsistent features and lack some of the basics I really enjoy from modern RDP.

Kali does not have this out of the box, so let’s see if we can enable it.

Take a fresh Kali install, and let’s open a terminal:

apt-get update 
apt-get install xrdp 
systemctl start xrdp
systemctl start xrdp-sesman


systemctl enable xrdp
systemctl enable xrdp-sesman

Now there are a few configuration changes we need to make.

Only one “X” session is allowed by default, which means you will get a black screen when trying to connect if you are also logged on to the machine locally.

It can also be a problem if your session gets disconnected, as there are times when re-connecting to the existing session will fail.

Let’s make an edit to the /etc/xrdp/startwm.sh file.

Add these lines before the “test -x /etc/X11/Xsession && exec ” line:

unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
. $HOME/.profile
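
One way to script the edit above, as an added example that is not part of the original post or of xrdp. The helper name patch_startwm and the marker comment are assumptions; it inserts the three lines before the Xsession test, keeps a .bak copy, and makes no change if that line is not found.

```shell
#!/bin/sh
# Added example: patch_startwm is a hypothetical helper, not part of xrdp.
# It inserts the three lines from this post directly before the
# "test -x /etc/X11/Xsession" line of a startwm.sh, and is safe to re-run.

MARKER='# xrdp session fix (inserted by patch_startwm)'

patch_startwm() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Already patched: leave the file alone.
    if grep -qF -- "$MARKER" "$file"; then
        return 0
    fi

    # Refuse to guess when the anchor line is missing (layout varies by version).
    if ! grep -q '^[[:space:]]*test -x /etc/X11/Xsession' "$file"; then
        echo "anchor line not found in $file" >&2
        return 1
    fi

    cp -p "$file" "$file.bak" || return 2    # rollback copy
    tmp=$(mktemp) || return 2

    awk -v marker="$MARKER" '
        /^[ \t]*test -x \/etc\/X11\/Xsession/ && !done {
            print marker
            print "unset DBUS_SESSION_BUS_ADDRESS"
            print "unset XDG_RUNTIME_DIR"
            print ". $HOME/.profile"
            done = 1
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Run as root against the real file: sh patch_startwm.sh /etc/xrdp/startwm.sh
if [ "$#" -gt 0 ]; then
    patch_startwm "$1"
fi
```
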

At this point, I like to reboot the machine to emulate a fresh session and see what we get:

Beautiful!

Now we have a full RDP session, with copy and paste and a 4k resolution!