Supasuge's Blog

Aspiring Information Technology/Cybersecurity Professional


Trick - HTB Writeup

Trick - HTB Writeup Difficulty: Easy Enumeration Starting off, I ran an nmap scan on all open ports at a rate of 10000. Moving on from there, I ran a service version scan, TCP scan, and operating system detection scan on the ports that I discovered. nmap -p- --open --min-rate 10000 $IP # Nmap 7.94SVN scan initiated Mon May 6 14:32:07 2024 as: nmap -p- --open --min-rate 10000 -oN init.scan 10.


Usage - HTB Writeup

Usage - HTB Writeup IP = 10.10.11.18 Enumeration sudo nmap -p22,80 -sCV -A -Pn $IP [SNIP] ... PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA) |_ 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Daily Blogs |_http-server-header: nginx/1.18.0 (Ubuntu) ... [SNIP] TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 37.18 ms 10.10.14.1 2 37.24 ms usage.


Crypto - N00bzCTF23 Writeup

N00bzCTF 2023 This challenge presents a relatively simple RSA challenge. I had seen this before in PicoCTF, so I was able to solve it pretty quickly; however, this was unfortunately the only challenge I had time for that weekend as I was busy. Also, I sadly did not write down the name of the challenge and don’t care enough to go find it so… Enjoy :) Source Code from Crypto.Util.number import * import time flag = bytes_to_long(b'n00bz{***********************}') e = 17 p = getPrime(1024) q = getPrime(1024) n = p*q ct = pow(flag,e,n) time.


Electronical (Crypto) - BuckeyeCTF2023 Writeup

Electronical (Crypto) - BuckEyeCTF23 Source Code: from Crypto.Cipher import AES from flask import Flask, request, abort, send_file import math import os app = Flask(__name__) key = os.urandom(32) flag = os.environ.get('FLAG', 'bctf{fake_flag_fake_flag_fake_flag_fake_flag}') cipher = AES.new(key, AES.MODE_ECB) def encrypt(message: str) -> bytes: length = math.ceil(len(message) / 16) * 16 padded = message.encode().ljust(length, b'\0') return cipher.encrypt(padded) @app.get('/encrypt') def handle_encrypt(): param = request.args.get('message') if not param: return abort(400, "Bad") if not isinstance(param, str): return abort(400, "Bad") return encrypt(param + flag).


Nax - TryHackMe Writeup

Enumeration nmap -p- --min-rate 10000 --open 10.10.222.20 Ports open: 22, 25, 80, 443 Moving on to Service Version/TCP scan with vulnerability detection scripts + OS detection: sudo nmap -p22,25,80,443 -sCVT -O 10.10.222.20 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-04 23:45 EDT Nmap scan report for 10.10.222.20 Host is up (0.33s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA) | 256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA) |_ 256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519) 25/tcp open smtp Postfix smtpd |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=ubuntu | Not valid before: 2020-03-23T23:42:04 |_Not valid after: 2030-03-21T23:42:04 |_smtp-commands: ubuntu.


OpenSource - HTB Writeup

OpenSource - HTB Writeup Difficulty: Medium Enumeration Starting off, I ran a full port scan to find open ports: nmap -p- --min-rate 10000 -Pn $IP -oG p-.scan ... $ cat p-.scan Host: 10.129.227.140 () Status: Up Host: 10.129.227.140 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// # Nmap done at Mon May 6 17:30:07 2024 -- 1 IP address (1 host up) scanned in 81.90 seconds Ports: 22, 80. Moving on to a TCP + service version scan with operating system detection:


Pilgrimage - HTB Writeup

Pilgrimage - HTB Writeup IP=10.10.11.219 Enumeration nmap export IP=10.10.11.219 nmap -p- --min-rate 10000 -Pn $IP PORT STATE SERVICE 22/tcp open ssh 80/tcp open http --- sudo nmap -p22,80 -sCVT -A -Pn $IP PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA) | 256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA) |_ 256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519) 80/tcp open http nginx 1.18.0 | http-git: | 10.10.11.219:80/.git/ | Git repository found!


Socket - HTB Writeup

Socket - HTB Writeup Difficulty: Medium IP=10.10.11.206 After the initial enumeration finds open ports 22, 80, and 5789, we can try connecting to the WebSocket service running on port 5789 with wscat. Very quickly, we find a SQLi vulnerability within the service, which gives us the opportunity to get the admin password hash, which is just simple MD5. After running this through crackstation.com, the password/username is: admin:denjanjade122566. SQLMAP through proxy We already explored the /version path and extracted credentials with it due to a SQLi vulnerability; we can now try the same vulnerability with the /update path.
