09-23-2024, 12:21 PM
Just want to perhaps start a discussion on the lab. If anyone wants to place any ideas or perhaps those have done it, some hints. Thank you!
|
Alchemy - HTB Lab
by kewlcat002 - Monday September 23, 2024 at 12:21 PM
|
|
09-23-2024, 12:21 PM
Just want to perhaps start a discussion on the lab. If anyone wants to place any ideas or perhaps those have done it, some hints. Thank you!
from my initial scan:
Nmap scan report for 10.10.110.1 Host is up (0.085s latency). Nmap scan report for 10.10.110.21 Host is up (0.089s latency). Nmap scan report for 10.10.110.100 Host is up (0.094s latency). more detailed scan: nmap -sC -sV -p- --min-rate=1000 -oN nmap_mass_scan 10.10.110.1
Nmap scan report for 10.10.110.1
Host is up (0.084s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.4 (protocol 2.0)
443/tcp open ssl/http nginx
|_http-title: pfSense - Login
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| h2
| http/1.1
| http/1.0
|_ http/0.9
| ssl-cert: Subject: commonName=pfSense-646b882d43d57/organizationName=pfSense webConfigurator Self-Signed Certificate
| Subject Alternative Name: DNS:pfSense-646b882d43d57
| Not valid before: 2023-05-22T15:20:13
|_Not valid after: 2024-06-23T15:20:13
nmap -sC -sV -p- --min-rate=1000 -oN nmap_mass_scan 10.10.110.21
Nmap scan report for 10.10.110.21
Host is up (0.083s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02b6ea1a7433807a8217bb9e4bf937d1 (RSA)
| 256 fa8084a2e43a2d1f8a9b236e018edabe (ECDSA)
|_ 256 a42fd94584880f230fa197ff43b1c323 (ED25519)
80/tcp open http Rocket
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions:
| HTTP/1.0 404 Not Found
| content-type: text/plain; charset=utf-8
...SNIP...
| HTTP/1.1 400 Bad Request
| content-length: 0
|_ date: Mon, 23 Sep 2024 17:26:17 GMT
|_http-title: Index - Sogard Brewing Co
|_http-server-header: Rocket
3000/tcp open ppp?
| fingerprint-strings:
...SNIP...
nmap -sC -sV -p- --min-rate=1000 -oN nmap_mass_scan 10.10.110.100
Warning: 10.10.110.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.110.100
Host is up (0.091s latency).
Not shown: 59212 closed tcp ports (conn-refused), 6321 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 9a8707c6bfb12a17ed3ef183a70682f8 (RSA)
| 256 b29ba6047521490d899d31f3e1f2280b (ECDSA)
|_ 256 7ffc433425548b3ea768f73fd83c4972 (ED25519)
1194/tcp open openvpn?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel@http://10.10.110.21:3000 there is Gogs instance with some users as well
09-24-2024, 12:16 PM
Lets keep the thread as a learning opportunity and not aimlessly spoil content, future reference.
09-26-2024, 07:36 PM
Did anyone manage initial access?
09-27-2024, 04:26 AM
09-28-2024, 02:14 AM
Here's where I'm at, and where I'm focusing on:
Web01: user Web02: root DC: Administrator SCADA: user FW: untouched WS01: untouched WS02: creds but no access I'm trying to get access to WS02 right now, and depending on what's inside, I'll focus on WS01 or PRINTER. If anyone has ideas for WS02 (SMB creds, but psexec, smbexec, and NXC don't work/ nothing interesting in the DEVELOPMENT share) please let me know. Feel free to ping me if you need a nudge.
09-28-2024, 11:26 PM
(09-28-2024, 02:14 AM)0rch1d Wrote: I'm trying to get access to WS02 right now, and depending on what's inside, I'll focus on WS01 or PRINTER. If anyone has ideas for WS02 (SMB creds, but psexec, smbexec, and NXC don't work/ nothing interesting in the DEVELOPMENT share) please let me know. I'm Admin on WS02 now. Focusing on WS01 and PRINTER atm.
09-29-2024, 09:15 AM
(09-28-2024, 02:14 AM)0rch1d Wrote: Here's where I'm at, and where I'm focusing on:what was the attack path? how did you compromised these machines? any hints?
09-30-2024, 04:36 AM
(09-29-2024, 09:15 AM)Goku_black Wrote: what was the attack path? how did you compromised these machines? any hints? Web01:
I'll put updates here when I get access to WS01, FW, EW, and Printer.
09-30-2024, 06:43 AM
Scada:
WS01:
Just trying to pry open EW, FW, and Printer now before accessing the PLCs. |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 360 | 90,609 |
03-28-2026, 09:28 AM Last Post: |
||
| [FREE] HTB-ProLabs APTLABS Just Flags | 23 | 4,147 |
03-28-2026, 03:30 AM Last Post: |
||
| [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot | 87 | 9,297 |
03-27-2026, 07:22 PM Last Post: |
||
| HTB Eloquia User and Root Flags - Insane Box | 13 | 2,134 |
03-27-2026, 06:14 PM Last Post: |
||
| HTB - ALL Challenges you Stuck in | 2 | 2,434 |
03-27-2026, 04:24 PM Last Post: |
||