[email protected]
Search…
[email protected]
About Calvin Lai (fkclai)
My Work
Exploit/CVE PoC
ZeroLogon Exploit
Remote Retrieved Chrome saved Encrypted Password
Twitter Control an RCE attack
Hacking Report (HTB)
Hits & Summary
Windows Machine
Linux Machine
BountyHunter 10.10.11.100
CAP 10.10.10.245
Spectra 10.10.10.229
Ready 10.10.10.220
Doctor 10.10.10.209
Bucket 10.10.10.212
Blunder 10.10.10.191
Registry 10.10.10.159
Magic
Tabby
PenTest & Exploitation Guide
01 Reconnaissance
02 Port Enumeration
03 Web Enumeration
04 Windows Enum & Exploit
05 File Enumeration
06 Reverse Shell Cheat Sheet
07 SQL Injection
08 BruteForce
09 XSS Bypass Checklist
10 Spring Boot
11 WPA
12 Payload list
Vuln Hub (Writeup)
MrRobot
CYBERRY
MATRIX 1
Node-1
DPwwn-1
DC7
AiWeb-2
AiWeb-1
BrainPan
CTF (Writeup)
Hacker One
CTF Learn
P.W.N. University - CTF 2018
HITCON
Pwnable
Useful Command/Tools
Windows
Linux
Offensive Security Lab & Exam
Lab
Powered By GitBook
Registry 10.10.10.159
Look up at the stars and not down at your feet <Stephen Hawking>
Owned on

Background

​R​egistery is an Hard difficulty Windows machine from HacktheBox, it requires the SMB enumeration technique and source code review, for training your ethical hacking skills and penetration testing skills.
​
​
Target Machine: 10.10.10.159
Attacking (Hacker) machine: 10.10.14.9

Penetrating Methodology

Service Scanning

  • Nmap

Enumeration

  • Enum4linux
  • dnSpy

Exploitation

  • msfvenom

Walkthrough:

Target machine: 10.10.10.178
Attacking (Hacker) machine: 10.10.14.9

Hacking Process Part 0 – Service Scanning

The target machine IP is10.10.10.178. Get a basic understanding of the available services of the target machine using nmap aggressive scanning to all available ports.
Quick searching
nmap -sV -A -oN nmap-htb-registry-detail.txt registry.htb
Enumeration strategies
  1. 1.
    Web Application Vulnerability
  2. 2.
    Web Enumeration docker.registry.htb
  3. 3.
    SSH Enumeration

Hacking Process Part 1 – Enumeration

1.1) SMB Enumeration

SMBMAP

nmap --script smb-enum-shares -p 445

enum4linux
smbclient
smbclient -N //nest.htb/Users
\IT\Configs\Adobe\editing.xml
\IT\Configs\Adobe\Options.txt
\IT\Configs\Adobe\projects.xml
\IT\Configs\Adobe\settings.xml
\IT\Configs\Atlas\Temp.XML
\IT\Configs\Microsoft\Options.xml
\IT\Configs\NotepadPlusPlus\config.xml
\IT\Configs\NotepadPlusPlus\shortcuts.xml
\IT\Configs\RU Scanner\RU_config.xml
\Shared\Maintenance\Maintenance Alerts.txt
\Shared\Templates\HR\Welcome Email.txt
\IT\Configs\NotepadPlusPlus\config.xml
c.smith
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
mount -t cifs //10.10.10.178/Secure$ /root/Documents/ctf/htb/windows/10_nest/hostfile/Secure -o user=TempUser,password=welcome2019
According to the config.xml there is af directory
c.smith
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
xRxRxPANCAK3SxRxRx
smbclient \\\\nest.htb\\Data -U c.smith
WBQ201953D8w
Adminstrator
"XtH4nkS4Pl4y1nGX"

Hacking Process Part 2 – Exploitation

2.1) Brute force attack

Hacking Process Part 3 – Getting Low Privilege Access

Hacking Process Part 4 – Privilege Escalation

4.1) Directory Enumeration

Conclusion...

Reference Link

Previous
Blunder 10.10.10.191
Next
Magic
Last modified 1yr ago
Copy link
Contents
Background
Penetrating Methodology
Service Scanning
Enumeration
Exploitation
Walkthrough:
Hacking Process Part 0 – Service Scanning
Hacking Process Part 1 – Enumeration
1.1) SMB Enumeration
Hacking Process Part 2 – Exploitation
2.1) Brute force attack
Hacking Process Part 3 – Getting Low Privilege Access
Hacking Process Part 4 – Privilege Escalation
4.1) Directory Enumeration
Conclusion...
Reference Link