Welcome

User Flag As usually I started my enumeration with some nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out 10.129.23.9 sudo nmap -p22,5000 -sC -sV -vv -oN nmap_scripts.out 10.129.23.94 We see two ports open: 22, 5000. Using the browser to make an http request to port 5000, we get what it seems to be a python interpreter. We are allowed to run some code, but there are a lot of restricted keywords....

Another certification completed, this time is the Deep Learning Specialization from DeepLearning.AI, taught by Andrew Ng on Coursera. This five-course program covered the core areas of deep learning, from foundational concepts to advanced architectures. I started by learning how to build and train basic neural networks, then moved on to techniques for improving model performance, including hyperparameter tuning, regularization, and optimization methods. The specialization also included best practices for structuring machine learning projects and debugging common issues....

User Flag We start the machine by doing some nmap scans: There seems to only be a RDP port open, since we have nothing else to go by, let’s try some default credentials: xfreerdp /v:10.129.157.255 /dynamic-resolution -sec-nla The server is running in kiosk mode, with the user KioskUser0, without a password: We can enter “windows key” to open the start menu: We can open the edge browser: And access the file system through it:...

User Flag Started by doing some nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out haze.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out haze.htb In port 8000 we find a splunk service: And in port 8089 we can find the version of splunk: It appears that this version has a critical vulnerability: https://www.sonicwall.com/blog/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads Let’s try to exploit it: https://github.com/bigb0x/CVE-2024-36991 python CVE-2024-36991.py -u http://haze.htb:8000 We are unable to crack the hashes, but we find 3 potencial users: edward,mark and paul....

User Flag Nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out hospital.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out hospital.htb Navigating to port 8080: After registering an account, we have access to a file upload feature: Since this is a PHP web application, let’s try uploading a PHP web shell: echo '<?php system($_REQUEST["cmd"]); ?>' > ./shell.php We can intercept the request: And notice that is redirecting to /failed.php: Trying some common php extensions leads us to a /success....

I’ve just completed the Machine Learning Specialization on Coursera. This program is taught by Andrew Ng and jointly offered by DeepLearning.AI and Stanford Online. The specialization is structured as a three-course sequence, each designed to build a strong foundation and progressively expand your understanding of machine learning. The first course, Supervised Machine Learning: Regression and Classification, dives into the core ideas behind predictive modeling. I learned how to implement linear and logistic regression, understand loss functions, optimize models using gradient descent, and build simple neural networks....

User flag Started by doing some nmap scans: The only interesting port seems to be port 80, so lets enumerate it. Found a statistics vhost but returning a 401 unauthorized http code: Still, gonna add it to the /etc/hosts file. Going to this subdomain, we are asked for credentials: The login form is simply sending the username and password, base64 encoded, in the authorization header: I also did a dir scan on the page, but only got the expected results, except for a messages page:...

User Flag Started by doing some nmap scans: I tried to do some enumeration with vhost and dirs, but didn’t find anything interesting so lets look at the website: Very simple page. When we login we see that we can upload a cif file and the view it: I tried changing the file on request and doing some injections, but couldn’t get anything to work. But, searching for an exploit for cif files found something interesting:...

User Flag We start by doing the usual nmap scans: For now, in the nmap scan we can notice some interesting things: there is a ghost 5.58 and a /ghost dir. Let’s move on. Two ports open: ssh and http. Starting with port 80 we do our typical vhost and dir scans on it. There is a dev vhost, so let’s add it to the /etc/hosts file, and do a dir scan on it: We collected a lot of useful information with theses scans....

User Flag I started by doing some nmaps scans: I did some dir and dns enumeration on port 80, but couldn’t find anything, so let’s check the website: On the website, I found nothing of interest except a download link for an apk file, so let’s download it and extract the code. To do this I used a visual code extension: Looking for config files in the extracted code I found: This means that there are two other vhosts for the application so let’s add them to the /etc/hosts file....