Runner.htb

HackTheBox - Runner.htb

User flag Runner.htb My initial reconnaissance scan revealed two web servers and an SSH server. After endless searching, I stumbled upon an HTTP header that stated that this site was powered by TeamCity, which is a virtual host on the server too. This took quite a while for me. http://teamcity.runner.htb/login.html is vulnerable to CVE-2023-42793, which allows any user to create an admin account. python CVE-2023-42793.py -u http://teamcity.runner.htb That was easy....

May 5, 2024 · Jannis
Intuition.htb

HackTheBox - Intuition.htb

User flag Intuition.htb My initial reconnaissance scan revealed some interesting virtual hosts on the web server. The most promising virtual host was report.comprezzor.htb, featuring a form for error reporting to the development team. Initially, it appeared ripe for XSS exploitation, which indeed turned out to be the correct approach. After waiting for some time, I received a request on my HTTP server with a JWT cookie. Adding that cookie to my jar and then opening the http://dashboard....

May 5, 2024 · Jannis
WifineticTwo.htb

HackTheBox - WifineticTwo.htb

User flag The only interesting thing is running on port 8080: http://10.129.175.20:8080/. OpenPLC which uses default credentials openplc:openplc. To exploit this thing, navigate to the Hardware tab and append the following C code to the Hardware Layer Code Box: #include <stdio.h> #include <sys/socket.h> #include <sys/types....

April 1, 2024 · Jannis