Inject
Hello Everyone, today I will be talking about how to hack in to the web application Inject from HacktheBox.
Lets start by running nmap on the website so see what ports are open.
4 minutes to read
Waiting
Hello Everyone, today I will be talking about how to hack the mobile app Waiting from hackthebox.
Let’s start by installing the app on the android-x86 VM.
4 minutes to read
Ambassador.htb
Web Enumeration
The first thing I did on this machine was to some preliminary port scans to see services were available and what I should focus on first.
Nmap
Nmap: Nmap nmap -sV -sC -Pn 10.10.11.138
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
3000/tcp open ppp?
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Rustscan
Rustscan: Rustscan rustscan -a 10.10.11.138
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
Exploitation
Grafana
With the results from these two scans I decided to begin by looking at the main website hosted on port 80. After looking the website over thoroughly I discovered nothing except that the website was generated by Hugo 0.94.2 static site generator.
5 minutes to read
Soccer.htb
Recon
- Web Browser
- Website hosted by Nginx 1.18.0
- Host name
- http://soccer.htb
sudo echo "10.10.11.194 soccer.htb" >> /etc/hosts
- Rustscan
rustscan -a 10.10.11.194
Open 10.10.11.194:22
Open 10.10.11.194:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org
) at 2022-12-22 14:16 EST
Initiating Ping Scan at 14:16
Scanning 10.10.11.194 [2 ports]
Completed Ping Scan at 14:16, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:16
Completed Parallel DNS resolution of 1 host. at 14:16, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:16
Scanning 10.10.11.194 [2 ports]
Discovered open port 80/tcp on 10.10.11.194
Discovered open port 22/tcp on 10.10.11.194
Completed Connect Scan at 14:16, 0.05s elapsed (2 total ports)
Nmap scan report for 10.10.11.194
Host is up, received syn-ack (0.047s latency).
Scanned at 2022-12-22 14:16:01 EST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
- Nmap
Nmap -sV -sC 10.10.11.194
Nmap scan report for 10.10.11.194
Host is up (0.046s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
1723/tcp filtered pptp
9091/tcp open xmltec-xmlmail?
…content omitted…
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
.
Nmap done: 1 IP address (1 host up) scanned in 111.77 seconds
- Directory Brute force
gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,js -t 50
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://soccer.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,html
[+] Timeout: 10s
===============================================================
2022/12/22 14:49:50 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 162]
/index.html (Status: 200) [Size: 6917]
/tiny (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
/.html (Status: 403) [Size: 162]
Progress: 622881 / 622932 (99.99%)===============================================================
2022/12/22 15:23:34 Finished
===============================================================
- VHOSTS
gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u soccer.htb
none
- Summary
- PPTP 1723/tcp VPN used for remote access
- /tiny File upload web page
- Unknown 9091/tcp
Web Exploit
The first thing I did was browse to the main website http://soccor.htb/
. After looking around I found nothing of interests so I browsed to http://soccor.htb/tiny
which was one of the urls that I found during the directory bruteforce scan. This particular URL had a login for Tiny File Manager. After some looking around on the internet I found the default credentials on the Tiny File Manager github page
.
6 minutes to read
Metatwo.htb
Quick Look
- Rustscan
Open 10.10.11.180:21
Open 10.10.11.180:22
Open 10.10.11.180:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org
) at 2022-11-21 14:53 EST
Initiating Ping Scan at 14:53
Scanning 10.10.11.180 [2 ports]
Completed Ping Scan at 14:53, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 14:53
Scanning shoppy.htb (10.10.11.180) [2 ports]
Discovered open port 22/tcp on 10.10.11.180
Discovered open port 80/tcp on 10.10.11.180
Completed Connect Scan at 14:53, 0.05s elapsed (2 total ports)
Nmap scan report for shoppy.htb (10.10.11.180)
Host is up, received syn-ack (0.046s latency).
Scanned at 2022-11-21 14:53:37 EST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
- Web Browser
- Looks like a WordPress website running WordPress 5.2.6
- Handful of pages
- Host name
- http://metapress.htb
sudo echo "10.10.11.180 metapress.htb" >> /etc/hosts
- Directory Brute force
about [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 496ms]
login [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 455ms]
events [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 449ms]
0 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 400ms]
feed [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 443ms]
atom [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 407ms]
s [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 442ms]
a [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 421ms]
wp-content [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 67ms]
c [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 448ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 417ms]
t [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 416ms]
e [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 956ms]
h [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1557ms]
rss2 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1523ms]
About [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1577ms]
ca [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1119ms]
event [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1112ms]
wp-includes [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 50ms]
C [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1350ms]
A [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
S [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1846ms]
E [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
about-us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
Events [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1571ms]
T [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1212ms]
H [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1403ms]
sa [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2129ms]
rdf [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1609ms]
page1 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1200ms]
sample [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1464ms]
' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1331ms]
th [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1685ms]
CA [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 855ms]
dashboard [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1413ms]
he [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1498ms]
ab [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1936ms]
%20 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1347ms]
sam [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1422ms]
hello [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1391ms]
ev [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
wp-admin [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 49ms]
cancel [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1326ms]
eve [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2005ms]
can [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1467ms]
0000 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1780ms]
2022 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
Event [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1273ms]
About-Us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1328ms]
hello-world [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1529ms]
embed [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1373ms]
abo [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1804ms]
hell [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1260ms]
SA [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1665ms]
AB [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1384ms]
Hello [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1747ms]
Oasis - 'Definitely Maybe' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1447ms]
TH [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1319ms]
EVENTS [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1660ms]
Cancel [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1736ms]
Sample [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1457ms]
[Status: 200, Size: 10342, Words: 423, Lines: 156, Duration: 1541ms]
! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1495ms]
ABOUT [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1827ms]
hel [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1610ms]
Bling! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1308ms]
EV [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1275ms]
Check Screenshots! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1234ms]
Check All Tracker Features! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1236ms]
About Us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1501ms]
CAN [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1165ms]
yahoo! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1179ms]
About%20Us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
SAM [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1779ms]
Welcome! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1892ms]
:: Progress: [87664/87664] :: Job [1/1] :: 23 req/sec :: Duration: [0:54:16] :: Errors: 0 ::
Next Step
- scan for users
wpscan --url http://metapress.htb/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <================================================================================> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://metapress.htb/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Sitemap (Aggressive Detection)
| - http://metapress.htb/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] manager
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
With these scans I discovered that their appears to be no plugins and one theme Twenty Twenty-One. Their also appeared to be 2 users admin and manager both of which I ran multiple workforce attempts against using the following commands.
11 minutes to read
Precious.htb
Recon
-
Host name
- http://precious.htb
sudo echo "10.10.11.189 precious.htb" >> /etc/hosts
-
Rustscan
rustscan -a 10.10.11.189
Open 10.10.11.189:22
Open 10.10.11.189:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org
) at 2022-12-17 13:48 EST
Initiating Ping Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Completed Ping Scan at 13:48, 0.53s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Discovered open port 22/tcp on 10.10.11.189
Discovered open port 80/tcp on 10.10.11.189
Completed Connect Scan at 13:48, 0.33s elapsed (2 total ports)
Nmap scan report for 10.10.11.189
Host is up, received syn-ack (0.48s latency).
Scanned at 2022-12-17 13:48:42 EST for 1s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
- Directory Brute force
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://precious.htb/FUZZ
none
- VHOSTS
gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u precious.htb
none
Next Step
Since I did not find any subdomains or other web pages on the web server I decide to look at the main page to see if I could find a vulnerability. I began by spinning up a PHP web server using the php -S 0.0.0.0:80 command. I then create a simple HTML page that had some text and converted it to a PDF using the online PDF converter on http://precious.htb
. Once I had a PDF that the web server made I used the exiftool ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf command to see what generated the PDF document.
4 minutes to read