Inject
Hello Everyone, today I will be talking about how to hack in to the web application Inject from HacktheBox.
Lets start by running nmap on the website so see what ports are open.
Hello Everyone, today I will be talking about how to hack in to the web application Inject from HacktheBox.
Lets start by running nmap on the website so see what ports are open.
The first thing I did on this machine was to some preliminary port scans to see services were available and what I should focus on first.
Nmap: Nmap nmap -sV -sC -Pn 10.10.11.138
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
3000/tcp open ppp?
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Rustscan: Rustscan rustscan -a 10.10.11.138
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
With the results from these two scans I decided to begin by looking at the main website hosted on port 80. After looking the website over thoroughly I discovered nothing except that the website was generated by Hugo 0.94.2 static site generator.
sudo echo "10.10.11.194 soccer.htb" >> /etc/hosts
rustscan -a 10.10.11.194
Open 10.10.11.194:22
Open 10.10.11.194:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org
) at 2022-12-22 14:16 EST
Initiating Ping Scan at 14:16
Scanning 10.10.11.194 [2 ports]
Completed Ping Scan at 14:16, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:16
Completed Parallel DNS resolution of 1 host. at 14:16, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 14:16
Scanning 10.10.11.194 [2 ports]
Discovered open port 80/tcp on 10.10.11.194
Discovered open port 22/tcp on 10.10.11.194
Completed Connect Scan at 14:16, 0.05s elapsed (2 total ports)
Nmap scan report for 10.10.11.194
Host is up, received syn-ack (0.047s latency).
Scanned at 2022-12-22 14:16:01 EST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Nmap -sV -sC 10.10.11.194
Nmap scan report for 10.10.11.194
Host is up (0.046s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
1723/tcp filtered pptp
9091/tcp open xmltec-xmlmail?
…content omitted…
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
.
Nmap done: 1 IP address (1 host up) scanned in 111.77 seconds
gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,js -t 50
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://soccer.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: js,html
[+] Timeout: 10s
===============================================================
2022/12/22 14:49:50 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 162]
/index.html (Status: 200) [Size: 6917]
/tiny (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
/.html (Status: 403) [Size: 162]
Progress: 622881 / 622932 (99.99%)===============================================================
2022/12/22 15:23:34 Finished
===============================================================
gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u soccer.htb
none
The first thing I did was browse to the main website http://soccor.htb/
. After looking around I found nothing of interests so I browsed to http://soccor.htb/tiny
which was one of the urls that I found during the directory bruteforce scan. This particular URL had a login for Tiny File Manager
. After some looking around on the internet I found the default credentials on the Tiny File Manager
github page
.
Open 10.10.11.180:21
Open 10.10.11.180:22
Open 10.10.11.180:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org
) at 2022-11-21 14:53 EST
Initiating Ping Scan at 14:53
Scanning 10.10.11.180 [2 ports]
Completed Ping Scan at 14:53, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 14:53
Scanning shoppy.htb (10.10.11.180) [2 ports]
Discovered open port 22/tcp on 10.10.11.180
Discovered open port 80/tcp on 10.10.11.180
Completed Connect Scan at 14:53, 0.05s elapsed (2 total ports)
Nmap scan report for shoppy.htb (10.10.11.180)
Host is up, received syn-ack (0.046s latency).
Scanned at 2022-11-21 14:53:37 EST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
sudo echo "10.10.11.180 metapress.htb" >> /etc/hosts
about [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 496ms]
login [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 455ms]
events [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 449ms]
0 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 400ms]
feed [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 443ms]
atom [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 407ms]
s [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 442ms]
a [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 421ms]
wp-content [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 67ms]
c [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 448ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 417ms]
t [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 416ms]
e [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 956ms]
h [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1557ms]
rss2 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1523ms]
About [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1577ms]
ca [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1119ms]
event [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1112ms]
wp-includes [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 50ms]
C [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1350ms]
A [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
S [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1846ms]
E [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
about-us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
Events [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1571ms]
T [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1212ms]
H [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1403ms]
sa [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2129ms]
rdf [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1609ms]
page1 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1200ms]
sample [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1464ms]
' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1331ms]
th [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1685ms]
CA [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 855ms]
dashboard [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1413ms]
he [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1498ms]
ab [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1936ms]
%20 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1347ms]
sam [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1422ms]
hello [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1391ms]
ev [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
wp-admin [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 49ms]
cancel [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1326ms]
eve [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2005ms]
can [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1467ms]
0000 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1780ms]
2022 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
Event [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1273ms]
About-Us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1328ms]
hello-world [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1529ms]
embed [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1373ms]
abo [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1804ms]
hell [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1260ms]
SA [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1665ms]
AB [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1384ms]
Hello [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1747ms]
Oasis - 'Definitely Maybe' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1447ms]
TH [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1319ms]
EVENTS [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1660ms]
Cancel [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1736ms]
Sample [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1457ms]
[Status: 200, Size: 10342, Words: 423, Lines: 156, Duration: 1541ms]
! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1495ms]
ABOUT [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1827ms]
hel [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1610ms]
Bling! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1308ms]
EV [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1275ms]
Check Screenshots! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1234ms]
Check All Tracker Features! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1236ms]
About Us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1501ms]
CAN [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1165ms]
yahoo! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1179ms]
About%20Us [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
SAM [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1779ms]
Welcome! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1892ms]
:: Progress: [87664/87664] :: Job [1/1] :: 23 req/sec :: Duration: [0:54:16] :: Errors: 0 ::
wpscan --url http://metapress.htb/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <================================================================================> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://metapress.htb/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Sitemap (Aggressive Detection)
| - http://metapress.htb/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] manager
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
With these scans I discovered that their appears to be no plugins and one theme Twenty Twenty-One
. Their also appeared to be 2 users admin and manager both of which I ran multiple workforce attempts against using the following commands.
Host name
sudo echo "10.10.11.189 precious.htb" >> /etc/hosts
Rustscan rustscan -a 10.10.11.189
Open 10.10.11.189:22
Open 10.10.11.189:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org
) at 2022-12-17 13:48 EST
Initiating Ping Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Completed Ping Scan at 13:48, 0.53s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:48
Scanning 10.10.11.189 [2 ports]
Discovered open port 22/tcp on 10.10.11.189
Discovered open port 80/tcp on 10.10.11.189
Completed Connect Scan at 13:48, 0.33s elapsed (2 total ports)
Nmap scan report for 10.10.11.189
Host is up, received syn-ack (0.48s latency).
Scanned at 2022-12-17 13:48:42 EST for 1s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://precious.htb/FUZZ
none
gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u precious.htb
none
Since I did not find any subdomains or other web pages on the web server I decide to look at the main page to see if I could find a vulnerability. I began by spinning up a PHP web server using the php -S 0.0.0.0:80
command. I then create a simple HTML page that had some text and converted it to a PDF using the online PDF converter on http://precious.htb
. Once I had a PDF that the web server made I used the exiftool ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf
command to see what generated the PDF document.