Inject

Hello Everyone, today I will be talking about how to hack in to the web application Inject from HacktheBox.

Lets start by running nmap on the website so see what ports are open.

After looking at the output we can see that ssh on port 22 and a web server on port 8080 are both open. Lets open the web browser and see what we can find on the website. At the top of the page is a row of links that lead to different parts of the website.

4 minutes to read

Ambassador.htb

Web Enumeration

The first thing I did on this machine was to some preliminary port scans to see services were available and what I should focus on first.

Nmap

Nmap: Nmap nmap -sV -sC -Pn 10.10.11.138

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
3000/tcp open  ppp?
3306/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2

Rustscan

Rustscan: Rustscan rustscan -a 10.10.11.138

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3306/tcp open  mysql   syn-ack

Exploitation

Grafana

With the results from these two scans I decided to begin by looking at the main website hosted on port 80. After looking the website over thoroughly I discovered nothing except that the website was generated by Hugo 0.94.2 static site generator.

5 minutes to read

Soccer.htb

Recon

  • Web Browser
    • Website hosted by Nginx 1.18.0
  • Host name
  • Rustscan rustscan -a 10.10.11.194
Open 10.10.11.194:22
Open 10.10.11.194:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-22 14:16 EST Initiating Ping Scan at 14:16 Scanning 10.10.11.194 [2 ports] Completed Ping Scan at 14:16, 0.05s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 14:16 Completed Parallel DNS resolution of 1 host. at 14:16, 0.00s elapsed DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 14:16 Scanning 10.10.11.194 [2 ports] Discovered open port 80/tcp on 10.10.11.194 Discovered open port 22/tcp on 10.10.11.194 Completed Connect Scan at 14:16, 0.05s elapsed (2 total ports) Nmap scan report for 10.10.11.194 Host is up, received syn-ack (0.047s latency). Scanned at 2022-12-22 14:16:01 EST for 0s

PORT STATE SERVICE REASON 22/tcp open ssh syn-ack 80/tcp open http syn-ack

Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

  • Nmap Nmap -sV -sC 10.10.11.194
Nmap scan report for 10.10.11.194
Host is up (0.046s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_  256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp   open     http            nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
1723/tcp filtered pptp
9091/tcp open     xmltec-xmlmail?

…content omitted…

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 111.77 seconds

  • Directory Brute force gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,js -t 50
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://soccer.htb
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              js,html
[+] Timeout:                 10s
===============================================================
2022/12/22 14:49:50 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 162]
/index.html           (Status: 200) [Size: 6917]
/tiny                 (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
/.html                (Status: 403) [Size: 162]
Progress: 622881 / 622932 (99.99%)===============================================================
2022/12/22 15:23:34 Finished
===============================================================
  • VHOSTS gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u soccer.htb
none
  • Summary
    • PPTP 1723/tcp VPN used for remote access
    • /tiny File upload web page
    • Unknown 9091/tcp

Web Exploit

The first thing I did was browse to the main website http://soccor.htb/ . After looking around I found nothing of interests so I browsed to http://soccor.htb/tiny which was one of the urls that I found during the directory bruteforce scan. This particular URL had a login for Tiny File Manager. After some looking around on the internet I found the default credentials on the Tiny File Manager github page .

6 minutes to read

Metatwo.htb

Quick Look

  • Rustscan
Open 10.10.11.180:21
Open 10.10.11.180:22
Open 10.10.11.180:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 14:53 EST Initiating Ping Scan at 14:53 Scanning 10.10.11.180 [2 ports] Completed Ping Scan at 14:53, 0.04s elapsed (1 total hosts) Initiating Connect Scan at 14:53 Scanning shoppy.htb (10.10.11.180) [2 ports] Discovered open port 22/tcp on 10.10.11.180 Discovered open port 80/tcp on 10.10.11.180 Completed Connect Scan at 14:53, 0.05s elapsed (2 total ports) Nmap scan report for shoppy.htb (10.10.11.180) Host is up, received syn-ack (0.046s latency). Scanned at 2022-11-21 14:53:37 EST for 0s

PORT STATE SERVICE REASON 22/tcp open ssh syn-ack 80/tcp open http syn-ack

Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

  • Web Browser
    • Looks like a WordPress website running WordPress 5.2.6
    • Handful of pages
  • Host name
  • Directory Brute force
about                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 496ms]
login                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 455ms]
events                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 449ms]
0                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 400ms]
feed                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 443ms]
atom                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 407ms]
s                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 442ms]
a                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 421ms]
wp-content              [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 67ms]
c                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 448ms]
admin                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 417ms]
t                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 416ms]
e                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 956ms]
h                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1557ms]
rss2                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1523ms]
About                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1577ms]
ca                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1119ms]
event                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1112ms]
wp-includes             [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 50ms]
C                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1350ms]
A                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
S                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1846ms]
E                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
about-us                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
Events                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1571ms]
T                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1212ms]
H                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1403ms]
sa                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2129ms]
rdf                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1609ms]
page1                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1200ms]
sample                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1464ms]
'                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1331ms]
th                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1685ms]
CA                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 855ms]
dashboard               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1413ms]
he                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1498ms]
ab                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1936ms]
%20                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1347ms]
sam                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1422ms]
hello                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1391ms]
ev                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
wp-admin                [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 49ms]
cancel                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1326ms]
eve                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2005ms]
can                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1467ms]
0000                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1780ms]
2022                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
Event                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1273ms]
About-Us                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1328ms]
hello-world             [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1529ms]
embed                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1373ms]
abo                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1804ms]
hell                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1260ms]
SA                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1665ms]
AB                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1384ms]
Hello                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1747ms]
Oasis - 'Definitely Maybe' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1447ms]
TH                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1319ms]
EVENTS                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1660ms]
Cancel                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1736ms]
Sample                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1457ms]
                        [Status: 200, Size: 10342, Words: 423, Lines: 156, Duration: 1541ms]
!                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1495ms]
ABOUT                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1827ms]
hel                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1610ms]
Bling!                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1308ms]
EV                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1275ms]
Check Screenshots!      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1234ms]
Check All Tracker Features! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1236ms]
About Us                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1501ms]
CAN                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1165ms]
yahoo!                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1179ms]
About%20Us              [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
SAM                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1779ms]
Welcome!                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1892ms]
:: Progress: [87664/87664] :: Job [1/1] :: 23 req/sec :: Duration: [0:54:16] :: Errors: 0 ::

Next Step

  • scan for users
    • wpscan --url http://metapress.htb/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <================================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] admin | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Rss Generator (Passive Detection) | Wp Json Api (Aggressive Detection) | - http://metapress.htb/wp-json/wp/v2/users/?per_page=100&page=1 | Rss Generator (Aggressive Detection) | Author Sitemap (Aggressive Detection) | - http://metapress.htb/wp-sitemap-users-1.xml | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection)

[+] manager | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)

With these scans I discovered that their appears to be no plugins and one theme Twenty Twenty-One. Their also appeared to be 2 users admin and manager both of which I ran multiple workforce attempts against using the following commands.

11 minutes to read

Precious.htb

Recon

  • Host name

  • Rustscan rustscan -a 10.10.11.189

Open 10.10.11.189:22
Open 10.10.11.189:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-17 13:48 EST Initiating Ping Scan at 13:48 Scanning 10.10.11.189 [2 ports] Completed Ping Scan at 13:48, 0.53s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 13:48 Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 13:48 Scanning 10.10.11.189 [2 ports] Discovered open port 22/tcp on 10.10.11.189 Discovered open port 80/tcp on 10.10.11.189 Completed Connect Scan at 13:48, 0.33s elapsed (2 total ports) Nmap scan report for 10.10.11.189 Host is up, received syn-ack (0.48s latency). Scanned at 2022-12-17 13:48:42 EST for 1s

PORT STATE SERVICE REASON 22/tcp open ssh syn-ack 80/tcp open http syn-ack

  • Directory Brute force ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://precious.htb/FUZZ
none
  • VHOSTS gobuster vhost -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 -u precious.htb
none

Next Step

Since I did not find any subdomains or other web pages on the web server I decide to look at the main page to see if I could find a vulnerability. I began by spinning up a PHP web server using the php -S 0.0.0.0:80 command. I then create a simple HTML page that had some text and converted it to a PDF using the online PDF converter on http://precious.htb . Once I had a PDF that the web server made I used the exiftool ngveoebbpujxmgb2pxfbmu5p3cr7ddg3.pdf command to see what generated the PDF document.

4 minutes to read