Showing posts with the label HackTheBox-writeups

Knife - HackTheBox

htb
What we can learn from this machine
Enumeration Burp Suite PHP Vulnerability Ruby - (Knife)
Let’s start with an nmap scan.
# Nmap 7.91 scan initiated Wed Jun 9 10:33:27 2021 as: nmap -sC -sV -A -Pn -oN scans/nmap-output 10.10.10.242
Nmap scan report for 10.10.10.242
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 9 10:33:51 2

Armageddon - HackTheBox

htb
What we learn from this machine:
Concepts Learnt: Enumeration Drupal exploit (metasploit) Snap privilege escalation python2
Let’s do this then. Always start with enumeration.
# Nmap 7.91 scan initiated Wed Jun 9 08:29:39 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.10.233
Nmap scan report for 10.10.10.233
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTAL

Script kiddie - HackTheBox

htb
About
What I learned from this machine
Enumeration Malicious payload (template bin) Reverse Shell Privilege escalation
Enumeration
# Nmap 7.91 scan initiated Fri Jun 4 15:33:24 2021 as: nmap -sV -sC -oN nmap/scan.txt 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
|_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
5000/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.5)
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 4 15:33:52 2021 -- 1 IP address (1 host up) sca

Delivery - HackTheBox

htb
About the Delivery
Delivery is an easy difficulty Linux machine that features the support ticketing system osTicket, where a technique called TicketTrick allows an unauthenticated user to be granted access to a temporary company email. This “feature” permits registration at MatterMost and joining the internal team channel. That channel reveals that users have been using the same password variant “PleaseSubscribe!” for internal access. The channel also discloses the credentials for the mail user, which give the initial foothold on the system. While enumerating the file system we come across the Mattermost configuration file, which reveals MySQL database credentials. With access to the database, a password hash can be extracted from the Users table and cracked using the “PleaseSubscribe!” pattern. After cracking the hash it is possible to log in as user root.
Skills Required: Basic web enumeration / Brute force