Analytics - HTB

INFO: IP: 10.10.11.233 Enum Nmap gives this output: PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA) |_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://analytical.htb/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel with this command: nmap -sV -sC -p- 10.10.11.233. The IP redirects to analytical.htb in the browser, so we have to put it in our /etc/hosts. Usually, changing hosts is a sign to do vhost enumeration, so we can run both vhost and dir gobuster in the background while we explore the webpage. ...

September 25, 2024 · 1 min · 196 words · Fabian

Codify - HTB

Notes IP: 10.10.11.239 Difficulty: Easy User flag: Root flag: Nmap scan: nmap -sV -p- 10.10.11.239 gives us: PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.52 3000/tcp open http Node.js Express framework Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel. There is a code editor on the website http://codify.htb/editor. Looking behind the scenes, we find this JavaScript code: ...

September 25, 2024 · 3 min · 520 words · Fabian

Pilgrimage - HTB

Enumeration with the nmap command nmap -p- -sV -sC 10.10.11.219 we got this result: PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 20be60d295f628c1b7e9e81706f168f3 (RSA) | 256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA) |_ 256 d14e293c708669b4d72cc80b486e9804 (ED25519) 80/tcp open http nginx 1.18.0 |_http-title: Did not follow redirect to http://pilgrimage.htb/ |_http-server-header: nginx/1.18.0 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel. So we know there’s an SSH server and an HTTP server running nginx 1.18.0. Going to the website, we come to this page: ...

September 25, 2024 · 6 min · 1113 words · Fabian

SAU - HTB

Nmap Nmap gives the following output: PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 aa8867d7133d083a8ace9dc4ddf3e1ed (RSA) | 256 ec2eb105872a0c7db149876495dc8a21 (ECDSA) |_ 256 b30c47fba2f212ccce0b58820e504336 (ED25519) 80/tcp filtered http 8338/tcp filtered unknown 55555/tcp open unknown | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 400 Bad Request | Content-Type: text/plain; charset=utf-8 | X-Content-Type-Options: nosniff | Date: Mon, 06 Nov 2023 16:33:37 GMT | Content-Length: 75 | invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$ | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 302 Found | Content-Type: text/html; charset=utf-8 | Location: /web | Date: Mon, 06 Nov 2023 16:33:11 GMT | Content-Length: 27 | href="/web">Found</a>. | HTTPOptions: | HTTP/1.0 200 OK | Allow: GET, OPTIONS | Date: Mon, 06 Nov 2023 16:33:11 GMT |_ Content-Length: 0 With this command: nmap -p- -sV -sC 10.10.11.224 Web Accessing both port 80 and port 8338 gives us no response in Firefox. However, port 55555 gives us something: ...

September 25, 2024 · 4 min · 784 words · Fabian