HackTheBox | MonitorsThree

In this walkthrough, I demonstrate how I obtained complete ownership of MonitorsThree on HackTheBox

Initial Foothold Hint

  • The initial nmap scan shows only tcp/22 and tcp/80 on the target
    • You likely know that SSH is almost never the first way in
    • So, focus on your web skills here
  • What is the web server technology called that allows a single IP address to serve multiple host names?
    • How would you enumerate this feature of the web server?
  • The attack surface on the web server home page isn't huge
    • There's really only one input point that isn't a login form
    • When you see an input form that expects a username, it's probably looking that username up in a database of some kind to ensure it's valid
    • What kinds of inputs can you enter into the form that might inject some malicious characters into the lookup?
  • Check for information re-use
  • Once logged into the alternate server, you should be able to find a CVE that allows remote code execution (RCE)
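The username lookup that the hints above describe, as an added example (not code from the walkthrough or from the target), using a constructed in-memory SQLite table: the string-built query lets a quote character in the submitted username change the SQL, while the parameterized query binds the same input as data.

```python
import sqlite3

# Constructed sample users standing in for whatever the real form looks up.
SEED_USERS = [("admin", "admin@example.test"), ("alice", "alice@example.test")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database seeded with SEED_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Username concatenated into the statement: quotes in the input are parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Parameterized statement: the driver binds the input, so it is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def compare(username: str):
    """Return (vulnerable_result, safe_result) for one submitted username.

    A syntax error raised by the string-built query is reported as a string
    so the caller can see that the input broke the statement.
    """
    conn = make_db()
    try:
        try:
            vuln = lookup_vulnerable(conn, username)
        except sqlite3.Error as exc:
            vuln = f"error: {exc.__class__.__name__}"
        return vuln, lookup_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(name), "->", compare(name))
```

A legitimate name containing an apostrophe breaks the concatenated query outright, and a quote-terminated tautology turns it into a match for every row; the bound query returns exactly the matching user or nothing.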

Privilege Escalation Hint

  • Enumerate thoroughly and look at:
    • Internally-facing TCP ports
    • Interesting files
  • You should find an internal service running
    • You should also find some databases that you can transfer to your attack box for analysis. What interesting data can you find in the databases?
  • Do your research on the internal web server
    • Now that you possess some sensitive information on the internal server, you should be able to find some research that shows you how to log in with the information you possess.
    • If you look at its configuration files, you'll note that it's running with some sensitive privileges. What in the configuration files gives this away?

Owned MonitorsThree from Hack The Box!
I have just owned machine MonitorsThree from Hack The Box

Nmap Results

# Nmap 7.94SVN scan initiated Mon Aug 26 17:42:14 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.202.183
Nmap scan report for 10.129.202.183
Host is up (0.087s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_  256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8084/tcp filtered websnp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 26 17:42:56 2024 -- 1 IP address (1 host up) scanned in 41.54 seconds
💡
Don't miss an opportunity to find some breadcrumbs in the nmap output. We can see the HTTP redirect to http://monitorsthree.htb in the tcp/80 output, so let's go ahead and get that added to our /etc/hosts file.
echo -e '10.129.202.183\t\tmonitorsthree.htb' | sudo tee -a /etc/hosts

⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN