Initial Foothold Hint
- The initial nmap scan shows only tcp/22 and tcp/80 on the target
- You likely know that SSH is almost never the first way in
- So, focus on your web skills here
- What is the web server technology called that allows a single IP address to serve multiple host names?
- How would you enumerate this feature of the web server?
- The attack surface on the web server home page isn't huge
- There's really only one input point that isn't a login form
- When you see an input form that expects a username, it's probably looking that username up in a database of some kind to ensure it's valid
- What kinds of inputs can you enter into the form that might inject some malicious characters into the lookup?
- Check for information re-use
- Once logged into the alternate server, you should be able to find a CVE that allows remote code execution (RCE)
Privilege Escalation Hint
- Enumerate thoroughly and look at:
  - Internally-facing TCP ports
  - Interesting files
- You should find an internal service running
- You should also find some databases that you can transfer to your attack box for analysis. What interesting data can you find in the databases?
- Do your research on the internal web server
- Now that you possess some sensitive information on the internal server, you should be able to find some research that shows you how to log in with the information you possess.
- If you look at its configuration files, you'll note that it's running with some sensitive privileges. What in the configuration files gives this away?
Nmap Results
# Nmap 7.94SVN scan initiated Mon Aug 26 17:42:14 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.202.183
Nmap scan report for 10.129.202.183
Host is up (0.087s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_ 256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8084/tcp filtered websnp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 26 17:42:56 2024 -- 1 IP address (1 host up) scanned in 41.54 seconds
💡 Don't miss an opportunity to find some breadcrumbs in the nmap output. We can see the HTTP redirect to http://monitorsthree.htb in the tcp/80 output, so let's go ahead and get that added to our /etc/hosts file.

echo -e '10.129.202.183\t\tmonitorsthree.htb' | sudo tee -a /etc/hosts
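As an added example (not part of the original hint page), a small Python parser that pulls the port table and any "Did not follow redirect to" hostname out of nmap's -oN output and builds the matching /etc/hosts line, so the breadcrumb above is not missed on larger scans. The embedded scan text is a constructed excerpt of the results above; the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an excerpt of the nmap -oN output shown above,
# embedded so the script runs offline.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.202.183
Host is up (0.087s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8084/tcp filtered websnp
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
REDIRECT_RE = re.compile(r"Did not follow redirect to (\S+)")


def parse_nmap(text):
    """Return {ip: {"ports": [(port, state, service)], "hostnames": [...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:  # a new host block starts here
            current = hosts.setdefault(m.group(1), {"ports": [], "hostnames": []})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:  # port table row (the "PORT STATE ..." header does not match)
            current["ports"].append((int(m.group(1)), m.group(3), m.group(4)))
            continue
        m = REDIRECT_RE.search(line)
        if m:  # http-title breadcrumb: the vhost the server wants us to use
            host = urlparse(m.group(1)).hostname
            if host and host not in current["hostnames"]:
                current["hostnames"].append(host)
    return hosts


def hosts_entries(hosts):
    """One /etc/hosts line per IP that revealed a hostname, as in the tee command above."""
    return [f"{ip}\t\t{' '.join(h['hostnames'])}" for ip, h in hosts.items() if h["hostnames"]]
```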
⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.