Initial Foothold Hint
- The initial `nmap` scan reveals that only SSH and HTTP are open on the box. You likely already know that SSH is never the first way in, so bring your best web skills for the initial foothold.
- When you find the web form, look at all the form field names
- One field should be particularly interesting to you
- Before you go too crazy, just test a simple proof-of-concept (POC) with the form, see what happens
- What kind of exploits might you expect to find when you have "someone" clicking on your links?
- You might be wondering what web application is running this page
- There are clever ways to enumerate it. Look at the page source and see if you can find any file names on Google or GitHub.
- There is a CVE and public exploit for this version, but you may need to adjust your target URL, since I found a little bit of a bug in the way the exploit parses the target URL
- Also, if you're not getting any hits on your exploit, consider that the service might prefer hostnames over IP addresses (be patient as well, as there's a little delay with the exploit)
Privilege Escalation Hint
- As always, have a solid post-exploit enumeration methodology
- It's always a good idea to go back and look at configuration files, logs, and databases for the service where you established your foothold
- Lateral to User 1
- Always look for easy wins with the information you already possess
- Becoming Root
- What services might be running internally?
- Look carefully at all the interactive / input points of the service and consider what the server might be doing locally with certain inputs you provide
ℹ️
For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.
Nmap Results
# Nmap 7.94SVN scan initiated Wed Aug 14 14:51:12 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.192.248
Nmap scan report for 10.129.192.248
Host is up (0.091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 14 14:51:51 2024 -- 1 IP address (1 host up) scanned in 38.24 seconds
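As an added example (not part of the original writeup), here is a small parser for the nmap normal-output (-oN) format shown above: it pulls out the open ports with their versions and surfaces the http-cookie-flags finding so a scan like this can be triaged mechanically. The sample text is copied from the scan above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the nmap -oN output shown above.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.192.248
Host is up (0.091s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
"""

# A port line looks like: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output lines


def parse_nmap_normal(text):
    """Parse -oN text; NSE lines ('|' / '|_') attach to the preceding port."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortInfo(int(m.group(1)), m.group(2), m.group(3),
                               m.group(4), m.group(5).strip())
            ports.append(current)
        elif line.startswith("|") and current is not None:
            current.script_lines.append(line.lstrip("|_ ").strip())
    return ports


def open_services(ports):
    """Map open port number -> service name, e.g. {22: 'ssh', 80: 'http'}."""
    return {p.port: p.service for p in ports if p.state == "open"}


def cookie_flag_findings(ports):
    """Return (port, finding) pairs where NSE reported a cookie flag as not set."""
    return [(p.port, s) for p in ports for s in p.script_lines if "flag not set" in s]
```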
ℹ️
No particular breadcrumbs in the `nmap` output that would reveal any hostnames or anything special about the app other than the web server in use. I'm going to go ahead and add an `/etc/hosts` entry for convenience.
echo -e '10.129.192.248\t\tsea.htb' | sudo tee -a /etc/hosts
⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.