Initial Foothold Hint:

• Look at all of the places on the web site that accept user input
• What are some common vulnerabilities to test for in input points?
• What characters make the server angry? And based on these characters, what kind of injection do you think you've found?
• What tool might help you automate further probing of this input point?

Privilege Escalation Hint:

• What users are present on the system?
• The box is named Usage, so something is being "monitored"
• What service is running on the box that might help with this?
• Did you find any interesting files pertaining to this service?
• Is any of the information in this file reused elsewhere?

Nmap Results

# Nmap 7.94SVN scan initiated Mon Apr 15 15:17:08 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.11.18
Nmap scan report for 10.10.11.18
Host is up (0.013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_  256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 15 15:17:24 2024 -- 1 IP address (1 host up) scanned in 16.01 seconds

In the nmap output for tcp/80, we can see the redirect to http://usage.htb, so let's go ahead and add that to our /etc/hosts file.

echo '10.10.11.18        usage.htb' | sudo tee -a /etc/hosts