Link to challenge: https://academy.hackthebox.com/module/163
(log in required)
Class: Tier II | Medium | Offensive
Before we begin: throughout the module we will need to configure our
pwnbox /etc/hosts File by adding the line:
[target machine IP] [required vhosts]
To link the vhost to the target IP address. For example:
It can be done with the command
sudo nano /etc/hosts
then pasting the configuration modification, and save and exit with ctrl+x.
Throughout the module this process would be called ‘initial configuration’
,External Testing
External Information Gathering:
Question: Perform a banner grab of the services listening on the target host
and find a non-standard service banner. Submit the name as your answer
(format: word_word_word)
Answer: 1337_HTB_DNS
Method: First, we will need do initial configuration on vhost
‘inlanefreight.local’ and the target IP.
Now lets run nmap to check for any non-standard services, we will use the
command:
sudo nmap --open inlanefreight.local -p 1-10000
where our target of course is ‘inlanefreight.local’ (which we linked to the target
machine IP), scanning for the first 1000 ports, displaying what of them are
open:
Lets inspect it further with the command:
sudo nmap inlanefreight.local --open -p 1-10000 -A -oA
inlanefreight_ept_tcp_all_svc
saving the output in an output file called ‘inlanefreight_ept_tcp_all_svc’, as the
output result is way way too much long and noicy, here is a small sample of it:
,Running
ls
we have those 3 formats of the output file
Lets inspect further the ‘gnmap’ (
)
We will use the command:
egrep -v "^#|Status: Up" inlanefreight_ept_tcp_all_svc.gnmap
| cut -d ' ' -f4- | tr ',' '\n' | sed -e 's/^[ \t]*//' | awk
-F '/' '{print $7}' | grep -v "^$" | sort | uniq -c | sort -
k 1 -nr
And we have the answer here as ‘unknown banner’.
,Question: Perform a DNS Zone Transfer against the target and find a flag.
Submit the flag value as your answer (flag format: HTB{ }).
Answer: HTB{DNs_ZOn3_Tr@nsf3r}
Method: we will run zone transfer on the domain using the command:
dig axfr inlanefreight.local @inlanefreight.local
We can see the flag under the subdomain ‘flag.inlanefreight.local’
Question: What is the FQDN of the associated subdomain?
Answer: flag.inlanefreight.local
Method: see above.
Question: Perform vhost discovery. What additional vhost exists? (one word)
Answer: monitoring
Method: we will run the command
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt:FUZZ
-u http://inlanefreight.local/ -H
'Host:FUZZ.inlanefreight.local' -fs 15157
to use ‘ffuf’ tool to brute force subdomains, using the wordlist namelist.txt
which is built in, in the box in the path
‘/usr/share/seclists/Discovery/DNS/namelist.txt’:
,The subdomain that was found and is not detected in the zone transfer is
‘monitoring’.
Service Enumeration & Exploitation:
Question: Enumerate the accessible services and find a flag. Submit the flag
value as your answer (flag format: HTB{ }).
Answer: HTB{0eb0ab788df18c3115ac43b1c06ae6c4}
Method: we will check the ftp service, we will run the command:
ftp <target-IP>
and on the credentials we will enter ‘anonymous’ for username and blank
password:
,Running ‘ls’ we can see there is flag.txt, lets download it to the pwnbox
machine with the command:
get flag.txt
Lets exit the ftp server, and cat the flag we had just downloaded:
,Web Enumeration & Exploitation:
Question: Use the IDOR vulnerability to find a flag. Submit the flag value as
your answer (flag format: HTB{}).
Answer: HTB{8f40ecf17f681612246fa5728c159e46}
Method: First, we will need do initial configuration on vhost
‘careers.inlanefreight.local’ and the target IP.
When its done, lets enter in the pwnbox browser the URL:
‘http://careers.inlanefreight.local’
lets create an account:
Then lets login to it
,And now when are logged in:
Here are the main dashboard of our user, pay attention that our user was
assigned the ‘id’ parameter of ‘9’.
Now – IDOR attack means ‘Insecure Direct Object Reference’, so lets try to
change the ID value to something else.. lets say 1:
We got the job list of another user! (note, it will not work without registering
first to our own user).
After some trial and error, lets try id=4:
,Question: Exploit the HTTP verb tampering vulnerability to find a flag. Submit
the flag value as your answer (flag format: HTB{}).
Answer: HTB{57c7f6d939eeda90aa1488b15617b9fa}
Method: First, we will need do initial configuration on vhost
‘dev.inlanefreight.local’ and the target IP.
Now, lets use ‘gobuster’ to enumerate the domain for pages, we will use the
wordlist ‘common.txt’ in ‘/usr/share/seclists/Discovery/Web-
Content/common.txt’ built in in the pwnbox.
We will use the command:
gobuster dir -u http://dev.inlanefreight.local -w
/usr/share/seclists/Discovery/Web-Content/common.txt -x .php
-t 300
where dev.inlanefreight.local is our vhost of course:
*
*
, Lets attempt to enter the ‘upload.php’ page, the status code is 200 so we
should succeed:
We got ‘403 forbidden’ response, which contradict the gobuster ‘upload.php’
status code ‘200’ response.
We need to examine the page further.
Lets use the web investigation and analysis tool ‘burpsuite’:
burpsuite
when entering, a burpsuite window will open, select ‘next’ and ‘start’ until we
see the burpsuite main dashboard:
Lets go to ‘proxy’ ‘open browser: