Tracker
- User
- root
Loot
Proofs
| File | Flag |
|---|---|
| user.txt | |
| root.txt |
Passwords
| Username | Hash | Cleartext | Notes |
|---|---|---|---|
Summary
Overview/Highlights
OS: Ubuntu Linux
OS Version:
DNS Hostname:
Solution
Enumeration
I used a walkthrough for this one, just copied out the required ssh key, sshed in, and copied the root password so I could su - into their context. I suck and am ashamed of myself.
Open Ports
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9001/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) | VHosts: |_ 127.0.1.1:80 | X-Powered-By: Esigate
- OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from an unknown scanner. Directory Structure /clients.php (Status: 200) [Size: 2698] /db.php (Status: 200) [Size: 0] /home.php (Status: 200) [Size: 86] /index.php (Status: 200) [Size: 3353] /index.php (Status: 200) [Size: 3353] /login.php (Status: 200) [Size: 4345] /search.php (Status: 200) [Size: 1] /ticket.php (Status: 200) [Size: 86] /server-status (Status: 200) [Size: 7593]
Manual Enumeration
-
Web server has Vhosts
-
HTTP Header xpoweredby Esigate?
-
nikto reported finding /db.php, /login.php.
-
index.php has reference to "https://portal.quick.htb", so I know there are subdomains.
-
Ok, I'll check out these .php files first. First I'll add this host in my hosts file, along with the known subdomain.
-
navigating to home.php kicks up a javascript alert telling me I have an invalid user/pass, even though I didn't submit anything, then redirects to login.php.
-
Let's see whats running on 443 UDP with quiche from cloudflare.
This is when I bailed and used another walkthrough, so I didn't keep any detailed notes of my own.