HackTheBox, sqli, file upload
nmap -sVC 10.10.11.165
Starting Nmap 7.92 ( <https://nmap.org> ) at 2022-07-09 00:37 EDT
Nmap scan report for seventeen.htb (10.10.11.165)
Host is up (0.091s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2e:b2:6e:bb:92:7d:5e:6b:36:93:17:1a:82:09:e4:64 (RSA)
| 256 1f:57:c6:53:fc:2d:8b:51:7d:30:42:02:a4:d6:5f:44 (ECDSA)
|_ 256 d5:a5:36:38:19:fe:0d:67:79:16:e6:da:17:91:eb:ad (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Let's begin your education with us!
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open http Apache httpd 2.4.38
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: Host: 172.17.0.12; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds
Directories of the landing page
gobuster dir -u <http://seventeen.htb> -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: <http://seventeen.htb>
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/07/21 18:13:18 Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 312] [--> <http://seventeen.htb/css/>]
/images (Status: 301) [Size: 315] [--> <http://seventeen.htb/images/>]
/js (Status: 301) [Size: 311] [--> <http://seventeen.htb/js/>]
/fonts (Status: 301) [Size: 314] [--> <http://seventeen.htb/fonts/>]
===============================================================
2022/07/21 18:15:47 Finished
===============================================================
There used to be a /vendor page, but it now seems inaccessible.
Port 8000 is inaccessible. Gobuster with my normal wordlists did not turn anything up; however, with the patched vendor directories as a wordlist, these came up.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: <http://seventeen.htb:8000>
[+] Method: GET
[+] Threads: 10
[+] Wordlist: wordlist.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/07/21 20:42:12 Starting gobuster in directory enumeration mode
===============================================================
/oldmanagement (Status: 301) [Size: 329] [--> <http://seventeen.htb:8000/oldmanagement/>]
/mastermailer (Status: 301) [Size: 328] [--> <http://seventeen.htb:8000/mastermailer/>]
===============================================================
2022/07/21 20:42:13 Finished
===============================================================
Oldmanagement is a login portal for students.
Mastermailer looks like it's for some sort of mail service.
Vhosts
gobuster vhost -u <http://seventeen.htb> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: <http://seventeen.htb>
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/07/09 01:14:19 Starting gobuster in VHOST enumeration mode
===============================================================
Found: exam.seventeen.htb (Status: 200) [Size: 17375]
Directories of the subdomain
gobuster dir -u <http://exam.seventeen.htb> -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 50