Seventeen


tags: HackTheBox, sqli, file upload

Recon

nmap -sVC 10.10.11.165

Starting Nmap 7.92 ( <https://nmap.org> ) at 2022-07-09 00:37 EDT
Nmap scan report for seventeen.htb (10.10.11.165)
Host is up (0.091s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2e:b2:6e:bb:92:7d:5e:6b:36:93:17:1a:82:09:e4:64 (RSA)
|   256 1f:57:c6:53:fc:2d:8b:51:7d:30:42:02:a4:d6:5f:44 (ECDSA)
|_  256 d5:a5:36:38:19:fe:0d:67:79:16:e6:da:17:91:eb:ad (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Let's begin your education with us!
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open  http    Apache httpd 2.4.38
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: Host: 172.17.0.12; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 18.45 seconds

Directories of the landing page

gobuster dir -u http://seventeen.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 50

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     <http://seventeen.htb>
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/21 18:13:18 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 312] [--> <http://seventeen.htb/css/>]
/images               (Status: 301) [Size: 315] [--> <http://seventeen.htb/images/>]
/js                   (Status: 301) [Size: 311] [--> <http://seventeen.htb/js/>]
/fonts                (Status: 301) [Size: 314] [--> <http://seventeen.htb/fonts/>]

===============================================================
2022/07/21 18:15:47 Finished
===============================================================

https://i.imgur.com/IFKEi8a.png

There used to be a /vendor page, but it now seems inaccessible.

Port 8000 is inaccessible. Gobuster with my normal wordlists did not turn anything up; however, with the patched vendor directories as a wordlist, these came up.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     <http://seventeen.htb:8000>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                wordlist.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/21 20:42:12 Starting gobuster in directory enumeration mode
===============================================================
/oldmanagement        (Status: 301) [Size: 329] [--> <http://seventeen.htb:8000/oldmanagement/>]
/mastermailer         (Status: 301) [Size: 328] [--> <http://seventeen.htb:8000/mastermailer/>]
===============================================================
2022/07/21 20:42:13 Finished
===============================================================
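
From the defender's side, the gobuster runs above leave a recognisable trail in the web server's access log: the default gobuster/3.1.0 user agent shown in the banner, and a burst of 404 responses across many distinct paths. The following Python detector is an added example, not part of the original write-up; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

def _line(ip, path, status, ua):
    return f'{ip} - - [21/Jul/2022:20:42:12 +0000] "GET {path} HTTP/1.1" {status} 329 "-" "{ua}"'

# Constructed sample traffic (documentation IP ranges, not from the target host).
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", p, 404, "gobuster/3.1.0") for p in ("/admin", "/backup", "/old", "/test")]
    + [_line("192.0.2.10", p, 301, "gobuster/3.1.0") for p in ("/oldmanagement", "/mastermailer")]
    + [_line("198.51.100.7", f"/guess{i}", 404, "Mozilla/5.0") for i in range(8)]
    + [_line("203.0.113.9", p, 200, "Mozilla/5.0") for p in ("/", "/css/", "/js/", "/images/", "/fonts/")]
    + [_line("203.0.113.9", "/favicon.ico", 404, "Mozilla/5.0")]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_enumeration(log_text, min_requests=5, min_404_ratio=0.6):
    """Return {client_ip: [reasons]} for clients that look like directory brute forcers."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "uas": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        s = stats[m["ip"]]
        s["total"] += 1
        s["not_found"] += m["status"] == "404"
        s["paths"].add(m["path"])
        s["uas"].add(m["ua"])
    findings = {}
    for ip, s in stats.items():
        reasons = []
        # Cheap signal: the default user agent shown in the gobuster banner.
        if any(ua.lower().startswith("gobuster/") for ua in s["uas"]):
            reasons.append("gobuster user agent")
        # Behavioural signal: many distinct paths, most of them missing.
        if (s["total"] >= min_requests and len(s["paths"]) >= min_requests
                and s["not_found"] / s["total"] >= min_404_ratio):
            reasons.append(f"{s['not_found']}/{s['total']} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The user-agent match only catches default settings; the 404-ratio check is the one that still fires when the client presents a browser user agent.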

Oldmanagement is a login portal for students.

https://i.imgur.com/cdhaaG8.png

Mastermailer looks like it's for some sort of mail service.

https://i.imgur.com/GP3zaRT.png

Vhosts

gobuster vhost -u http://seventeen.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          <http://seventeen.htb>
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/07/09 01:14:19 Starting gobuster in VHOST enumeration mode
===============================================================
Found: exam.seventeen.htb (Status: 200) [Size: 17375]

https://i.imgur.com/mZonT0V.png

Directories of the subdomain

gobuster dir -u http://exam.seventeen.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -t 50