Preignition (Tier 0)

Description

  • Tier -> 0

  • Difficulty -> Very Easy

  • OS -> Linux

  • Tags -> Custom Applications / Apache / Reconnaissance / Web Site Structure Discovery / Default Credentials

Write-up

  • With a little research, I started answering the first questions

Answer: dir busting


Answer: -sV


  • Then I continued by doing an initial port scan of the machine using Nmap

nmap 10.129.218.32 -p- -Pn --min-rate 2500 -oN scan.txt

  • With this, I answered the next question

Answer: http


  • I also did an exhaustive scan of the ports we found to get information about the services running

nmap 10.129.218.32 -p80 -sVC -oN serv_scan.txt

  • With this and a little research, I answered the next questions

Answer: nginx 1.14.2


Answer: dir


Answer: -x php


  • As I found a port was running the HTTP protocol, I checked the content deployed via the web browser, where I just found a default page for the Nginx server


  • Checking the source code didn't give me any relevant information, so I tried to fuzz the URL of the site using gobuster, and with this I found there was an available route at /admin.php

gobuster dir -u http://10.129.218.32/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o fuzz.txt

  • With this and a little research, I answered the next questions

Answer: admin.php


Answer: 200
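
Seen from the server side, the gobuster run above shows up in the nginx access log as one client requesting many distinct paths that almost all return 404. The Python sketch below is an added example, not part of the original write-up; the function names, thresholds and log lines are constructed for illustration and assume nginx's default "combined" log format.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format; the User-Agent is matched but not used
# for detection, because a scanner can set it to anything.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

def find_dir_busting(lines, min_paths=20, min_404_ratio=0.8):
    """Return {client_ip: report} for clients whose traffic looks like wordlist enumeration."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": set(), "hits": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = per_ip[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] == "404":
            s["not_found"] += 1
        elif m["status"].startswith(("2", "3")):
            s["hits"].add(m["path"])  # paths the scan actually found
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["not_found"] / s["total"]
        # Many distinct paths, nearly all 404: a wordlist, not a browser.
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2),
                           "discovered": sorted(s["hits"])}
    return flagged

def build_sample_log():
    """Constructed sample: one scanner (203.0.113.5) and one normal visitor (198.51.100.7)."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {st} 162 "-" "{ua}"'
    words = [f"/word{i}" for i in range(30)] + ["/admin.php"]
    log = [fmt.format(ip="203.0.113.5", sec=i, path=p,
                      st=200 if p == "/admin.php" else 404, ua="gobuster/3.6")
           for i, p in enumerate(words)]
    log += [fmt.format(ip="198.51.100.7", sec=5, path=p, st=200, ua="Mozilla/5.0")
            for p in ("/", "/favicon.ico")]
    return log

if __name__ == "__main__":
    for ip, report in find_dir_busting(build_sample_log()).items():
        print(ip, report)
```

The "discovered" list tells the defender which paths the scan turned up, so those endpoints (here the admin login) are the first place to check for follow-on login attempts.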


  • So I went to this site and found there was a login page, where I tried to log in using common credentials, and discovered that using the combination of username admin and password admin, I logged in successfully, seeing a message that gave me the root flag


  • With this, I got the root flag and pwned the machine

Answer: 6483bee07c1c1d57f14e5b0717503c73
