So I used the nmap tool to scan the ports and found some open ports which are vulnerable.
Result of nmap:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-18 10:48 EDT
Nmap scan report for 10.10.10.229
Host is up (0.23s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE          VERSION
22/tcp   open  ssh              OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http             nginx 1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql            MySQL (unauthorized)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
8081/tcp open  blackice-icecap?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Fri, 18 Jun 2021 14:49:10 GMT
|     Connection: close
|     Hello World
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Fri, 18 Jun 2021 14:49:09 GMT
|     Connection: close
|     Hello World
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Fri, 18 Jun 2021 14:49:16 GMT
|     Connection: close
|     Hello World
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.65 seconds
So we have open ports 22 (ssh) and 80, which is used by web servers; on this machine it is an nginx server.
Here I used the tool gobuster to find hidden directories, although some are already accessible.
web page on nginx server
gobuster dir -u http://10.10.10.229 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The website has an administrator login, which can be vulnerable. After checking the site, I found that the index at 10.10.10.229/testing was accessible. It contains sensitive information about the site and a list of configuration files.
The most interesting file here is wp-config.php.save, as it contains all the database information, such as the username and password.
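A defender-side check for the exposure described above, as an added example that is not part of the original write-up: it walks a web root and flags editor or backup copies of PHP files (such as wp-config.php.save) that define WordPress database constants. The suffix list, function names and sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Suffixes left behind by editors and manual backups (assumed list, extend as needed).
BACKUP_SUFFIXES = (".save", ".bak", ".old", ".orig", ".swp", "~")
# WordPress constants that carry database connection details.
SECRET_RE = re.compile(r"define\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")


def find_exposed_backups(web_root):
    """Return [(relative_path, sorted constant names)] for backup copies of PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            lower = name.lower()
            # e.g. wp-config.php.save: PHP source whose name no longer ends in .php,
            # so a handler rule matching "\.php$" skips it and it is served as text.
            if ".php" not in lower or lower.endswith(".php"):
                continue
            if not lower.endswith(BACKUP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                constants = sorted(set(SECRET_RE.findall(fh.read())))
            findings.append((os.path.relpath(path, web_root), constants))
    return sorted(findings)


def demo():
    """Build a constructed web root resembling the /testing directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        testing = os.path.join(root, "testing")
        os.makedirs(testing)
        config = ("<?php\ndefine( 'DB_USER', 'example_user' );\n"
                  "define( 'DB_PASSWORD', 'example_pass' );\n")
        for name in ("wp-config.php", "wp-config.php.save", "index.php"):
            with open(os.path.join(testing, name), "w") as fh:
                fh.write(config if name.startswith("wp-config") else "<?php\n")
        return find_exposed_backups(root)


if __name__ == "__main__":
    for rel_path, constants in demo():
        print(f"{rel_path}: exposes {', '.join(constants) or 'PHP source'}")
```

Run against the real document root from a deployment job or cron; any finding should be deleted or moved outside the web root, and the credentials it contained rotated.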