Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Walk-throughs
  2. HTB Endgames

Hades

Entry Point

10.13.38.16

initial nmap scan

sudo nmap -p- --min-rate 1500 -T4 10.13.38.16 | cut -d'/' -f1 | tr '\n' ','

we can see we have the following port open on the target machine

443

Lets see if we can enumerate further information

sudo nmap -sCV -p443 -A -oA TCP_10.13.38.16 10.13.38.16

results

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-21 20:31 EST
Nmap scan report for 10.13.38.16
Host is up (0.29s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=10.13.38.16/organizationName=Gigantic Hosting Limited/stateOrProvinceName=New York/countryName=US
| Not valid before: 2019-09-04T21:52:00
|_Not valid after:  2039-08-30T21:52:00
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2012|8|Phone|7 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Embedded Standard 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   286.09 ms 10.10.14.1
2   286.68 ms 10.13.38.16

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds

Whatwe can see

  • We have HTTPS enabled Apache 2.4.29 (Ubuntu)

  • Server itself may be windows server 2012

HTTPS

we can see

  • Web server is running Ubuntu (server or container?)

  • we have emails

    • sales@gigantichosting.com

    • we can add the domain name to our hosts file

  • we find /ssltools/certificate.php which looks like a tool to retrieve the SSL cert from a specified domain name or IP address

Lets play around with this

  1. we want to request our own IP address, and see if we can sniff out any data, Since the client (certificate.php) is utilizing SSL we cant simply view the HTTP data directly, we need to utilize a tool called MITMPROXY

  • we can donwload the following tools from 

sudo /opt/mitmdump -p 443 --mode reverse:https://10.13.38.16 --ssl-insecure --set flow_detail=3

  • -p: specifying our local port '443'

  • -mode reverse:https://10.13.18.16: this will set mitmproxy in reverse proxy mode, forwarding traffic back to our target

  • --ssl-insecure: disables ssl certificate validation

  • --set flow_detail=3: This setts the verbosity of flow details to a level 3

  1. Now we can point the PHP function to our local machine

  • after trying to send a request back to our local machine we wearnt getting anything

Looking at the SSL certificate for the website we can find another email address

  • it@gigantichosting.com

feroxbuster

i want to see if we can find any hidden web pages

feroxbuster -k -u https://gigantichosting.com -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o 10.13.38.16_dirs.txt -x php

results

301      GET        9l       28w      329c https://gigantichosting.com/images => https://gigantichosting.com/images/
200      GET      151l      439w     6090c https://gigantichosting.com/support.html
200      GET       21l      187w    12696c https://gigantichosting.com/images/logo.png
200      GET       33l      144w    12681c https://gigantichosting.com/images/c-logo5.png
200      GET      239l      841w    10374c https://gigantichosting.com/services.html
200      GET       21l       97w     7075c https://gigantichosting.com/images/c-logo1.png
200      GET      207l      689w     9174c https://gigantichosting.com/about.html
200      GET       33l      161w    11330c https://gigantichosting.com/images/c-logo6.png
200      GET       24l      156w    11339c https://gigantichosting.com/images/c-logo4.png
200      GET      270l      929w    11930c https://gigantichosting.com/clients.html
200      GET      357l      990w     8186c https://gigantichosting.com/css/owl.carousel.css
200      GET      343l     1065w    14688c https://gigantichosting.com/index.html
200      GET        4l     1421w    96381c https://gigantichosting.com/js/jquery.min.js
200      GET       50l      118w     1268c https://gigantichosting.com/js/nav.js
200      GET        4l       48w    17780c https://gigantichosting.com/fonts/css/font-awesome.min.css
200      GET       23l      133w    10584c https://gigantichosting.com/images/c-logo.png
200      GET       23l      123w     9804c https://gigantichosting.com/images/c-logo3.png
200      GET       77l      121w     1066c https://gigantichosting.com/ssltools/certificate.php
200      GET     1585l     3117w    28067c https://gigantichosting.com/css/style.css
200      GET     1470l     3315w    37908c https://gigantichosting.com/js/owl.carousel.js
200      GET     5785l    13825w   121261c https://gigantichosting.com/css/bootstrap.css
200      GET      343l     1065w    14688c https://gigantichosting.com/
301      GET        9l       28w      326c https://gigantichosting.com/css => https://gigantichosting.com/css/
301      GET        9l       28w      325c https://gigantichosting.com/js => https://gigantichosting.com/js/

PreviousHTB EndgamesNextXen

Last updated 1 year ago

Logomitmproxy - an interactive HTTPS proxy