Jarvis — HackTheBox Writeup

This is a writeup for the Jarvis machine

Enumeration:

1.NMAP SCAN: CHECK SERVICES

Akuma@kali:~$ nmap -T4 -A -O -v -p - 10.10.10.143
PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_Supported Methods: GET HEAD POST OPTIONS
|http-server-header: Apache/2.4.25 (Debian) |_http-title: Stark Hotel
64999/tcp open http Apache httpd 2.4.25 ((Debian)) | http-methods: |
Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).

2. DIRBUSTER: FIND ENTRY POINTS WITHIN THE WEB APPlication.

Akuma@kali:~$ dirb http://10.10.10.143/
-----------------
[...]
URL_BASE: http://10.10.10.143/
[...]
---- Scanning URL: http://10.10.10.143/ ----
==> DIRECTORY: http://10.10.10.143/css/
==> DIRECTORY: http://10.10.10.143/fonts/
==> DIRECTORY: http://10.10.10.143/images/
+ http://10.10.10.143/index.php (CODE:200|SIZE:23628)
==> DIRECTORY: http://10.10.10.143/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/
+ http://10.10.10.143/server-status (CODE:403|SIZE:300)
[...]
---- Entering directory: http://10.10.10.143/phpmyadmin/ ----
+ http://10.10.10.143/phpmyadmin/ChangeLog (CODE:200|SIZE:19186)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/doc/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/examples/
+ http://10.10.10.143/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://10.10.10.143/phpmyadmin/index.php (CODE:200|SIZE:15211)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/libraries/
+ http://10.10.10.143/phpmyadmin/LICENSE (CODE:200|SIZE:18092)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/locale/
+ http://10.10.10.143/phpmyadmin/phpinfo.php (CODE:200|SIZE:15228)
+ http://10.10.10.143/phpmyadmin/README (CODE:200|SIZE:1520)
+ http://10.10.10.143/phpmyadmin/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/setup/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/sql/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/templates/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/themes/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/tmp/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/vendor/

3.sqlmap

password hash and the clear-text
Exploiting the SUID

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store