Zumpyx Blog

Yummy

Machines#628HardLinux

Tags: SQLi、Hashcat、Ghauri、Cacti、CVE-2024-25641、Mysql、SSH_Proxy、Duplicati

Recon & Enum

nmap -p- --min-rate 1000 -T4 -sC -sV -O -v yummy.htb
---
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a2:ed:65:77:e9:c4:2f:13:49:19:b0:b8:09:eb:56:36 (ECDSA)
|_  256 bc:df:25:35:5c:97:24:f2:69:b4:ce:60:17:50:3c:f0 (ED25519)
80/tcp open  http    Caddy httpd
|_http-favicon: Unknown favicon MD5: 0C6ECE85EA540E6ABEBA19B1436C17E2
| http-methods: 
|_  Supported Methods: POST HEAD GET OPTIONS
|_http-title: Yummy
|_http-server-header: Caddy
ffuf -u http://yummy.htb/ -H 'Host: FUZZ.yummy.htb' -w subdomains.txt -fs 39296
---
gobuster dns -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt -d [domain_name] -r [dns_ip]
---
gobuster dir -k --random-agent -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u 'http://[domain]'
---

gobuster dir -k --random-agent -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u 'http://[subdomain]'
---
ldapsearch -H "ldap://$IP" -x -s base namingcontexts

Shell as User1

Local Enum

...
[suid]
...
[server port]
...

Shell as User2

Local Enum

...
user2 (nopasswd)
...

Shell as Root

More and More

这个靶机的主要难点,在于发现 XSS 漏洞后,如何进一步利用 …

Dump Hash

Exploit

Other

https://app.hackthebox.com/home https://app.hackthebox.com/machines https://app.hackthebox.com/challenges