GoodGames

Category: Fullpwn Solver: rgw, 3mb0, t0b1 Flag (user): HTB{7h4T_w45_Tr1cKy_1_D4r3_54y} Flag (root): HTB{M0un73d_F1l3_Sy57eM5_4r3_DaNg3R0uS} Writeup User We receive a machine IP. Upon a portscan, we find that only port 80 is open. The website, GoodGames, contains some random information and a signup and login page. We can sign up and log in with a user, but nothing new appears on the site. We see that the login page is vulnerable to sql injection. We run SQLMap, dump all tables and see that one table, users, contains a user adminwith email admin@goodgames.htb and hashed password 2b22337f218b2d82dfc3b6f77e7cb8ec. When putting the hash into crackstation [1], we find that the cleartext is superadministrator. ...

December 2, 2021 · 3 min · rgw, 3mb0, t0b1

Object

Category: Fullpwn Solver: lmarschk Flag: HTB{c1_cd_c00k3d_up_1337!} Writeup When scanning the machine, we get the following results Nmap scan report for 10.129.96.74 Host is up (0.036s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Mega Engines 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 8080/tcp open http Jetty 9.4.43.v20210629 | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Jetty(9.4.43.v20210629) |_http-title: Site doesn't have a title (text/html;charset=utf-8). Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 109.79 seconds When looking at port 8080, we find a Jenkins with an open registration form. When registering there, we can create a new project via New Item -> Freestyle Project. ...

December 2, 2021 · 2 min · lmarschk