Hackthebox - Format

Initial Enumeration

# Nmap 7.93 scan initiated Sun May 14 20:30:05 2023 as: nmap -sC -sV -oN nmap/format format.htb
Nmap scan report for format.htb (10.129.33.180)
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c397ce837d255d5dedb545cdf20b054f (RSA)
| 256 b3aa30352b997d20feb6758840a517c1 (ECDSA)
|_ 256 fab37d6e1abcd14b68edd6e8976727d7 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
3000/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://microblog.htb:3000/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 14 20:30:28 2023 -- 1 IP address (1 host up) scanned in 23.52 seconds
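The scan above is the only enumeration data the writeup shows, and the detail that matters most for the rest of the box is hidden in an NSE script line: port 3000 redirects to a vhost (microblog.htb) that is not in DNS. As an added example (not part of the original writeup), here is a small parser for nmap's normal (-oN) output that pulls the host, open ports, versions and per-port script results, and extracts any hostnames that http-title reports as unfollowed redirects so they can be added to /etc/hosts before continuing. The sample input is the scan from this page embedded as a string; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample input: the nmap -oN output shown in the writeup, embedded so this runs offline.
SAMPLE_NMAP = """\
# Nmap 7.93 scan initiated Sun May 14 20:30:05 2023 as: nmap -sC -sV -oN nmap/format format.htb
Nmap scan report for format.htb (10.129.33.180)
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c397ce837d255d5dedb545cdf20b054f (RSA)
| 256 b3aa30352b997d20feb6758840a517c1 (ECDSA)
|_ 256 fab37d6e1abcd14b68edd6e8976727d7 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
3000/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://microblog.htb:3000/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script name -> first output line


# "22/tcp open ssh OpenSSH 8.4p1 ..." -> port, proto, state, service, version text
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-title: ..." or "| ssh-hostkey:" -> script name and its first line of output
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")


def parse_nmap(text):
    """Parse nmap normal output into (host dict, list of Port)."""
    host = None
    ports = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = {"name": m.group(1), "ip": m.group(2)}
            continue
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3),
                           m.group(4), m.group(5).strip())
            ports.append(current)
            continue
        # Script output lines belong to the most recent port. Continuation lines
        # (e.g. individual ssh host keys) have no "name:" prefix and are skipped here.
        if current is not None and line.startswith("|"):
            m = SCRIPT_RE.match(line)
            if m:
                current.scripts[m.group(1)] = m.group(2)
    return host, ports


def redirect_hosts(ports):
    """Hostnames that http-title reports as unfollowed redirects (candidate vhosts)."""
    hosts = set()
    for p in ports:
        title = p.scripts.get("http-title", "")
        m = re.search(r"redirect to (\S+)", title)
        if m:
            name = urlparse(m.group(1)).hostname
            if name:
                hosts.add(name)
    return sorted(hosts)


if __name__ == "__main__":
    host, ports = parse_nmap(SAMPLE_NMAP)
    print(f"{host['name']} ({host['ip']})")
    for p in ports:
        print(f"  {p.number}/{p.proto} {p.state} {p.service} {p.version}")
    for name in redirect_hosts(ports):
        print(f"add to /etc/hosts: {host['ip']} {name}")
```

Run on the sample it reports microblog.htb as a vhost to add to /etc/hosts for 10.129.33.180, which is exactly the step the writeup takes next; on a larger scan the same parser gives a quick list of every host that a web service expects to be addressed by name.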

Let's visit format.htb; opening it redirects me to app.microblog.htb.

Opening microblog.htb:3000 we see it is a Gitea server.

We also find a potential user, cooper, and a website which seems to

Going back to port 80 we see a service which lets you host your own blog.

Let's register and try to play around with the service.

Let's register a user and create a subdomain.

We can add content to the page using

We can read files by creating new txt/header content.

We see we can control /static/(*)/(*) and can possibly inject into the protocol to set pro.

Getting Pro

Using the socket we can write to the socket; ref

We can upload an image to get the uploads path.

So going back to the code we see

Let's write to uploads, as it has mode 700, so www-data can write there and execute that file.

RCE:

And we get a shell as www-data.

From Redis I get the password: zooperdoopercooper

User -> Root

And we get root with the password unCR4ckaBL3Pa$$w0rd

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/format/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.