![](/htb/machines/retired/format/r1U9U_RE3.png)
Initial Enumeration
```
# Nmap 7.93 scan initiated Sun May 14 20:30:05 2023 as: nmap -sC -sV -oN nmap/format format.htb
```
Let's visit format.htb.
Opening that redirects me to app.microblog.htb.
![](/htb/machines/retired/format/BJwUudA43.png)
Opening Microblog.:3000, we see it is a Gitea server.
![](/htb/machines/retired/format/HkInOdR43.png)
We also find a potential user, cooper
and a website which seem to
![](/htb/machines/retired/format/SkpAddANn.png)
Going back to port 80, we see a service which lets you host your own blog.
![](/htb/machines/retired/format/H1eft_CEh.png)
Let's register and try to play around with the service.
![](/htb/machines/retired/format/HJqVFdAEh.png)
Let's register a user and create a subdomain.
![](/htb/machines/retired/format/SJTGOWbHh.png)
![](/htb/machines/retired/format/S1gH_ZWS3.png)
We can add content to the page using
![](/htb/machines/retired/format/r1Iw_bZr3.png)
We can read files by creating new txt/header content.
We see we can control /static/(*)/(*)
and possibly inject a protocol to set pro.
![](/htb/machines/retired/format/rJRfWflSn.png)
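A mitigation sketch for the `/static/(*)/(*)` issue noted above, as an added example that is not code from the box or from the original write-up: both path captures are checked against allowlists before they are used to build an upstream URL. The suffix `assets.internal.example`, the function name `build_upstream` and the sample paths are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: hypothetical internal suffix for per-bucket upstream hosts.
UPSTREAM_SUFFIX = "assets.internal.example"

# Bucket must be a single DNS label: no ':', '/', '@', '.', or whitespace.
BUCKET_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Object key: plain path segments separated by single slashes.
OBJECT_RE = re.compile(r"[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*")


def build_upstream(request_path):
    """Map /static/<bucket>/<object> to an upstream URL, or return None.

    Both captures are client-controlled. Each is percent-decoded once and
    matched in full against an allowlist, so a value cannot change the
    scheme or host of the upstream, and cannot walk directories.
    """
    prefix = "/static/"
    if not request_path.startswith(prefix):
        return None
    raw_bucket, sep, raw_obj = request_path[len(prefix):].partition("/")
    if not sep:
        return None
    bucket, obj = unquote(raw_bucket), unquote(raw_obj)
    if not BUCKET_RE.fullmatch(bucket):
        return None
    if not OBJECT_RE.fullmatch(obj):
        return None
    if any(seg in (".", "..") for seg in obj.split("/")):
        return None
    return f"http://{bucket}.{UPSTREAM_SUFFIX}/{obj}"


# Constructed sample paths (not taken from the box).
SAMPLES = [
    "/static/css/health.txt",      # accepted
    "/static/unix:/y",             # scheme-like bucket, rejected
    "/static/css/%2e%2e/secret",   # encoded traversal, rejected
    "/static/css/%252e%252e/x",    # double-encoded, rejected ('%' remains)
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path, "->", build_upstream(path))
```

In a reverse proxy, the equivalent fix is to tighten the location regex to the same character classes, so the captured groups can never carry anything but a host label and a plain object path.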
Getting Pro
Using the sock we can write to socket ref
![](/htb/machines/retired/format/Bk62zbgrn.png)
We can upload an image to get the uploads path.
![](/htb/machines/retired/format/SJQf7WlS3.png)
So, going back to the code, we see
![](/htb/machines/retired/format/B1lokWeB3.png)
Let's write to uploads, as it has 700, so www-data can write and execute that file.
![](/htb/machines/retired/format/HJLc0llH2.png)
RCE:
![](/htb/machines/retired/format/Byri0lxr3.png)
And we get a shell as www-data.
![](/htb/machines/retired/format/BJySfbeS2.png)
From Redis I get the password zooperdoopercooper.
![](/htb/machines/retired/format/r1wFZWxSn.png)
User -> Root
![](/htb/machines/retired/format/SypPxzeH2.png)
And we get root with that password: unCR4ckaBL3Pa$$w0rd