HackTheBox - Mailroom

Initial Enumeration

nmap

# Nmap 7.93 scan initiated Sun Apr 16 05:59:57 2023 as: nmap -sC -sV -oN nmap/mailroom 10.129.59.53
Nmap scan report for mailroom.htb (10.129.59.53)
Host is up (0.26s latency).
Scanned at 2023-04-16 05:59:57 IST for 19s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 94bb2ffcaeb9b182afd789811aa76ce5 (RSA)
| ssh-rsa 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
| 256 821beb758b9630cf946e7957d9ddeca7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOZd951iwnVNWvSYmYx8ZJUf9o5yhI3zVuVAfNLLrTdhwnstMMOWcnMDyPgwfnbzDJ89BnmvHuC5k9kVJjIQJpM=
| 256 19fb45feb9e4275de5bbf35497dd68cf (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImOwXljVycTwdL6fg/kkMWPDWdO+roydyEf8CeBYu7X
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: The Mail Room
|_http-server-header: Apache/2.4.54 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 846CD0D87EB3766F77831902466D753F
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 16 06:00:16 2023 -- 1 IP address (1 host up) scanned in 19.74 seconds

Playing around with the page, we find XSS on the contact-us page.

Along with that, we find a Gitea server in our Gobuster results.

We find a staff page in the git repo.

Using the XSS, we can access the staff-review page via CSRF.

Using NoSQL injection we can trigger

For user tristan we get the password 69trisRulez!

Using the creds I can access

using the SSH tunnel and adding a regex match on host

We download a bash shell using

and execute it using the command injection

Checking the git file, I find Gitea creds for matthew

http://matthew:HueLover83%23@gitea:3000/matthew/staffroom.git

Privilege Escalation

Using strace, we get the password as !sEcUr3p4$$w01rd9 for the kdbx,

in which w01rd seems to be w0rd.

Trying !sEcUr3p4$$w0rd9, we can get access to the kdbx.

From the KeePass database we get the root password and use it to access root.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/mailroom/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.