HackTheBox - Seventeen

THIS IS AN UNINTENDED WAY, which was patched later on.

Possible Exploit: https://www.exploit-db.com/exploits/50726
Checking the admin login page, we get "Admin Login Disabled".

Let's try to register using the internal endpoint.

Register User

Verify Login

Login on the page

Uploading a PHP reverse shell as the avatar, we get a shell as www-data inside the Docker container.

username: dev_oretnom

password: 5da283a2d990e8d8512cf967df5bc0d0

└─$ sshpass -p '2020bestyearofmylife' ssh mark@seventeen.htb

Privilege Escalation

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/seventeen/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.