# External Enum

## nmap

- `ping` test ![[images/Pasted image 20260215143909.png]]
- `nmap` scans ![[images/Pasted image 20260215144030.png]]

## Basic Web Enum

- view page ![[images/Pasted image 20260215144319.png]]
- built from a `w3layouts` template ![[images/Pasted image 20260215144608.png]]
    - there may be exploits for this
- `contact.html` has a form ![[images/Pasted image 20260215144402.png]]
- `about.html` has three names ![[images/Pasted image 20260215144308.png]]
    - suzan lois, dora caelan, rose alpha
    - might be worth doing some directory fuzzing
- looks like `tomcat` is in the mix, but port 8080 redirects to 80 according to the `nmap` scan

# Internal Enum as `htb-student`

- `ssh` into the target with the given creds `htb-student:Academy_LLPE!`
- create a local `creds` file ![[images/Pasted image 20260215143841.png]]
- light internal enum ![[images/Pasted image 20260215145040.png]]
    - we are not part of any extra groups
    - we do not have `sudo` privs
    - OS = 20.04.1 LTS (Focal Fossa)
    - kernel = 5.4.0-45-generic
    - NOTE: `CVE-2022-0847` (Dirty Pipe) does not apply here: the bug was introduced in kernel 5.8 and fixed in 5.16.11, 5.15.25 and 5.10.102, so a 5.4.0-45 kernel is outside the affected window
- check `sudo` version ![[images/Pasted image 20260215150747.png]]
    - NOTE: this box is vulnerable to `CVE-2021-3156` (Baron Samedit)
    - the version string alone is not conclusive on Ubuntu, which backports fixes without bumping the version; the advisory's `sudoedit -s /` test as the unprivileged user settles it (an error about `/` not being a regular file means vulnerable, a usage message means patched)
- navigate around the home dir
    - there's flag1
- look for users with login shells ![[images/Pasted image 20260215145341.png]]
    - there are a few other users here: `tomcat`, `barry`, and the creator of the box
- check `$PATH` and env vars ![[images/Pasted image 20260215145502.png]]

## Files, Dirs, etc.
- Hidden files ![[images/Pasted image 20260215145741.png]]
- Hidden dirs ![[images/Pasted image 20260215145749.png]]
- Scripts ![[images/Pasted image 20260215145834.png]]
- Temp files ![[images/Pasted image 20260215145857.png]]
    - cannot read any of these
- mounted and unmounted fs > nothing too interesting ![[images/Pasted image 20260215150014.png]]
- world-writable files ![[images/Pasted image 20260215151637.png]]
- world-writable dirs ![[images/Pasted image 20260215151919.png]]

## Users

- Enum logged-on users and recent logins ![[images/Pasted image 20260215150119.png]]

## Command History

- `history` command ![[images/Pasted image 20260215150228.png]]
- check out `/var/www` ![[images/Pasted image 20260215150251.png]]
    - looks like there is a subdomain `blog.inlanefreight.local`
- `/var/www/html` does not have much to offer ![[images/Pasted image 20260215150428.png]]
- `/var/www/blog.inlanefreight.local` has a treasure trove ![[images/Pasted image 20260215150504.png]]
    - but it is unreadable by the current user

## SUID and SGID Enum

- Identify SUID bins ![[images/Pasted image 20260215151245.png]]
- Identify SGID bins ![[images/Pasted image 20260215151253.png]]

## Screen Enum

- Looks like we have another vuln ![[images/Pasted image 20260215151719.png]]
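Added example, not code from the HTB module or from these notes: a POSIX shell helper that turns the kernel and `sudo` version judgements above into repeatable range checks (so a kernel like 5.4.0-45 is not mistaken for a Dirty Pipe target) and bundles the login-shell, SUID/SGID and world-writable enumeration from the sections above into one `--live` run. The version windows are the upstream advisory ranges: sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 for CVE-2021-3156; kernel 5.8 up to the 5.10.102, 5.15.25 and 5.16.11 fixes for CVE-2022-0847. The function names, the `--live` flag and the sample `/etc/passwd` lines in the comments are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the HTB module or these notes).
# Ranges below are the upstream advisory ranges. Ubuntu backports fixes
# without bumping the version string, so "in range" means "test it",
# not "proven vulnerable".

# vfield VERSION N: the N-th dotted field of VERSION as a plain integer (0 if absent).
# A trailing dot is appended so cut always sees a delimiter, even for "5".
vfield() {
    printf '%s.\n' "$1" | cut -d. -f"$2" | sed -e 's/[^0-9].*//' -e 's/^$/0/'
}

# vercmp A B: print -1, 0 or 1 after comparing up to four dotted numeric fields.
vercmp() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# in_range V LOW HIGH: success if LOW <= V <= HIGH.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# sudo_cve_2021_3156_range VERSION: success if VERSION (e.g. "1.8.31p2") falls in
# the Baron Samedit ranges 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1. The "pN" patch
# level becomes a fourth field so that 1.9.5p2 (the fix) is excluded.
# The conclusive test is still the advisory's `sudoedit -s /` run by hand.
sudo_cve_2021_3156_range() {
    v=$(printf '%s' "$1" | sed 's/p/./')
    in_range "$v" 1.8.2 1.8.31.2 || in_range "$v" 1.9.0 1.9.5.1
}

# kernel_cve_2022_0847_range UNAME_R: success if the kernel is inside the Dirty Pipe
# window: 5.8 up to (not including) 5.10.102, all of 5.11..5.14, 5.15 before .25,
# 5.16 before .11. A 5.4 kernel, as on this box, fails the first check.
kernel_cve_2022_0847_range() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "5.4.0-45-generic" -> "5.4.0"
    [ "$(vercmp "$v" 5.8.0)" -ge 0 ] || return 1
    [ "$(vercmp "$v" 5.10.102)" -lt 0 ] && return 0
    in_range "$v" 5.11.0 5.15.24 && return 0
    in_range "$v" 5.16.0 5.16.10 && return 0
    return 1
}

# login_shell_users < /etc/passwd: account names whose shell ends in "sh",
# which keeps bash/sh/zsh and drops /usr/sbin/nologin, /bin/false, /bin/sync.
login_shell_users() {
    awk -F: '$7 ~ /sh$/ { print $1 }'
}

# live_report: the same checks against this host, mirroring the manual steps above.
live_report() {
    k=$(uname -r)
    printf 'kernel %s: ' "$k"
    kernel_cve_2022_0847_range "$k" && echo 'in CVE-2022-0847 range (test it)' || echo 'outside CVE-2022-0847 range'
    if command -v sudo >/dev/null 2>&1; then
        s=$(sudo -V 2>/dev/null | sed -n '1s/.* //p')   # "Sudo version 1.8.31" -> "1.8.31"
        printf 'sudo %s: ' "$s"
        sudo_cve_2021_3156_range "$s" && echo 'in CVE-2021-3156 range; confirm with: sudoedit -s /' || echo 'outside CVE-2021-3156 range'
    fi
    echo '--- users with a login shell ---'; login_shell_users < /etc/passwd
    echo '--- SUID binaries ---';            find / -perm -4000 -type f 2>/dev/null
    echo '--- SGID binaries ---';            find / -perm -2000 -type f 2>/dev/null
    echo '--- world-writable dirs ---';      find / -path /proc -prune -o -type d -perm -0002 -print 2>/dev/null
}

# Only touch the live system when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then live_report; fi
```

Run it on the target as `sh enum.sh --live`; source it without arguments to use the range checks on version strings copied out of screenshots or notes.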