# TAKEAWAYS

- Add vhosts to `/etc/hosts` ASAP
- This is way beyond me right now

---

# BLUF

- xxx

---

# Discover Ports & Services

- `ping` test
- `nmap` scan - light
![[images/Pasted image 20260320182322.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260320182504.png]]
    - Two SSH servers?
    - add `craft.htb` to `/etc/hosts`
- `nmap` scan - UDP
![[images/Pasted image 20260320183942.png]]

---

# Service Enum

## Port 6022 (SSH): Golang x/crypto/ssh server (protocol 2.0)

- We need to enumerate the version
- `telnet` and `nc` aren't showing much
![[images/Pasted image 20260320184016.png]]
![[images/Pasted image 20260320184021.png]]
- Try with `ssh`
![[images/Pasted image 20260320190327.png]]
- CVE-2024-45337 highlighted a vulnerability where misuse of `PublicKeyCallback` can lead to an auth bypass
    - POC here: [CVE-2024-45337](https://github.com/NHAS/CVE-2024-45337-POC)
    - run `sudo go build -buildvcs=false`
![[images/Pasted image 20260320184814.png]]
    - run exploit > failure; looks like we need to supply a pubkey
![[images/Pasted image 20260320185215.png]]
    - create an ed25519 key pair and run again > still nothing
![[images/Pasted image 20260320185833.png]]

## Port 443 (HTTPS): nginx 1.15.8

## `craft.htb`

- Visit page
![[images/Pasted image 20260320182714.png]]
- View source
    - Mousing around we see `api.craft.htb/api` and `gogs.craft.htb`
    - Neither button works
- Check for `robots.txt` and `sitemap.xml` > nothing
- Check `index.html` and `index.php` > nothing
- Run `whatweb`
![[images/Pasted image 20260320183115.png]]
- View certificate
![[images/Pasted image 20260320193707.png]]
- Web fuzzing
    - directory: `craft.htb`
        - raft-medium > nothing; quite slow
        - 2.3-medium
    - vhost
        - 5000 > nothing
        - 20000 > nothing
    - subdomain
        - 5000 > nothing
        - 20000

## `api.craft.htb`

- visit page
![[images/Pasted image 20260320195848.png]]
- `api.craft.htb/api/auth/login` shows a basic auth dialog
- try to brute force the login > give up on this

```bash
hydra -l dinesh -P /opt/rockyou.txt api.craft.htb https-get /api/auth/login -s 443
```

- directory web fuzzing
    - raft-medium
    - 2.3-medium

## `gogs.craft.htb`

- visit page
![[images/Pasted image 20260320194426.png]]
- Note: Gogs version 0.11.86.0130
- some potential vulns
![[images/Pasted image 20260320194532.png]]
    - SQLi
![[images/Pasted image 20260320194827.png]]
    - copy the POST request into a `req.txt` file to use with `sqlmap`
    - maybe this is a no-go due to the CSRF token
![[images/Pasted image 20260320195220.png]]
- go to explore > we see a repo
![[images/Pasted image 20260320201006.png]]
    - we find dinesh's password under `test/test.py`
    - `craft_api/api/brew/endpoints/brew.py` passes the `abv` parameter straight to an `eval` call, which may lead to RCE

---

# Foothold

> Port xxx: service/web_page

- xxx

---

# Privesc

- xxx
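The `eval` on the `abv` parameter noted under `gogs.craft.htb` above, as an added example that is not code from the Craft box's repo: a constructed stand-in for that pattern beside a hardened parser that accepts only a bounded decimal. The function names, the JSON payloads and the `abv < 1` rule are assumptions made for this illustration.

```python
# Added example (not the box's brew.py): the risky eval() shape next to a
# hardened replacement. Names, payloads and the "abv < 1" rule are constructed.
import json
from decimal import Decimal, InvalidOperation


def vulnerable_abv_check(payload: str) -> bool:
    """Mirrors the risky pattern: the untrusted `abv` string is handed to eval().
    eval() is an expression evaluator, not a number parser, so anything that is
    a valid Python expression runs server-side. Deliberately unsafe, for contrast."""
    data = json.loads(payload)
    return eval(data["abv"]) < 1


def parse_abv(raw) -> Decimal:
    """Hardened parser: only a finite numeric literal in a plausible ABV range.
    Decimal() never evaluates code, so expressions and calls are refused."""
    if isinstance(raw, bool) or not isinstance(raw, (str, int, float)):
        raise ValueError("abv must be a number")
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError("abv is not numeric") from None
    # Check finiteness first: comparing a NaN Decimal would itself raise.
    if not value.is_finite() or not (Decimal("0") <= value <= Decimal("1")):
        raise ValueError("abv must be between 0 and 1")
    return value


def safe_abv_check(payload: str) -> bool:
    """Same business rule (ABV below 1) without eval()."""
    data = json.loads(payload)
    return parse_abv(data["abv"]) < 1


def abv_rejected(raw) -> bool:
    """True when the hardened parser refuses `raw` (handy for detection tests)."""
    try:
        parse_abv(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # "1 - 0.9" is not a number, yet the eval() version accepts it as one.
    print(vulnerable_abv_check('{"abv": "1 - 0.9"}'), abv_rejected("1 - 0.9"))
```

The hardened variant answers the same question as the original check, but an input that is an expression rather than a literal is rejected before anything is evaluated.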