Before starting any HTB Box, please be sure that you have your HTB VPN turned on. Unlike me, you won't have to waste 2hrs scanning ports using nmap and bust your head thinking that is this box protected by some kind of magical firewall xD.
Initial Enumeration
Nmap scan for basic ports
# Nmap 7.70 scan initiated Thu Jul 4 19:01:39 2019 as: nmap -oN T-common 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
# Nmap done at Thu Jul 4 19:01:42 2019 -- 1 IP address (1 host up) scanned in 3.01 seconds
Detailed scan of the open ports
# Nmap 7.70 scan initiated Thu Jul 4 19:02:04 2019 as: nmap -sV -sC -p 80,2222 -oN O-Detailed 10.10.10.56
Nmap scan report for 10.10.10.56
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 4 19:02:18 2019 -- 1 IP address (1 host up) scanned in 14.65 seconds
Peculiar thing to note is that the SSH port has been moved to 2222 rather than the usual 22
User Own
Running dirb on the http server first got us a directory, cgi-bin, and running dirb again fetched us a file named user.sh
The file displayed uptime information of the server. After some research and going by the name of the box I was very positive that this may involve shellshocking.
