KoTH H1 hard
target ip: 10.10.13.187 my local ip: 10.11.12.13
Targets
| server | port | service | version | txt | vuln |
|---|---|---|---|---|---|
| 1 | 80 | http | Apache httpd 2.4.41 | Server Manager | credential brute force with hydra? |
| 2 | 81 | http | nginx 1.18.0 | Store | |
| 3 | 82 | http | Apache httpd 2.4.41 | I love hills | SQL injection |
| 5 | 2222 | ssh | OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 | ||
| 4 | 8888 | http | Werkzeug httpd 0.16.0 | Application Launcher | ssh credentials given for p 2222 |
Serv 1 - 80
Credential brute force with hydra?
Serv 2 - 81
http://10.10.11.195:81/access_log/ ->
s3cr3t_area
gobuster dir -e -u http://10.10.11.195:81/s3cr3t_area/ -w <wordlist> --no-error -b 404,403 -t 50 -m GET
http://10.10.11.195:81/access_log/index.php
Serv 3 - 82
sqlmap -u "http://10.10.13.187:82/search" --data="q=grass" -H "Content-Type: application/x-www-form-urlencoded"
Serv 4 - 8888
app1
name "online file storage"
app2
name "media player"
app3
name "file sync"
app4
name "/users"
davelarkin totallysecurehuhssh -p 2222 [email protected] passwd
totallysecurehuh
We are inside docker, flag found but no way out.