Snoopy starts off with a website that has a file read / directory traversal vulnerability. I'll use that to read a bind DNS configuration, and leak the keys necessary to make changes to the configuration. Once that's updated, I can direct password reset emails for accounts on snoopy.htb to my server, and get access to a MatterMost instance. In there, I'll abuse a slash command intended to provision servers to have it connect to my SSH honeypot, and use those creds to get on the box. The next two steps both involve CVEs that didn't have public exploits or even much documentation at the time Snoopy released. First I'll exploit a CVE in git for how the apply command allows overwriting arbitrary files. Then I'll exploit an XXE vulnerability in ClamAV's clamscan utility to read root's SSH key. In Beyond Root, I'll reconfigure the box back before a patch from HackTheBox and show two unintended exploits that no longer work.

|_http-title: SnoopySec Bootstrap Template - Index

Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 15.55 seconds

Based on the OpenSSH and Bind versions, the host is likely running Ubuntu 22.04 jammy.

The site is for a security

feroxbuster -u -x php,html -C 400,502 --no-recursion --dont-extract-links

Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

Config File │ /etc/feroxbuster/ferox-config.toml

Press to use the Scan Management Menu™

──────────────────────────────────────────────────

404 GET 1l 3w 16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter

404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter