HTB — BigBang
Web | Medium | Linux

WordPress BuddyForms plugin SSRF for local file read. Grafana SQLite injection for credentials. Telescope log viewer arbitrary file read for root key.

January 26, 2025 | HackTheBox
#WordPress #SSRF #Grafana #SQLite Injection
nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.52
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-26 01:56 EST
Nmap scan report for 10.10.11.52
Host is up (0.030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
|_  256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   27.11 ms 10.10.14.1
2   27.23 ms 10.10.11.52

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.46 seconds
```

```sh
sudo nmap -sU -sV -sC -p U:161,22,110,143,993,995 10.10.11.52
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-26 02:01 EST
Nmap scan report for 10.10.11.52
Host is up (0.020s latency).

PORT    STATE  SERVICE VERSION
22/udp  closed ssh
110/udp closed pop3
143/udp closed imap
161/udp closed snmp
993/udp closed imaps
995/udp closed pop3s
```

vhost fuzzing
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://bigbang.htb/ -H 'Host: FUZZ.bigbang.htb' -fw 20

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://bigbang.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.bigbang.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 20
________________________________________________

blog                    [Status: 200, Size: 211716, Words: 9680, Lines: 2396, Duration: 498ms]
:: Progress: [4989/4989] :: Job [1/1] :: 1562 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
```

```sh
[+] root
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] shawking
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```
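Both enumeration steps above leave a distinctive trace in the web server's access log: the ffuf run sends thousands of requests whose only variation is the Host header, and the "Author Id Brute Forcing - Author Pattern" check in the user-enumeration output works by requesting `/?author=N` for increasing N and reading the author slug from the resulting redirect to `/author/<name>/`. The script below is an added example of how a defender could flag both patterns from the log; it is not part of the original writeup. It assumes a custom Apache LogFormat that prepends the requested Host header to each line (not the box's actual configuration), a known-vhost allowlist and alert thresholds that are placeholders, and the log lines themselves are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Assumed LogFormat "%{Host}i %h %t \"%r\" %>s" (an assumption, not the page's config).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

# Placeholder allowlist of vhosts this server is meant to answer for.
KNOWN_VHOSTS = {"bigbang.htb", "blog.bigbang.htb"}

# Constructed sample log: one client fuzzing Host headers, then walking author IDs;
# a second client doing ordinary browsing.
SAMPLE_LOG = """\
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:10:01 -0500] "GET / HTTP/1.1" 200
www.bigbang.htb 10.10.14.5 [26/Jan/2025:02:10:01 -0500] "GET / HTTP/1.1" 301
mail.bigbang.htb 10.10.14.5 [26/Jan/2025:02:10:01 -0500] "GET / HTTP/1.1" 301
dev.bigbang.htb 10.10.14.5 [26/Jan/2025:02:10:02 -0500] "GET / HTTP/1.1" 301
api.bigbang.htb 10.10.14.5 [26/Jan/2025:02:10:02 -0500] "GET / HTTP/1.1" 301
staging.bigbang.htb 10.10.14.5 [26/Jan/2025:02:10:02 -0500] "GET / HTTP/1.1" 301
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:10 -0500] "GET /?author=1 HTTP/1.1" 301
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:10 -0500] "GET /author/root/ HTTP/1.1" 200
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:10 -0500] "GET /?author=2 HTTP/1.1" 301
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:10 -0500] "GET /author/shawking/ HTTP/1.1" 200
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:11 -0500] "GET /?author=3 HTTP/1.1" 404
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:11 -0500] "GET /?author=4 HTTP/1.1" 404
blog.bigbang.htb 10.10.14.5 [26/Jan/2025:02:15:11 -0500] "GET /?author=5 HTTP/1.1" 404
blog.bigbang.htb 10.10.14.23 [26/Jan/2025:02:20:00 -0500] "GET /2024/hello-world/ HTTP/1.1" 200
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_vhost_fuzzing(lines: List[str], known: set, threshold: int = 5) -> Dict[str, List[str]]:
    """Return {client_ip: [unknown hosts]} for clients that asked for at least
    `threshold` distinct Host values the server is not configured to serve."""
    unknown_by_ip: Dict[str, set] = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["host"].lower() not in known:
            unknown_by_ip[rec["ip"]].add(rec["host"].lower())
    return {ip: sorted(hosts) for ip, hosts in unknown_by_ip.items() if len(hosts) >= threshold}


def detect_author_enum(lines: List[str], threshold: int = 3) -> Dict[str, List[int]]:
    """Return {client_ip: [author ids]} for clients that probed at least `threshold`
    distinct numeric ?author= values (the WordPress author-ID enumeration pattern)."""
    ids_by_ip: Dict[str, set] = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        params = parse_qs(urlparse(rec["target"]).query)
        for value in params.get("author", []):
            if value.isdigit():
                ids_by_ip[rec["ip"]].add(int(value))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= threshold}


def report(log_text: str) -> dict:
    """Run both detectors over a log and return their findings together."""
    lines = log_text.splitlines()
    return {
        "vhost_fuzzing": detect_vhost_fuzzing(lines, KNOWN_VHOSTS),
        "author_enumeration": detect_author_enum(lines),
    }


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG).items():
        for ip, items in hits.items():
            print(f"{kind}: {ip} -> {items}")
```

Two mitigations follow directly from what the detectors key on: answering unknown Host values with a default vhost that returns a fixed 4xx (so fuzzing yields nothing distinguishable), and disabling the `?author=N` redirect or author archives so user IDs no longer map to login names.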