Sql on s4yhii's blog https://blog.s4yhii.com/tags/sql/ Recent content in Sql on s4yhii's blog s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Sat, 24 Jul 2021 12:00:00 -0400 HackTheBox Armageddon https://blog.s4yhii.com/posts/2021-07-24-armageddon-htb/ Sat, 24 Jul 2021 12:00:00 -0400 https://blog.s4yhii.com/posts/2021-07-24-armageddon-htb/ <hr> <p><strong>Machine IP</strong> : 10.10.10.233</p> <p><strong>DATE</strong> : 24/07/2021</p> <hr> <h2 id="matriz-de-la-maquina">Matriz de la maquina</h2> <p>Esta matriz nos muestra las características de explotación de la maquina.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/armageddon/matrix.png"></p> <h2 id="reconocimiento">Reconocimiento</h2> <p>Primero hacemos un escaneo de puertos para saber cuales están abiertos y conocer sus servicios correspondientes.</p> <h2 id="nmap">Nmap</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>s4yhii㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -p22,80 -sC -sV -n 10.10.10.233 </span></span><span class="line"><span class="cl">Starting Nmap 7.91 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2021-06-16 05:46 EDT </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.10.233 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.11s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 7.4 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.6 <span class="o">((</span>CentOS<span class="o">)</span> PHP/5.4.16<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Drupal <span class="m">7</span> <span class="o">(</span>http://drupal.org<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">36</span> disallowed entries <span class="o">(</span><span class="m">15</span> shown<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> /includes/ /misc/ /modules/ /profiles/ /scripts/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt </span></span><span class="line"><span class="cl"><span class="p">|</span>_/LICENSE.txt /MAINTAINERS.txt </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.6 <span class="o">(</span>CentOS<span class="o">)</span> PHP/5.4.16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Welcome to Armageddon <span class="p">|</span> Armageddon </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 12.12 seconds </span></span></code></pre></div><p>Como podemos obervar tenemos 2 puertos abiertos, el 80 con el servicio http y el 22 ssh, como vemos cuenta con el archivo robots.txt y otros más interesantes, procederemos a inspeccionar en la web.</p>