HTB - Pit
Basic Nmap TCP scan
Nmap command: nmap -Pn -n -sC -sV -oA scan_boxs/pit/nmap/10.10.10.241-d-scan 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.69s latency).
Not shown: 918 filtered tcp ports (no-response), 79 filtered tcp ports (host-unreach)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6fc3408f6950695a57d79c4e7b1b9496 (RSA)
| 256 c26ff8aba12083d160abcf632dc865b7 (ECDSA)
|_ 256 6b656ca692e5cc76175a2f9ae750c350 (ED25519)
80/tcp open http nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
|_http-server-header: nginx/1.14.1
9090/tcp open ssl/zeus-admin?
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after: 2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
Open TCP ports : 22,80,9090
PORT | SERVICE | PRODUCT | VERSION | EXTRAINFO |
---|---|---|---|---|
22 | ssh | OpenSSH | 8.0 | protocol 2.0 |
80 | http | nginx | 1.14.1 | |
9090 | zeus-admin | | | |
Nmap UDP scan - Top 200
Scanning for UDP ports as well:
Nmap command: nmap -Pn -n -sU -A --top-ports 200 -oA scan_boxs/pit/nmap/pit-UDP-200-scan 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.45s latency).
Not shown: 199 filtered udp ports (admin-prohibited)
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
| 1:
| Name: systemd
| 2:
| Name: kthreadd
| 3:
| Name: rcu_gp
| 4:
| Name: rcu_par_gp
| 6:
| Name: kworker/0:0H-events_highpri
| 9:
| Name: mm_percpu_wq
| 10:
| Name: ksoftirqd/0
| 11:
| Name: rcu_sched
| 12:
| Name: migration/0
| 13:
| Name: watchdog/0
| 14:
| Name: cpuhp/0
| 15:
| Name: cpuhp/1
| 16:
| Name: watchdog/1
| 17:
| Name: migration/1
| 18:
| Name: ksoftirqd/1
| 20:
| Name: kworker/1:0H-events_highpri
| 23:
| Name: kdevtmpfs
| 24:
| Name: netns
| 25:
| Name: kauditd
| 26:
| Name: khungtaskd
| 27:
| Name: oom_reaper
| 28:
| Name: writeback
| 29:
| Name: kcompactd0
| 30:
| Name: ksmd
| 31:
| Name: khugepaged
| 32:
| Name: crypto
| 33:
| Name: kintegrityd
| 34:
| Name: kblockd
| 35:
| Name: blkcg_punt_bio
| 36:
| Name: tpm_dev_wq
| 37:
| Name: md
| 38:
| Name: edac-poller
| 39:
| Name: watchdogd
| 40:
| Name: kworker/0:1H-kblockd
| 67:
| Name: kswapd0
| 160:
| Name: kthrotld
| 161:
| Name: irq/24-pciehp
| 162:
| Name: irq/25-pciehp
| 163:
| Name: irq/26-pciehp
| 164:
| Name: irq/27-pciehp
| 165:
| Name: irq/28-pciehp
| 166:
| Name: irq/29-pciehp
| 167:
| Name: irq/30-pciehp
| 168:
| Name: irq/31-pciehp
| 169:
| Name: irq/32-pciehp
| 170:
| Name: irq/33-pciehp
| 171:
| Name: irq/34-pciehp
| 172:
| Name: irq/35-pciehp
| 173:
| Name: irq/36-pciehp
| 174:
| Name: irq/37-pciehp
| 175:
| Name: irq/38-pciehp
| 176:
| Name: irq/39-pciehp
| 177:
| Name: irq/40-pciehp
| 178:
| Name: irq/41-pciehp
| 179:
| Name: irq/42-pciehp
| 180:
| Name: irq/43-pciehp
| 181:
| Name: irq/44-pciehp
| 182:
| Name: irq/45-pciehp
| 183:
| Name: irq/46-pciehp
| 184:
| Name: irq/47-pciehp
| 185:
| Name: irq/48-pciehp
| 186:
| Name: irq/49-pciehp
| 187:
| Name: irq/50-pciehp
| 188:
| Name: irq/51-pciehp
| 189:
| Name: irq/52-pciehp
| 190:
| Name: irq/53-pciehp
| 191:
| Name: irq/54-pciehp
| 192:
| Name: irq/55-pciehp
| 194:
| Name: acpi_thermal_pm
| 195:
| Name: kmpath_rdacd
| 196:
| Name: kaluad
| 198:
| Name: ipv6_addrconf
| 199:
| Name: kworker/1:1H-kblockd
| 200:
| Name: kstrp
| 522:
| Name: ata_sff
| 524:
| Name: scsi_eh_0
| 525:
| Name: scsi_tmf_0
| 526:
| Name: scsi_eh_1
| 527:
| Name: scsi_eh_2
| 528:
| Name: mpt_poll_0
| 529:
| Name: scsi_tmf_1
| 530:
| Name: mpt/0
| 531:
| Name: scsi_eh_3
| 532:
| Name: scsi_tmf_2
| 533:
| Name: scsi_tmf_3
| 535:
| Name: scsi_eh_4
| 536:
| Name: scsi_tmf_4
| 537:
| Name: scsi_eh_5
| 538:
| Name: scsi_tmf_5
| 539:
| Name: scsi_eh_6
| 540:
| Name: scsi_tmf_6
| 541:
| Name: scsi_eh_7
| 542:
| Name: scsi_tmf_7
| 543:
| Name: scsi_eh_8
| 544:
| Name: scsi_tmf_8
| 545:
| Name: scsi_eh_9
| 546:
| Name: scsi_tmf_9
| 547:
| Name: scsi_eh_10
| 548:
| Name: scsi_tmf_10
| 549:
| Name: scsi_eh_11
| 550:
| Name: scsi_tmf_11
| 551:
| Name: scsi_eh_12
| 552:
| Name: scsi_tmf_12
| 553:
| Name: scsi_eh_13
| 554:
| Name: scsi_tmf_13
| 555:
| Name: scsi_eh_14
| 556:
| Name: scsi_tmf_14
| 557:
| Name: scsi_eh_15
| 558:
| Name: scsi_tmf_15
| 559:
| Name: scsi_eh_16
| 560:
| Name: scsi_tmf_16
| 561:
| Name: scsi_eh_17
| 562:
| Name: scsi_tmf_17
| 563:
| Name: scsi_eh_18
| 564:
| Name: scsi_tmf_18
| 565:
| Name: scsi_eh_19
| 566:
| Name: irq/16-vmwgfx
| 567:
| Name: scsi_tmf_19
| 568:
| Name: ttm_swap
| 569:
| Name: scsi_eh_20
| 570:
| Name: card0-crtc0
| 571:
| Name: card0-crtc1
| 572:
| Name: scsi_tmf_20
| 573:
| Name: card0-crtc2
| 574:
| Name: scsi_eh_21
| 575:
| Name: scsi_tmf_21
| 576:
| Name: card0-crtc3
| 577:
| Name: card0-crtc4
| 578:
| Name: card0-crtc5
| 579:
| Name: card0-crtc6
| 580:
| Name: card0-crtc7
| 581:
| Name: scsi_eh_22
| 582:
| Name: scsi_tmf_22
| 584:
| Name: scsi_eh_23
| 585:
| Name: scsi_tmf_23
| 588:
| Name: scsi_eh_24
| 591:
| Name: scsi_tmf_24
| 592:
| Name: scsi_eh_25
| 593:
| Name: scsi_tmf_25
| 594:
| Name: scsi_eh_26
| 595:
| Name: scsi_tmf_26
| 596:
| Name: scsi_eh_27
| 597:
| Name: scsi_tmf_27
| 598:
| Name: scsi_eh_28
| 599:
| Name: scsi_tmf_28
| 600:
| Name: scsi_eh_29
| 601:
| Name: scsi_tmf_29
| 602:
| Name: scsi_eh_30
| 603:
| Name: scsi_tmf_30
| 604:
| Name: scsi_eh_31
| 605:
| Name: scsi_tmf_31
| 606:
| Name: scsi_eh_32
| 607:
| Name: scsi_tmf_32
| 686:
| Name: kdmflush
| 694:
| Name: kdmflush
| 720:
| Name: xfsalloc
| 721:
| Name: xfs_mru_cache
| 722:
| Name: xfs-buf/dm-0
| 723:
| Name: xfs-conv/dm-0
| 724:
| Name: xfs-cil/dm-0
| 725:
| Name: xfs-reclaim/dm-
| 726:
| Name: xfs-eofblocks/d
| 727:
| Name: xfs-log/dm-0
| 728:
| Name: xfsaild/dm-0
| 824:
| Name: systemd-journal
| 858:
| Name: systemd-udevd
| 913:
| Name: hwmon0
| 916:
| Name: kdmflush
| 927:
| Name: xfs-buf/dm-2
| 928:
| Name: xfs-conv/dm-2
| 929:
| Name: xfs-cil/dm-2
| 930:
| Name: xfs-reclaim/dm-
| 931:
| Name: xfs-eofblocks/d
| 932:
| Name: xfs-log/dm-2
| 933:
| Name: xfsaild/dm-2
| 946:
| Name: jbd2/sda1-8
| 947:
| Name: ext4-rsv-conver
| 970:
| Name: auditd
| 972:
| Name: sedispatch
| 1004:
| Name: irqbalance
| 1006:
| Name: dbus-daemon
| 1007:
| Name: polkitd
| 1010:
| Name: VGAuthService
| 1011:
| Name: vmtoolsd
| 1012:
| Name: sssd
| 1016:
| Name: chronyd
| 1024:
| Name: rngd
| 1055:
| Name: firewalld
| 1056:
| Name: sssd_be
| 1057:
| Name: sssd_nss
| 1081:
| Name: systemd-logind
| 1082:
| Name: NetworkManager
| 1098:
| Name: tuned
| 1101:
| Name: sshd
| 1120:
| Name: crond
| 1128:
| Name: agetty
| 1185:
| Name: nginx
| 1186:
| Name: nginx
| 1187:
| Name: nginx
| 1198:
| Name: mysqld
| 1482:
| Name: rsyslogd
| 1484:
| Name: snmpd
| 9535:
| Name: kworker/1:2-cgroup_destroy
| 9613:
| Name: kworker/u4:2-events_unbound
| 9728:
| Name: kworker/u4:1-xfs-cil/dm-0
| 10058:
| Name: kworker/1:4-cgroup_pidlist_destroy
| 10067:
| Name: kworker/0:0-events_power_efficient
| 10243:
| Name: kworker/0:1-cgroup_pidlist_destroy
| 10258:
| Name: kworker/0:2-cgroup_destroy
| 10261:
| Name: kworker/1:0-events
| 10364:
| Name: kworker/1:1-cgroup_destroy
| 10381:
| Name: php-fpm
| 10382:
| Name: php-fpm
| 10383:
| Name: php-fpm
| 10384:
| Name: php-fpm
| 10385:
| Name: php-fpm
| 10386:
| Name: php-fpm
| 10391:
| Name: kworker/0:3-events
| 10396:
|_ Name: kworker/1:3-cgroup_pidlist_destroy
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 4ca7e41263c5985e00000000
| snmpEngineBoots: 73
|_ snmpEngineTime: 15h10m51s
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_ System uptime: 15h10m51.65s (5465165 timeticks)
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
Service Info: Host: pit.htb
TRACEROUTE (using port 683/udp)
HOP RTT ADDRESS
1 300.74 ms 10.10.14.1
2 414.80 ms 10.10.10.241
Open UDP ports : 161
PORT | SERVICE | PRODUCT | VERSION | EXTRAINFO |
---|---|---|---|---|
161 | snmp | SNMPv1 server; net-snmp SNMPv3 server | | public |
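As an added example (not part of the original writeup), a small Python parser that turns the open-port lines of nmap's normal output, as saved by -oA, into the PORT | SERVICE | PRODUCT | VERSION | EXTRAINFO layout used above. The sample input is constructed from the scan lines on this page and covers the two awkward cases they contain: a guessed service with no version text (9090) and a product string with no version number (161).

```python
import re

# Constructed sample input: the open-port lines from the page's TCP and UDP scans.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http nginx 1.14.1
9090/tcp open ssl/zeus-admin?
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
"""

# port/proto  state  service  [free-form version text]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
VERSION_TOKEN = re.compile(r"^\d[\w.+-]*$")  # nmap version numbers start with a digit


def split_version(info):
    """Split nmap's free-form VERSION text into (product, version, extrainfo)."""
    extrainfo = ""
    m = re.search(r"\s*\(([^)]*)\)\s*$", info)  # trailing "(extra info)"
    if m:
        extrainfo = m.group(1)
        info = info[:m.start()]
    tokens = info.split()
    version = ""
    if tokens and VERSION_TOKEN.match(tokens[-1]):
        version = tokens.pop()
    return " ".join(tokens), version, extrainfo


def parse_nmap(text):
    """Return one dict per open port, skipping headers and filtered/closed ports."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue
        port, proto, _state, service, info = m.groups()
        product, version, extrainfo = split_version(info or "")
        rows.append({"port": int(port), "proto": proto, "service": service,
                     "product": product, "version": version, "extrainfo": extrainfo})
    return rows


def markdown_table(rows):
    """Render the rows in the PORT | SERVICE | PRODUCT | VERSION | EXTRAINFO layout."""
    lines = ["PORT | SERVICE | PRODUCT | VERSION | EXTRAINFO", "---|---|---|---|---"]
    for r in rows:
        lines.append(" | ".join([str(r["port"]), r["service"], r["product"],
                                 r["version"], r["extrainfo"]]))
    return "\n".join(lines)
```

Feed it the .nmap file from -oA (the same lines appear there); the table comes out with one row per open port and empty cells where nmap printed nothing.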
Enum port 80
gobuster didn't come back with much information.
Enum port 9090
The Nmap scan reveals the virtual host name dms-pit.htb, so let's add it to the hosts file.
This page reveals another virtual host name, pit.htb, which we also add to the hosts file.
gobuster had no success again.
Enum UDP port 161 - snmpwalk
It didn't find much information. Adding a dot at the end of the command, so that snmpwalk walks the whole tree from the root OID instead of the default subtree, turned up an interesting folder under /var: /var/www/html/seeddms51x/seeddms
Since the machine has multiple virtual hosts, we try accessing seeddms51x on both host names, pit.htb and dms-pit.htb. We get a 403 Forbidden response on dms-pit.htb. Requesting seeddms51x/seeddms instead returns a web page.
seeddms
SeedDMS is a free document management system. Based on the URL we accessed (seeddms51x), we assume SeedDMS is a 5.1.x version; we will enumerate further to confirm the exact version. Let's find out whether the source code is accessible.
Downloading the source code from sourceforge.net
Investigating the source
After investigating the source, the hosted machine might have a CHANGELOG file at dms-pit.htb/seeddms51x/seeddms/CHANGELOG. Requesting it returns the file below. From this we can assume the version is likely 5.1.15, the newest entry in the changelog.
--------------------------------------------------------------------------------
Changes in version 5.1.15
--------------------------------------------------------------------------------
- Improved import from file system
- HTTP Proxy for access on external extension repository can be set
- Do not use unzip in ExtensionMgr anymore
- fix version compare on info page
- allow one page mode on search page
- fix import of older extension versions from repository
--------------------------------------------------------------------------------
Changes in version 5.1.14
--------------------------------------------------------------------------------
- allow mimetype to specify documents which can be edited online
- show number of indexing tasks in progress bar
- fix comparison of last indexing time with creation date of document content
- new hooks leftContentPre and leftContentPost
- minimize sql queries when fetching sub folders and documents of a folder
- custom attributes can be validated in a hook
- document attributes comment, keywords, categories, expiration date, and sequence
can be turned off in the configuration
- workflows can be turned off completely
- Extension can be enabled/disabled in the extension manager, the previously
used method by setting a parameter in the extension's config file will no
longer work.
- clean up code for managing extensions
- fix renaming of folders via webdav
- fix list of expired documents on MyDocuments page
- pass showtree to ViewDocument (Closes: #462)
- fix upgrade script for sqlite3
Even though we found the version, we couldn't find any exploit to work with. Time to enumerate further: investigating the snmpwalk output for any tangible information.
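As an added example (not from the original writeup), a Python parser for the CHANGELOG layout above that maps each version header to its entries and picks the newest version numerically. The sample changelog is constructed and deliberately out of order, because comparing versions as strings would rank 5.1.9 above 5.1.15.

```python
import re

# Constructed sample input, in the layout of the SeedDMS CHANGELOG shown above.
CHANGELOG = """\
--------------------------------------------------------------------------------
Changes in version 5.1.15
--------------------------------------------------------------------------------
- Improved import from file system
- fix version compare on info page
--------------------------------------------------------------------------------
Changes in version 5.1.9
--------------------------------------------------------------------------------
- an older fix
--------------------------------------------------------------------------------
Changes in version 5.1.14
--------------------------------------------------------------------------------
- document attributes comment, keywords, categories, expiration date, and sequence
  can be turned off in the configuration
"""

VERSION_HEADER = re.compile(r"^Changes in version (\d+(?:\.\d+)+)$")


def version_key(version):
    """Numeric tuple so that 5.1.15 sorts above 5.1.9 (string order gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def parse_changelog(text):
    """Map each version header to the list of change entries beneath it."""
    changes, current = {}, None
    for line in text.splitlines():
        m = VERSION_HEADER.match(line.strip())
        if m:
            current = m.group(1)
            changes.setdefault(current, [])
        elif current and line.startswith("- "):
            changes[current].append(line[2:].strip())
        elif current and line.startswith("  ") and changes[current]:
            changes[current][-1] += " " + line.strip()  # indented continuation line
    return changes


def newest_version(changes):
    """The highest version listed, which is the best guess for the deployed release."""
    return max(changes, key=version_key)
```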