HTB Sense Write-up

Illusions or firewall, we’ll break ’em all!!

Abstract

This box is all about deep website enumeration and finding the correct CVE. We start off with very little information about any of the services running on the box, gradually enumerate almost everything and, by piecing together vital pieces of information, finally get a foothold. The funny thing is, the foothold itself is root, so there is no need for lateral movement or privilege escalation (yeet!)

Enumeration

As always, we start with an nmap scan:

changelog.txt
system-users.txt

Exploitation

Let’s try to understand what causes an RCE in the application. I found an amazing explanation here; I’ll explain it here too.

43560.py

Escalation

It is obvious from the ‘#’ symbol that we already have root access:

1337root1337

Conclusion

This box was rather smooth sailing, but the amount of brute-forcing needed to find files on the website was huge. This teaches that you should leave no stone unturned while doing enumeration. Overall, a very fun box that helped me a lot in building my thinking power while tackling a box. It was kinda funny that there was no Priv-Esc part. That’s why this box has more root owns than user owns on HTB lol!
