Hello everyone, Heath Adams here, aka maverick, and this week's retiring machine is TartarSauce, which is full of rabbit holes. With a rating of 6.2 out of 10, it's not really the most difficult machine on Hack The Box, but it is a little more complex, in my opinion, than a 30-point machine. Either way, we're gonna have to use web exploits this week, including remote file inclusion, we're going to do some HR user escalation, and finally we're going to take advantage of a systemd timer to get our root flag. So let's take a look at what that looks like.
So let's start by taking a look at the nmap scan here. The only thing that came back on nmap is port 80, so we've got a web service running that looks like it's.
Thing I notice here is we've got a bunch of web services running: we've got discharged service here, we've got Monstra, we've got easy file uploader, developmental, phpMyAdmin, OK, and we also don't have any other port. Now, unless there's ports open on UDP or there's some sort of port knocking going on, it's very likely that we're gonna have to do some sort of remote code execution and get a shell.
My background I can look at some of these things, like phpMyAdmin and this Monstra, and know immediately that there are exploits for.
Is just doing it repeatedly, having a lot of experience with these CTF-type machines. Now, I will tell you that these are giant rabbit holes. I explored these to their depths and they produced nothing. A lot of these here are dead ends to begin with. I've sat there and hunted for extra pages, and while they might be there, I eventually gave up and stopped digging. This Monstra was one that had a page to start and really didn't lead anywhere.
So let's talk about the use a little bit more, but let's go ahead first, I just want to show you what the initial port 80 looked like. So it's just this "welcome to TartarSauce," and you look at it here and it's just a bottle of tartar sauce. I mean, there's nothing here. If you view the page source, again you just get to see the pretty bottle of tartar sauce and then a little bit of trolling: "carry on, nothing to see here." So, at least on the main webpage, nothing, and like I said, I explored all these things here.
All these web services also led to nothing. So, at my wit's end, I just decided, I'm looking at this here, right, and we see web service, so, web services, web services, OK. So what if we do dirb on the web services directory and see if we're missing something that wasn't in the robots.txt? Because this is just a giant misdirection, right? They want us to find these to waste our time here and go down the rabbit hole. Instead, we need to find what we're really looking for.
So if we come over to this tab, I did run a dirb on the web services directory, and something popped up almost immediately, which is WP, WordPress, and we've got all kinds of WordPress pages here. But we don't really need to enumerate those that much. If we look at it, we can actually just target this WP here with a specific tool; we'll get into that in a second. We can go out to this WordPress page.