Hack the Box (HTB) Machines Walkthrough Series: October

Today, we will be continuing with our series on Hack the Box machine walkthroughs. This article contains a walkthrough for an HTB machine named “October.”

HTB is an excellent platform that hosts machines belonging to multiple OSes. It offers multiple types of challenges as well. The individual can download the VPN pack to connect to the machines hosted on the HTB platform and has to solve the puzzle (simple enumeration plus pentest) in order to log into the platform.

Note: Only writeups of retired HTB machines are allowed. The machine in this article, October, is retired.

Walkthrough

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The October machine IP is 10.10.10.16.

3. We will adopt the same methodology of performing penetration testing as we have used before. Let’s start with enumeration in order to gain as much information about the machine as possible.

4. Below are the nmap scan results. Here we can see that only ports 80 and 22 are open.
<<nmap -sC -sV october 10.10.10.16>>

5. Let’s start by enumerating port 80, which gets us the below page. As you can see, the portal is backed by the October CMS.

6. Looking into known OctoberCMS exploits, we got a few hits. None of them were really interesting, but we can look into them later if we hit a wall.
<<searchsploit october>>

7. Since there is nothing much we can do, let’s start brute-forcing directories with gobuster. Below, you can see that there are some hits with interesting directories.
<<gobuster -u http://10.10.10.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20>>

8. Looking into the Backend directory, we have a login
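
Seen from the defender's side, the gobuster run in step 7 appears in the web server's access log as one client requesting many distinct nonexistent paths within a few seconds. The following is an added example, not part of the original post, that flags that pattern in combined-format access logs; the log lines, client addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line: client, timestamp, request, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_dir_bruteforce(lines, window=timedelta(seconds=10), min_misses=15):
    """Return {client_ip: peak count of distinct 404 paths inside any window}
    for clients whose peak reaches min_misses. Thresholds are assumptions."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) for 404s
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "404":
            continue              # skip unparsable lines and non-404 responses
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        q = recent[m["ip"]]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop misses older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len({p for _, p in q}))
    return {ip: n for ip, n in peak.items() if n >= min_misses}

def sample_log():
    """Constructed sample: one wordlist-style scan plus one ordinary visitor."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 312 "-" "-"'
    words = ["admin", "login", "images", "backup", "test", "old", "dev", "api",
             "cgi-bin", "private", "tmp", "uploads", "config", "db", "portal",
             "secret", "staff", "panel", "files", "docs"]
    scan = [fmt.format(ip="192.0.2.50", s=i // 10, p="/" + w, st="404")
            for i, w in enumerate(words)]
    scan.append(fmt.format(ip="192.0.2.50", s=2, p="/backend", st="302"))
    user = [fmt.format(ip="198.51.100.7", s=s, p=p, st=st)
            for s, p, st in [(1, "/", "200"), (5, "/blog", "200"),
                             (9, "/favicon.ico", "404"), (9, "/favicon.ico", "404")]]
    return scan + user

if __name__ == "__main__":
    for ip, n in find_dir_bruteforce(sample_log()).items():
        print(f"{ip}: {n} distinct 404 paths within 10 s")
```

Counting distinct paths rather than raw 404s keeps a browser that repeatedly requests one missing file, such as a favicon, from being flagged.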

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/mwAAbXMgvnY/