It suggests messaging the administrative staff to get on the waiting list. It talks about receiving a Game-Key, which I obviously don’t have yet. Once logged in, there are a handful more pages to view. The registration link ( /register) presents another form: Trying to guess some easy passwords for just returns errors: There’s an email address, There’s also a links to login and to register for the early access beta. The HTTPS site doesn’t return anything interesting, but the HTTP site does: Given that I have a domain name, I’ll brute force for subdomains using wfuzz. There’s a domain name in the TLS certificate on 443, earlyaccess.htb. Nmap done: 1 IP address (1 host up) scanned in 19.98 secondsīased on the OpenSSH and Apache versions, the host is likely running Debian 10 Buster. Service Info: Host: 172.18.0.102 OS: Linux CPE: cpe:/o:linux:linux_kernel |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=earlyaccess.htb/organizationName=EarlyAccess Studios/stateOrProvinceName=Vienna/countryName=AT |_http-title: Did not follow redirect to Ĥ43/tcp open ssl/http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) Nmap scan report for earlyaccess.htb (10.10.11.110) Nmap finds three open TCP ports, SSH (22), HTTP (80), and HTTPS nmap -p-min-rate 10000 -oA scans/nmap-alltcp 10.10.11.110 In Beyond root, looking at a couple unintended paths. Finally, I’ll abuse capabilities on arp to get read as root, the flag, and the root SSH key. From there its back into another docker container, where I’ll crash the container to get execution and shell as root, getting access to the shadow file and a password for the host. I’ll abuse an API to leak another password to get onto the host. From the dev site I’ll find a command injection to get a shell in the website’s docker container. ![]() I’ll need multiple exploits including XSS and second order SQLI to get admin on the signup site, abuse that to move the the game site, and from there to the dev site. It’s the box of a game company, with fantastic marketing on their front page for a game that turns out to be snake. When it comes to telling a story, EarlyAccess might be my favorite box on HackTheBox.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |