James Cao

HackTheBox Facts Machine Walkthrough

Reconnaissance & Enumeration

Running a simple nmap command:

nmap -v -sV <MACHINE_IP>

Two simple services: http and ssh. Access the website at http://facts.htb. After some time spent on enumeration, I found /admin/login, where I checked the source and found the technology behind the app: Camaleon CMS. Found a CVE that we can leverage:

CVE-2024-46987: a Path Traversal bug in Camaleon CMS 2.8.0 < 2.8.2 (works on 2.9.0). It allows authenticated users to read sensitive server files via the MediaController. Intended for authorized security auditing and educational research only. github.com/Goultarde/CVE-2024-46987 ...

April 16, 2026 · 1 min

HackTheBox Silentium Machine Walkthrough

Reconnaissance & Enumeration

Running a simple nmap command:

nmap -v -sV <MACHINE_IP>

The server has 2 ports, http and ssh. Visiting the website, I couldn’t get anything useful; the only thing I found is 3 leadership users, which may be used to gain access through ssh.

I brute-forced the domain to see if I could get anything useful:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://silentium.htb -H "Host: FUZZ.silentium.htb" -fs 8753 > result.txt
cat result.txt | grep "Status: 200" ...

April 15, 2026 · 2 min