
On 3000, there’s an instance of Rocket Chat:

🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_talkative_htb-1661184777.state.
🏁 Press to use the Scan Management Menu™
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

I’ll run wfuzz to look for any subdomains, but it doesn’t find

feroxbuster -u -x php

Based on the Apache version, the host is likely running Ubuntu 22.04 jammy. There’s one Apache (80), three Tornado (8080, 8081, and 8082), and something that looks HTTP-ish on 3000. Tornado is a Python-based web framework built around Python’s asynchronous methods. Nmap shows that on 80, there’s a redirect to.

Nmap done: 1 IP address (1 host up) scanned in 20.73 seconds
If you know the service/version, please submit the following fingerprint at : |
Talkative is about hacking a communications platform. I’ll start by abusing the built-in R scripter in jamovi to get execution and shell in a docker container. There I’ll find creds for the Bolt CMS instance, and use those to log into the admin panel and edit a template to get code execution in the next container.
