kali@kali:~/HTB/jarvis$ nmap -sC -sV -p22,80,64999 -oN jarvis 10.10.10.143
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 09:09 EST
Nmap scan report for 10.10.10.143
Host is up (0.076s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
64999/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Port 80
Potential Domains:
supersecurehotel.htb
logger.htb
Found PHP login
Looks like we need credentials, I tried logging into phpadmin with default creds, no success.
Potential SQL LFI or RFI
I have attempted LFI but to no avail, attempting SQL we find that it is vulnerable to the sleep command.
