Reconnaissance
Run nmap to scan the target.
# Nmap 7.91 scan initiated Mon Feb 22 22:01:04 2021 as: nmap -sC -sV -Pn -O -A -T4 -oN nmap.txt 10.10.10.146
Nmap scan report for 10.10.10.146
Host is up (0.045s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 5.1 (92%), Linux 3.2 - 4.9 (91%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 4.10 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Asus RT-AC66U WAP (90%), Linux 3.10 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 45.35 ms 10.10.14.1
2 47.92 ms 10.10.10.146
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 22 22:01:24 2021 -- 1 IP address (1 host up) scanned in 20.29 seconds
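The scan report above is the kind of output a defender wants in structured form (an exposure inventory of open ports, service banners and host keys rather than a text dump). The following parser for nmap's normal (-oN) output is an added example written for this page; it is not part of the original writeup and not an nmap-provided tool. The SAMPLE_NMAP excerpt is a constructed copy of the shape of the report shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the nmap -oN report above (same host and ports).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.146
Host is up (0.045s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
443/tcp closed https
"""

# "22/tcp open ssh OpenSSH 7.4 (protocol 2.0)" -> port, proto, state, service, version (optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output attached to this port


def parse_nmap_normal(text):
    """Parse nmap -oN text into one PortRecord per port line.

    Lines starting with '|' or '|_' are NSE script output and are attached to the
    port that precedes them (e.g. ssh-hostkey fingerprints, http-server-header).
    """
    records = []
    host = None
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            current = None
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortRecord(
                host=host,
                port=int(m.group(1)),
                proto=m.group(2),
                state=m.group(3),
                service=m.group(4),
                version=(m.group(5) or "").strip(),
            )
            records.append(current)
            continue
        if line.startswith("|") and current is not None:
            current.script_lines.append(line.lstrip("|_ ").rstrip())
    return records


def open_services(records):
    """Return (port, service, version) for every open port: the host's exposed surface."""
    return [(r.port, r.service, r.version) for r in records if r.state == "open"]


if __name__ == "__main__":
    recs = parse_nmap_normal(SAMPLE_NMAP)
    for port, service, version in open_services(recs):
        print(f"{port:>5} {service:<6} {version}")
```

Feeding the real nmap.txt from the scan above through parse_nmap_normal gives the same two open services (22/ssh and 80/http) with their banners; the closed 443/tcp entry is kept but excluded by open_services.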
Enumeration
Start enumeration at port 80; the following text is shown in the browser.
Look at the source code and observe an interesting comment.
The comment might give a hint of hidden pages, so do some directory scanning with gobuster. Since the nmap report reveals that this is an Apache server, the possible file extensions could be .php, .html and .txt.
$ gobuster dir -u http://10.10.10.146 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -o gobuster.txt
The scan result is as follows; some interesting paths are in bold.
/.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status…
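From the server's side, a gobuster run like the one above leaves a very recognisable trace in the Apache access log: one client, many requests in a few seconds, almost all answered with 403 or 404 (the .hta* hits are 403 because the default httpd configuration denies access to those files). The following detector is an added example written for this page, not code from the original writeup or from the gobuster project; the SAMPLE_LOG lines are constructed to mimic the combined log format for the paths listed above, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (what httpd writes by default on CentOS).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walking the same dot-file paths the scan above hit,
# plus an unrelated client with ordinary traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [22/Feb/2021:22:05:01 +0000] "GET /.hta HTTP/1.1" 403 211 "-" "gobuster/3.1.0"
10.10.14.5 - - [22/Feb/2021:22:05:01 +0000] "GET /.hta.php HTTP/1.1" 403 211 "-" "gobuster/3.1.0"
10.10.14.5 - - [22/Feb/2021:22:05:02 +0000] "GET /.hta.html HTTP/1.1" 403 211 "-" "gobuster/3.1.0"
10.10.14.5 - - [22/Feb/2021:22:05:02 +0000] "GET /.hta.txt HTTP/1.1" 403 211 "-" "gobuster/3.1.0"
10.10.14.5 - - [22/Feb/2021:22:05:03 +0000] "GET /.htaccess HTTP/1.1" 403 211 "-" "gobuster/3.1.0"
10.10.14.5 - - [22/Feb/2021:22:05:03 +0000] "GET /.htaccess.html HTTP/1.1" 403 211 "-" "gobuster/3.1.0"
10.10.14.9 - - [22/Feb/2021:22:05:02 +0000] "GET /index.php HTTP/1.1" 200 229 "-" "Mozilla/5.0"
10.10.14.9 - - [22/Feb/2021:22:05:04 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Flag source IPs that produce >= threshold 403/404 responses inside one sliding window.

    For each IP the largest qualifying window is reported, with the number of
    distinct paths (a scanner touches many different paths; a broken link on a
    normal page produces repeated 404s on the same path).
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404):
            failures[rec["ip"]].append((rec["ts"], rec["path"], rec["ua"]))

    alerts = []
    for ip, evs in failures.items():
        evs.sort()
        best = None  # (start, end) indices of the densest window over threshold
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[1] - best[0] + 1):
                best = (start, end)
        if best is not None:
            burst = evs[best[0]:best[1] + 1]
            alerts.append({
                "ip": ip,
                "count": len(burst),
                "distinct_paths": len({p for _, p, _ in burst}),
                "first": burst[0][0],
                "user_agents": sorted({u for _, _, u in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dir_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The User-Agent is reported but deliberately not used as the trigger, since it is trivially changed by the client; the request rate and the spread of distinct failing paths are what separate a scan from ordinary traffic. Running this over a real access_log (for example with `detect_dir_bruteforce(open("/var/log/httpd/access_log"))`) produces one alert per offending source IP.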