[macavitysworld]

• sqlpad template injection to rce to get access on docker
  
• Crack hash for user found in shadow file
  
• Get user flag
  
• admin.sightless.htb running on 8080
  
• Portforward to access the vhost
  
• Intended (xss to get credentials)
  
• (Unintended) use metasploit chrome debugger to read /home/John/automation/administration.py for credentials
  
• (Again unintended) Portforward all the larger ports, chrome debugging and check the network, if session is preserved you'll get the credentials
  
• For root; reset ftp creds, login and find database.kbd, crack the password and find ssh keys
  
• Or you can use php-fpm to read root.text or to get shell
  

[marco1337]

thanks mate, great help

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[WhiteWolf666]

• sqlpad template injection to rce to get access on docker
  
• Crack hash for user found in shadow file
  
• Get user flag
  
• admin.sightless.htb running on 8080
  
• Portforward to access the vhost
  
• Intended (xss to get credentials)
  
• (Unintended) use metasploit chrome debugger to read /home/John/automation/administration.py for credentials
  
• (Again unintended) Portforward all the larger ports, chrome debugging and check the network, if session is preserved you'll get the credentials
  
• For root; reset ftp creds, login and find database.kbd, crack the password and find ssh keys
  
• Or you can use php-fpm to read root.text or to get shell
  

For the mestasploit debugger, i get an error 404 not found, even tought froxlor is accessible with broswer on port 4445; for the xss, i guess its the one who require admin browsing in a specific place, but it seem to never happens. Could you help me?

[DeDeLaPouille]

• sqlpad template injection to rce to get access on docker
  
• Crack hash for user found in shadow file
  
• Get user flag
  
• admin.sightless.htb running on 8080
  
• Portforward to access the vhost
  
• Intended (xss to get credentials)
  
• (Unintended) use metasploit chrome debugger to read /home/John/automation/administration.py for credentials
  
• (Again unintended) Portforward all the larger ports, chrome debugging and check the network, if session is preserved you'll get the credentials
  
• For root; reset ftp creds, login and find database.kbd, crack the password and find ssh keys
  
• Or you can use php-fpm to read root.text or to get shell
  

Thanks for the tips, very usefull !!

[Detector6]

Great tips. Hash was hard to format. Any examples on hashcat or john?

---

Great tips. Hash was hard to format. Any examples on hashcat or john?

hashcat -m1800 -a 0 shadow /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

[arturspro4]

• sqlpad template injection to rce to get access on docker
  
• Crack hash for user found in shadow file
  
• Get user flag
  
• admin.sightless.htb running on 8080
  
• Portforward to access the vhost
  
• Intended (xss to get credentials)
  
• (Unintended) use metasploit chrome debugger to read /home/John/automation/administration.py for credentials
  
• (Again unintended) Portforward all the larger ports, chrome debugging and check the network, if session is preserved you'll get the credentials
  
• For root; reset ftp creds, login and find database.kbd, crack the password and find ssh keys
  
• Or you can use php-fpm to read root.text or to get shell
  

hi there im new to HTB and im learning still just a quick question how do i find admin.sightless.htb that is running on 8080 i tried fuzz/gobuster etc but i seem to not find admin and how do i discover that there is something running on port 8080 if someone could be give me tips of finding them thank you.



NVM: i went ugaa bungaa i forgot what i can do with those