HTB : SecNotes

Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.

WEB Enumeration

Run a gobuster scan to find for hidden directories.

Port 8808

Port 80

Tried SQLi on the login page but there wasn’t any success. Decided to create an account to look through the system.

After some trial and error exploring the “Change Password” and “Contact Us” page, I decided to try SQL injections on the sign up page.

Use the following payload = test' or 1=1-- -

And we get access.

We find the tyler account and the password.
tyler / 92g!mA8BGjOirkL%OG*&

Initial Foothold

SMB Enumenration

Let’s try enumerating SMB with the new creds.

We get read and write access to the new site.

Access the share and we can see that the new site is same on port 8808.

We can see the site utilizes the PHP language.

Create a PHP webshell with the following script.

<?php system($_REQUEST['cmd']); ?>

Execute the URL with the webshell commands.

And we get a shell.

We can find the user.txt in the desktop.

Elevate privilege

While exploring the machine we come across the distro folder with ubuntu inside. This suggests that this machine is running the WSL , Windows sub system for Linux.

Let search for the wsl.exe and bash.exe to confirm.

Once we find the file, lets execute it and we get a linux root shell.

We can look at the bash history to find the admin creds.

We can either login via SMB to get the root.txt or use psexec to spawn a shell.

The root.txt flag is in the desktop.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



Create a website or blog at

%d bloggers like this: