Hack the Box — Laboratory
8 min readApr 17, 2021
This box was presented at the at the Hack The Box Ottawa January 2021 Meetup by Jon. The presentation has been recorded and will be posted on YouTube.
Let’s get started!
Reconnaissance
Run an nmap scan that scans all ports.
nmap -sC -sV -p- -oA nmap 10.10.10.216We get the following result.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
| 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernelWe have three ports open.
- Port 22: running OpenSSH 8.2p1
- Port 80: running Apache httpd 2.4.41
- Port 443: running Apache httpd 2.4.41
Before we move on to enumeration, let’s make some mental notes about the scan results.
- The OpenSSH version that is running on port 22 is not associated with any critical vulnerabilities, so it’s unlikely that we gain initial access through this port, unless we find credentials.
- Ports 80 & 443 are running web servers. We see that port 80 redirects to port 443. The nmap scan also leaks the hostnames laboratory.htb and git.laboratory.htb. We’ll have to add them to our hosts file. Other than that, since port 80 redirects to port 443, we’ll perform our standard HTTP enumeration techniques on port 443.
Enumeration
Add the hostnames to the /etc/hosts.
10.10.10.216 laboratory.htb git.laboratory.htb