← Back to blog

Survivor

May 18, 2024 · Hack The Box / Business CTF 2024 boxes

Challenge

  • CTF: HTB Business CTF 2024: The Vault of Hope
  • Name: Survivor
  • Category: Fullpwn
  • Difficulty: Easy
  • Points: 725
  • Description: A critical tool in the fight to reestablish civilisation lies before you. However, this beacon of hope is not without its vulnerabilities; Your mission is not just about survival but securing the digital fortress that holds the key to mankind’s resurgence.

Writeup

Add site to /etc/hosts: survivor.htb

NMAP:

# Nmap 7.94SVN scan initiated Sat May 18 13:08:38 2024 as: /bin/nmap -n -sC -sV -v -p- --min-rate 3000 --stats-every 3m --max-retries 2 --max-scan-delay 20 --script-args "http.useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" -T4 -oA ./scans/20240518_130838_tcpall 10.129.239.76
Warning: 10.129.239.76 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.239.76
Host is up (0.018s latency).
Not shown: 64320 closed tcp ports (reset), 1213 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://survivor.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 18 13:08:56 2024 -- 1 IP address (1 host up) scanned in 17.96 seconds

Nuclei:

[caa-fingerprint] [dns] [info] survivor.htb
[nginx-version] [http] [info] http://survivor.htb/ ["nginx/1.18.0"]
[tech-detect:nginx] [http] [info] http://survivor.htb/
[http-missing-security-headers:clear-site-data] [http] [info] http://survivor.htb/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://survivor.htb/
[http-missing-security-headers:strict-transport-security] [http] [info] http://survivor.htb/
[http-missing-security-headers:permissions-policy] [http] [info] http://survivor.htb/
[http-missing-security-headers:x-content-type-options] [http] [info] http://survivor.htb/
[http-missing-security-headers:referrer-policy] [http] [info] http://survivor.htb/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://survivor.htb/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://survivor.htb/
[http-missing-security-headers:content-security-policy] [http] [info] http://survivor.htb/
[http-missing-security-headers:x-frame-options] [http] [info] http://survivor.htb/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://survivor.htb/
[waf-detect:nginxgeneric] [http] [info] http://survivor.htb/
[ssh-auth-methods] [javascript] [info] survivor.htb:22 ["["publickey","password"]"]

Survivor: fullpwn_survivor_1