#HackTheBox
#Analytics
#Metabase
#Docker
Nmap Scan

IP Address: 10.129.149.35
Hostname: analytical.htb
Open Ports: 22 (SSH), 80 (HTTP)

Reconnaissance

Website Enumeration

Following the Nmap scan, I navigated to the website hosted on port 80. I discovered a login page and subsequently updated the /etc/hosts file to include both analytical.htb and data.analytical.htb.

127.0.0.1 localhost
127.0.1.1 kali
10.129.149.35 analytical.htb data.analytical.htb

Point of Compromise (POC)

Upon further inspection, I identified the login page as part of Metabase, a popular open-source data visualization platform.
#HackTheBox
#Backfire
#Havoc C2
#SSRF Exploit
#HardHatC2
Nmap Scan

Performed a detailed enumeration of the target using Nmap:

nmap -sVC -v3 backfire.htb

Discovered Ports:

22/tcp - OpenSSH 9.2p1
443/tcp - nginx 1.22.1 with self-signed certificate
8000/tcp - nginx 1.22.1 serving directory listing

Initial Access

Reconnaissance

Browsing to http://backfire.htb:8000/ revealed two files:

disable_tls.patch
havoc.yaotl

disable_tls.patch indicates TLS has been disabled on the Havoc Teamserver WebSocket (port 40056), exposing it for potential exploitation.

Havoc C2 SSRF Exploit

Using a public exploit for Havoc C2:
#HackTheBox
#Cap
#PwnKit
#CVE-2021-4034
Nmap Scan

nmap --privileged -sVC -v3 -oA output cap.htb

Running a comprehensive Nmap scan (-sVC for service/version detection and default scripts) revealed three open ports:

Port 21 (FTP): vsftpd 3.0.3
Port 22 (SSH): OpenSSH 8.2p1 (Ubuntu)
Port 80 (HTTP): running behind Gunicorn with a Security Dashboard web app.

PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      vsftpd 3.0.3
22/tcp  open   ssh      OpenSSH 8.2p1 (Ubuntu)
80/tcp  open   http     Gunicorn (Security Dashboard)

With the HTTP service exposed, I proceeded to explore the web application.
#HackTheBox
#Jupiter
#SQL Injection
#Jupyter Notebook
#Chisel
Nmap

IP: 10.10.11.216
Hostname: jupiter.htb
Ports: 22,80

Recon Explanation

Following the Nmap scan results, I visited the main webpage but found nothing noteworthy. I then ran a subdomain enumeration tool and discovered kiosk.jupiter.htb. Upon visiting this subdomain, it appeared to be an informational page about moons.

Next, I attempted to log in to the Grafana instance but was unsuccessful. I captured the web traffic using BurpSuite and, while analyzing the HTTP history, noticed that the application was executing raw PostgreSQL queries.