Awkward
Awkward walkthrough
Scan Details.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCMaN1wQtPg5uk2w3xD0d0ND6JQgzw40PoqCSBDGB7Q0/f5lQSGU2eSTw4uCdL99hdM/+Uv84ffp2tNkCXyV8l8=
| 256 59365bba3c7821e326b37d23605aec38 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsq9sSC1uhq5CBWylh+yiC7jz4tuegMj/4FVTp6bzZy
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Two ports are open. Checking port 80, we are presented with a site, hat-valley.htb.

Burp Fuzzing
Checking the site out with Burp, we find a few directories to look into, notably hr and api.

Subdomain Fuzzing
Fuzzing for subdomains, we get one domain.

HR Directory
Accessing the /hr site we are presented with a login screen.

Trying default creds doesn't work, so we check the cookie and see it's set to guest. Changing it to admin gives us access to the dashboard.

Checking out the leave request section, we identify a user named christine.
API Directory.
Among the api directory results from Burp, /api/staff-details seems interesting. Loading it in Repeater and accessing it with the cookie set to admin, we get a "jwt malformed" error; setting the cookie to empty, it displays some staff credentials.
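
The /api/staff-details behaviour above (an error for a non-JWT cookie, data for an empty one) is consistent with a handler that verifies the token only when one is present. The following is an added illustration of that fail-open pattern beside a fail-closed version, not code from the target application; the cookie name `token`, the handler names, the secret and the sample record are assumptions constructed for this example.

```javascript
// Added illustration: hypothetical handlers, not the target application's source.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value
const STAFF = [{ username: 'demo.user', password: '<hash placeholder>' }]; // constructed

const b64url = (s) => Buffer.from(s).toString('base64url');

function sign(payload) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', SECRET).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Minimal HS256 check; the algorithm is fixed here, never taken from the token header.
function verify(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('jwt malformed');
  const expected = crypto.createHmac('sha256', SECRET).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
}

// Fail-open: verification runs only when a cookie value is present.
function staffDetailsFailOpen(cookies) {
  if (cookies.token) {
    try { verify(cookies.token); } catch (e) { return { status: 500, body: e.message }; }
  }
  return { status: 200, body: STAFF }; // reached with an empty or missing cookie
}

// Fail-closed: a missing or empty token is rejected before any data is read.
function staffDetailsFailClosed(cookies) {
  if (!cookies.token) return { status: 401, body: 'authentication required' };
  try { verify(cookies.token); } catch (e) { return { status: 401, body: 'invalid token' }; }
  return { status: 200, body: STAFF };
}
```

The same rule applies to the guest/admin cookie on /hr: a role value the client can edit is not an authorization decision unless the server verifies it.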