Writeup on nquangit - Pentester

HTB Editor

nquang.it.04@gmail.com (nquangit) — Tue, 05 Aug 2025 01:00:00 +0700

HTB Editor

Author: nquangit(nquang.it.04@gmail.com)

Editor 2nd Aug 2025 Difficulty: Easy Machine Author(s): kavigihan & TheCyberGeek Successfully Pwned Editor nquangit has successfully completed and pwned this machine on Hack The Box. Hack The Box Machine Information None. Enumeration Every journey begins with a single step, and every attack starts by gathering as much information as possible about the target. As the ancient maxim goes, “Know your enemy and know yourself, and in a hundred battles you will never be defeated.

Published on 2025-08-05 at nquangit - Pentester, last modified on 2025-08-05

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

HTB Era

nquang.it.04@gmail.com (nquangit) — Sun, 03 Aug 2025 01:00:00 +0700

HTB Era

Author: nquangit(nquang.it.04@gmail.com)

Era 26th Jul 2025 Difficulty: Medium Machine Author(s): yurivich Successfully Pwned Era nquangit has successfully completed and pwned this machine on Hack The Box. Hack The Box Machine Information None. Enumeration Enumeration is the first step in our journey to pwn the machine. We will start with some scans to identify potential vulnerabilities and then proceed with manual inspection of the application. Nmap Scan # Nmap 7.95 scan initiated Sat Aug 2 13:42:39 2025 as: /usr/lib/nmap/nmap --privileged -F -vv -sV -sC -Pn -oN nmap.

Published on 2025-08-03 at nquangit - Pentester, last modified on 2025-08-03

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

CitiSmart

nquang.it.04@gmail.com (nquangit) — Wed, 30 Jul 2025 01:00:00 +0700

CitiSmart

Author: nquangit(nquang.it.04@gmail.com)

CitiSmart 19th Jul 2025 Difficulty: EASY Challenge Author(s): lordrukie Successfully Pwned CitiSmart nquangit has successfully completed and pwned this challenge on Hack The Box. Hack The Box Description Citismart is an innovative Smart City monitoring platform aimed at detecting anomalies in public sector operations. We invite you to explore the application for any potential vulnerabilities and uncover the hidden flag within its depths. Enumeration Application Manual Inspection Always my first step is to manually inspect the application with a browser through BurpSuite for capturing requests, responses and activities.

Published on 2025-07-30 at nquangit - Pentester, last modified on 2025-07-30

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

NeoVault

nquang.it.04@gmail.com (nquangit) — Mon, 28 Jul 2025 01:00:00 +0700

NeoVault

Author: nquangit(nquang.it.04@gmail.com)

NeoVault 19th Jul 2025 Difficulty: VERY EASY Challenge Author(s): lordrukie Successfully Pwned NeoVault nquangit has successfully completed and pwned this challenge on Hack The Box. Hack The Box Description Neovault is a trusted banking app for fund transfers and downloading transaction history. You’re invited to explore the app, find potential vulnerabilities, and uncover the hidden flag within. Solution Enumeration Enumeration is the first step in our journey to find the flag.

Published on 2025-07-28 at nquangit - Pentester, last modified on 2025-07-28

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

Outbound

nquang.it.04@gmail.com (nquangit) — Sun, 27 Jul 2025 01:00:00 +0700

Outbound

Author: nquangit(nquang.it.04@gmail.com)

Outbound

12^th Jul 2025

Difficulty: Easy

Machine Author(s): TheCyberGeek

Successfully Pwned Outbound

nquangit has successfully completed and pwned this machine on Hack The Box.

Machine Information

As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2

Enumeration

nmap Scan

# Nmap 7.95 scan initiated Wed Jul 23 13:39:53 2025 as: /usr/lib/nmap/nmap --privileged -F -vv -sV -sC -Pn -oN nmap-scan.txt 10.10.11.77
Nmap scan report for 10.10.11.77
Host is up, received user-set (0.061s latency).
Scanned at 2025-07-23 13:39:54 +07 for 15s
Not shown: 98 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 62 OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN9Ju3bTZsFozwXY1B2KIlEY4BA+RcNM57w4C5EjOw1QegUUyCJoO4TVOKfzy/9kd3WrPEj/FYKT2agja9/PM44=
|   256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9qI0OvMyp03dAGXR0UPdxw7hjSwMR773Yb9Sne+7vD
80/tcp open  http    syn-ack ttl 62 nginx 1.24.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 23 13:40:09 2025 -- 1 IP address (1 host up) scanned in 15.39 seconds

With the Nmap scan, we can see that the target machine has two open ports:

22 (SSH) - OpenSSH version 9.6p1
80 (HTTP) - Nginx version 1.24.0

We can also see that the web server redirects to http://mail.outbound.htb/. Then we need to add this domain to our /etc/hosts file:

echo "ip_address mail.outbound.htb" | sudo tee -a /etc/hosts

Nuclei Scan

[CVE-2025-49113:version_check] [http] [critical] http://mail.outbound.htb ["Roundcube Version: 1.6.10"]
[roundcube-log-disclosure] [http] [medium] http://mail.outbound.htb/roundcube/logs/errors.log ["3971"] [roundcube_path="roundcube/logs/errors.log"]
[cookies-without-secure] [javascript] [info] mail.outbound.htb ["roundcube_sessid"]
[waf-detect:nginxgeneric] [http] [info] http://mail.outbound.htb
[ssh-password-auth] [javascript] [info] mail.outbound.htb:22
[ssh-server-enumeration] [javascript] [info] mail.outbound.htb:22 ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.12"]
[ssh-sha1-hmac-algo] [javascript] [info] mail.outbound.htb:22
[ssh-auth-methods] [javascript] [info] mail.outbound.htb:22 ["["publickey","password"]"]
[openssh-detect] [tcp] [info] mail.outbound.htb:22 ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.12"]
[form-detection] [http] [info] http://mail.outbound.htb
[nginx-version] [http] [info] http://mail.outbound.htb ["nginx/1.24.0"]
[roundcube-webmail-portal] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:strict-transport-security] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:content-security-policy] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:permissions-policy] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:x-content-type-options] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:referrer-policy] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://mail.outbound.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://mail.outbound.htb
[tech-detect:bootstrap] [http] [info] http://mail.outbound.htb
[tech-detect:nginx] [http] [info] http://mail.outbound.htb
[caa-fingerprint] [dns] [info] mail.outbound.htb

In the Nuclei scan results, we can see that the target machine is running Roundcube version 1.6.10, which is vulnerable to CVE-2025-49113. This vulnerability allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

It’s also worth noting that the Nuclei scan found a log file at roundcube/logs/errors.log, which may contain sensitive information.

Manual Inspection

With the provided credentials tyler / LhKL1o9Nm3X2, we can log in to the Roundcube webmail interface at http://mail.outbound.htb/roundcube/. After logging in, we can confirm that the version is indeed 1.6.10 and that it is vulnerable to CVE-2025-49113.

Exploitation

Published on 2025-07-27 at nquangit - Pentester, last modified on 2025-07-27

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

Web Write Up - GPN CTF 2025

nquang.it.04@gmail.com (nquangit) — Sat, 21 Jun 2025 15:49:52 +0700

Web Write Up - GPN CTF 2025

Author: nquangit(nquang.it.04@gmail.com)

[Image Contest] This challenge isn’t have source code, but it has a web service that allows users to submit images. It’s a simple PHP application, so that the goal might be to submit an PHP shell file that can be executed on the server to read the flag. Challenge Description You have technicians here, making noise, they are not artists because no one has submitted any art yet. Which is exactly what you need to do: submit a banger image and win the flag.

Published on 2025-06-21 at nquangit - Pentester, last modified on 2025-06-21

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

FIA Cybersus CTF 2025 Web Write up

nquang.it.04@gmail.com (nquangit) — Tue, 10 Jun 2025 05:00:00 -0700

FIA Cybersus CTF 2025 Web Write up

Author: nquangit(nquang.it.04@gmail.com)

NOTE: This will be a brief write-up, so we will get straight to the heart of the matter without going into too much detail. Frontier Guardian Description: Come play and choose a hero to save the galaxy! Explore planets and fight aliens in this exciting space adventure. Author: Kahang First, we will access the application and perform some function - click on some character to find out what the application does.

Published on 2025-06-10 at nquangit - Pentester, last modified on 2025-06-10

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

FIA Summer CTF Web Write up

nquang.it.04@gmail.com (nquangit) — Sun, 14 May 2023 11:00:00 -0700

FIA Summer CTF Web Write up

Author: nquangit(nquang.it.04@gmail.com)

Still Vulnerable Description: I came across a web app for bookshelves on picoctf2023 that had a security bug, which I managed to fix. However, despite my efforts, my site is still vulnerable and has been hacked. Can you assist me in identifying the vulnerability? 1. Analysis the problem This web application is derived from picoctf2023 and it had a security problem. The author try to fix it but it still vulnerable.

Published on 2023-05-14 at nquangit - Pentester, last modified on 2023-05-14

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!

Technical Entrance Challenge 2022

nquang.it.04@gmail.com (nquangit) — Thu, 09 Feb 2023 11:00:00 -0700

Technical Entrance Challenge 2022

Author: nquangit(nquang.it.04@gmail.com)

Bory Cipher Description: Bory has created his own super secure cipher. To create this masterpiece, he worked lots of hours at the University with his consultant Mr Vignere. His mentor give him the advice. Mix as many as Cipher you known and a little bit magic. That is called “FIA”. At the start, we have a text file BoryCipher.txt with the content: 簴簴簴簴簴簴簴簴

Published on 2023-02-09 at nquangit - Pentester, last modified on 2023-02-09

All articles on this blog are licensed under the BY-NC-SA license agreement unless otherwise stated. Please indicate the source when reprinting!