Usage

Enums

sudo nmap -sS -sC -sV 10.10.11.18                                                                                                                   ─╯
Password:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-03 18:32 +07
Nmap scan report for 10.10.11.18
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_  256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.00 seconds

Looking on port 80

Pasted image 20240719165211.png
Looking for any vulnerable version, then i found encore/laravel-admin which is vulnerable to CVE-2023-24249

exploitation

This vulnerable version could be exploited by uploading arbitrary file to avatar image sector.
Pasted image 20240719165825.png

After i got RCE, i used linpeas.sh for any vulnerabilities. Then i got PRIVATE KEY
Pasted image 20240728161005.png