Introduction In the last post, I struggled to complete Ransom - a Medium difficulty HackTheBox lab. While I made some good progress, I feel that it’s slightly above my current skill level. This time I’m trying a mid-difficulty lab within the Easy difficulty tier. Let’s see how it goes!
Enumeration Let’s start with our boilerplate port scan, saved to a custom bash script called port_enum this time (nmap with the -sV and -sC flags set):
Introduction Part 1 of ransom was HARD. With that being said, the only stage I had severe difficulty with was the poorly documented bkcrack tool. Hopefully, I can escalate privileges without peeking at the solutions… let’s do this!
Logging in We are currently at the stage where we have an unzipped copy of a home directory, containing an ssh key.
Inspecting the id_rsa.pub file, we find a username at the end of it:
Introduction I have found writing up these HackTheBox labs immensely satisfying, especially through the medium of a pseudo-private blog in dwo.sh. One surprising benefit is that my aptitude has seemingly grown in a short space of time.
I believe this is because I have a tendency to rush when completing offensive security exercises - writing my thoughts before I execute forces the analytical side of my brain to engage.
With that being said, I am attempting my first ever Medium level lab.
Enumeration To begin the lab, I’m going to open my .bashrc file with vim and assign the target ip (10.129.72.248) to the IP variable, so I can reference it throughout the lab.
With that being done, let’s run a standard nmap scan against the app. The guide references FTP, so I’ll pay particular attention to that:
david@red:~$ nmap -v -sVC $IP Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 11:39 GMT NSE: Loaded 156 scripts for scanning.
Enumeration Let’s start with a simple port scan:
nmap -sC -sV -v 10.129.230.87 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ basic realm=ActiveMQRealm |_http-title: Error 401 Unauthorized |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel I am looking for an ActiveMQ service, which wasn’t revealed by this scan.