Initial Enumeration


Starting off with a typical HTB nmap scan (<target-ip> stands for the box's address):

nmap -A -T4 -Pn -p- -v -oN Traceback <target-ip>

We can see ports 22 and 80 are open.


Heading over to the website and inspecting the source, we see a little note from Xh4H, who claims to have hacked this site, about the best webshells you'll ever need.

According to Xh4H, he has left us a backdoor, and from his inline comment we can assume it's a webshell.

Taking this comment, we paste it word for word into DuckDuckGo and get a GitHub directory as the first link. Going through some of the files, we can see they are definitely webshells.


So we'll clone the entire GitHub repo to /opt/ and write a for loop to check whether any of these files have been uploaded to the site.

From inside the Web-Shells directory under /opt/, we can construct our for loop (<target-ip> stands for the box's address):

for i in *; do echo "$i"; curl -I "http://<target-ip>/$i"; done

We get a 200 response for smevk.php; this is our backdoor webshell.
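
Seen from the server side, the loop above shows up in the access log as one client requesting many distinct .php paths in quick succession, nearly all answered 404, with any 200 marking a file that really exists on disk. The following is an added example, not part of the original write-up: it flags that pattern in a "combined" format log. The log lines, the addresses, every path except smevk.php, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines in "combined" format. Addresses come from the
# documentation ranges; every path except smevk.php is a made-up stand-in.
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jan/2024:09:59:40 +0000] "GET /index.php HTTP/1.1" 200 1113 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "HEAD /shell-a.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "HEAD /shell-b.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "HEAD /shell-c.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "HEAD /smevk.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "HEAD /shell-d.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "HEAD /shell-e.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
198.51.100.20 - - [01/Jan/2024:10:00:05 +0000] "GET /missing.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client IP, request method, request target, response status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def find_script_sweeps(log_text, min_paths=5, min_miss_ratio=0.7):
    """Flag clients that requested many distinct .php paths, mostly 404.

    Returns {ip: (distinct_paths, [paths that answered 200])}. The list in
    the second element names the files that need triage on disk.
    """
    seen = defaultdict(dict)                  # ip -> {path: last status}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # skip malformed lines
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]        # ignore the query string
        if method in ("HEAD", "GET") and path.lower().endswith(".php"):
            seen[ip][path] = int(status)
    flagged = {}
    for ip, paths in seen.items():
        misses = sum(1 for s in paths.values() if s == 404)
        if len(paths) >= min_paths and misses / len(paths) >= min_miss_ratio:
            hits = sorted(p for p, s in paths.items() if s == 200)
            flagged[ip] = (len(paths), hits)
    return flagged


if __name__ == "__main__":
    for ip, (count, hits) in find_script_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct .php paths probed, answered 200: {hits}")
```

Any path reported as answering 200 should be checked against the web root and its modification time, since it is a file the site owner may not have put there.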