Read my write-up to Mentor machine on:
TL;DR
User: Using snmpwalk
, we were able to find password. We then discovered the virtual host api.mentorquotes.htb
, which contained Swagger documentation. With the password we found using snmpwalk
, we accessed the /admin/backup
API as the user james
. We found a command injection vulnerability on /admin/backup
. Using this vulnerability, we were able to gain a reverse shell as root
to the container. We created a TCP tunnel using chisel
to access PostgreSQL
and found the password for the svc
user in the users table.
Root: We found the password for the james
user in /etc/snmp/snmp.conf
. We then ran /bin/sh
as root and were able to obtain the root
flag.