Mentor write-up by evyatar9

Read my write-up to Mentor machine on:


User: Using snmpwalk, we were able to find password. We then discovered the virtual host api.mentorquotes.htb, which contained Swagger documentation. With the password we found using snmpwalk, we accessed the /admin/backup API as the user james. We found a command injection vulnerability on /admin/backup. Using this vulnerability, we were able to gain a reverse shell as root to the container. We created a TCP tunnel using chisel to access PostgreSQL and found the password for the svc user in the users table.

Root: We found the password for the james user in /etc/snmp/snmp.conf. We then ran /bin/sh as root and were able to obtain the root flag.