HTB MyIP Walkthrough: Complete Capture-the-Flag Guide

Overview

A concise, step‑by‑step walkthrough to compromise the HTB “MyIP” box, from initial enumeration through the user and root flags. Assumes a standard HTB lab setup and basic pentest tooling (nmap, curl, gobuster, ssh, common Linux utilities).

1) Recon & Enumeration

  • Network scan: TCP port discovery with service and script checks (nmap -sC -sV -p-); UDP needs a separate scan.
  • Web discovery: Visit web root, check robots.txt, run directory brute force (gobuster/ffuf).
  • Service probing: Banner grabs, version IDs; test for common apps (CMS, admin panels, APIs).
  • Credentials leak checks: Look for exposed config files, backup files, .git, or uploaded logs.

2) Initial Access

  • Web exploits: Test found endpoints for SQLi, RCE, LFI/RFI, file upload flaws. Use manual requests and lightweight scripts rather than noisy automations.
  • Authentication vectors: Try default credentials, common users, or creds leaked in discovered config/database files.
  • Obtaining a shell: Once a webshell or SSH credentials are in hand, upgrade to an interactive shell (python -c 'import pty; pty.spawn("/bin/bash")').

3) Privilege Escalation (user → root)

  • Local enumeration: Gather OS info, kernel, sudoers, setuid binaries, running services, cron jobs, and writable directories.
  • Package/config checks: Look for misconfigured services, world-writable scripts, backup credentials, or files in /etc.
  • Common escalations: Exploit writable /usr/local paths, sudo misconfigurations, weak cron scripts, kernel exploits only if box difficulty implies.
  • Exploit safely: Prefer local misconfiguration exploits (path hijacking, abusing group memberships) over destructive kernel exploits.

4) Post‑Exploitation & Cleanup

  • Capture flags: Read user and root flag files and record proof.
  • Persistence (lab only): Document potential persistence mechanisms for learning — do not deploy outside lab.
  • Notes: Save commands, payloads, and timelines for a full writeup.

5) Reporting Checklist

  • Target summary (open ports, services, versions)
  • Initial access vector and exact requests/payloads used
  • Shell evidence (non-sensitive screenshots/command outputs)
  • Privilege escalation steps and justification
  • Remediation recommendations (patching, config hardening, least privilege)

Quick Tool/Command Cheatsheet

  • nmap: nmap -p- --min-rate=10000 -oA nmap_all
  • web brute: gobuster dir -u http:/// -w /usr/share/wordlists/dirb/common.txt
  • basic shell spawn: python3 -c 'import pty; pty.spawn("/bin/bash")'
  • file transfer: python3 -m http.server 8000 -d /tmp (on attacker; the module takes a port and -d for the served directory) + wget/curl on target
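The cheatsheet's `-oA nmap_all` also writes `nmap_all.gnmap`, which is the easiest input for the "Target summary (open ports, services, versions)" row of the reporting checklist. The parser below is an added example, not part of the original walkthrough; the `.gnmap` content it parses is constructed, not a scan of the box.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_gnmap(text: str) -> list[PortEntry]:
    """Parse .gnmap text: each 'Host:' line is tab-separated 'Key: value' fields, and
    'Ports:' holds comma-separated port/state/proto/owner/service/rpcinfo/version/ entries
    (nmap rewrites any '/' inside a field as '|', so splitting on '/' is safe)."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]          # drop the trailing '(hostname)' part
        for raw in fields.get("Ports", "").split(", "):   # 'Status: Up' lines have no Ports
            if not raw:
                continue
            port, state, proto, _owner, service, _rpc, version, *_ = raw.split("/")
            entries.append(PortEntry(host, int(port), proto, state, service, version))
    return entries

def target_summary(entries: list[PortEntry]) -> list[str]:
    """One report row per open port, sorted by host, protocol and port;
    filtered/closed ports are left out of the summary."""
    rows = []
    for e in sorted(entries, key=lambda e: (e.host, e.proto, e.port)):
        if e.state != "open":
            continue
        version = e.version or "version not identified"
        rows.append(f"{e.host}  {e.port}/{e.proto}  {e.service:<8} {version}")
    return rows

# Constructed sample .gnmap content (placeholder host, not a real scan result).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.129.0.10 ()\tStatus: Up\n"
    "Host: 10.129.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6/, "
    "80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)\n"
)
```

Run `target_summary(parse_gnmap(open("nmap_all.gnmap").read()))` against the real output file to get the rows for the report.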

