Sorcery HTB Writeup | HacktheBox | Season 8

Objective

Document the penetration test on sorcery.htb, focusing on network scanning, repository access, password manipulation, and reverse shell establishment.

Steps Executed

1. Network Scan

Scanned $IP with Nmap:

nmap -sC -sV $IP

Findings: Identified HTTP and Git services. through dirb

2. Hosts Configuration

Added domains to /etc/hosts:

echo "IP environmental.htb sorcery.htb git.sorcery.htb" | sudo tee -a /etc/hosts

3. Git Repository Clone

Cloned repository with SSL verification disabled:

export GIT_SSL_NO_VERIFY=true
git clone https://git.sorcery.htb/nicole_sullivan/infrastructure.git

4. Git Inspection

Inspected Git objects:

git cat-file -p acb753d
git show b94fe501dfe6470cf77a639d54c0d2178588ad71

Findings: Retrieved sensitive configurations.

5. Password Hash

Generated Argon2id hash for P@ssw0rd123:

echo -n "P@ssw0rd123" | argon2 somesalt -id -t 2 -m 15 -p 1

Output: $argon2id$v=19$m=32768,t=2,p=1$c29tZXNhbHQ$TwnvITHeonF5W7P/GQH0sLr+yntWG4LeIZkd7sNFxwE

Access is restricted by HackTheBox rules#

The solution to the problem can be published in the public domain after her retirement.

Look for a non-public solution to the problem in the telegram channel .