[HTB] Unattended — Writeup (OSWE-Prep)

10 min read · Apr 13, 2021

Unattended was a medium-difficulty Linux box. It is a good learning path for:

  • Nginx off-by-slash Attack
  • SQLi (boolean-based Blind)
  • SQLi → LFI (Abusing Existing <?php include(); ?>)
  • LFI → PHP Session Poisoning → RCE
  • Socket TTY Shell
  • Linux initrd Exploit

Initial Recon


# nmap -Pn --open -T4 -sV -sC -p-
Nmap 7.80 ( https://nmap.org ) at 2021-04-12 12:33 EDT
Nmap scan report for
Host is up (0.078s latency).
Not shown: 65533 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.nestedflanders.htb/organizationName=Unattended ltd/stateOrProvinceName=IT/countryName=IT
| Not valid before: 2018-12-19T09:43:58
|_Not valid after: 2021-09-13T09:43:58

  • HTTPS (443/TCP) — The SSL certificate reveals the domain www.nestedflanders.htb. I added it to my /etc/hosts and it rendered a default Apache2 page.

Web Directory Enumeration (Gobuster)

As usual, I ran a quick gobuster to see if I could discover more of the interesting files/folders on the web server.

# gobuster dir -u https://www.nestedflanders.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

-k: Ignore the SSL verification

  • /index.php
