Team
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed nmap scan:
Command breakdown:
-sV: probe for service versions
-sC: run the default nmap scripts
-p 21,22,80: scan only ports 21, 22 and 80
-oN nmap: save the output in normal format to a file called nmap
Enumeration
Let's visit the site.
It's the default Apache2 page, so let's look at the source code.
It is telling us to add team.thm to our hosts file, so let's do that.
Now let's visit the page.
It's a well-made website; let's run gobuster to find hidden directories.
Looks like we found a few directories. Let's run another gobuster scan on the scripts directory, as it looks like it contains more content.
Let's also look at the robots.txt page, as we sometimes find interesting information there.
Looks like a username.
Let's now explore the assets directory.
We are not allowed.
Let's check the script directory.
We are not allowed again.
We are allowed to access the images directory, but there is nothing interesting there. Our gobuster results are back.
Let's visit this page.
The note at the end tells us that the extension of the old script has been changed, so let's go find it.
Let's download the file and read it.
Now we have the username and the password, so let's log in through FTP.
We are logged in; let's look at the files.
We have quite a few directories; let's first go to workshare and get its contents.
Now let's go to the .ssh folder and get its contents.
I looked at the directories and there was either nothing or it was a dead end.
Now let's read the files that we transferred to our machine.
Looks like there is another website on the web server, and we should be able to access it using dev in the URL, so let's add it to our hosts file and visit the site.
There is nothing in the source code, so let's click the link.
It takes us to a different URL, and this to me screams LFI, so let's test some LFI payloads against it.
Exploitation
First, let's capture the request with Burp Suite and send it to Repeater so that we can try different payloads without having to re-send the request each time.
Now that we have the request, let's experiment. Let's first look for the /etc/passwd file and see if we can read it.
Oh, we can. Looking back at the note we found on the FTP server, there should be an id_rsa file in a config file. To find it, let's do some LFI fuzzing. First we need to send the request to Intruder (Ctrl + I). Now go to the Positions tab and leave it as it is.
Now go to the Payloads tab and let's load in a wordlist to find files. The wordlist I am going to use is this one, which can be found here on your machine:
/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
Click on the Load option, browse to the file and then hit Load; it should look like this.
Now hit Start attack at the top. Looking at the results, one file looks very interesting.
Let's visit this page.
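A defender's view of the fuzzing run above, as an added example that is not part of the original write-up: a Python scanner that reads Apache access-log lines, URL-decodes the path and each query parameter, and flags traversal sequences and well-known sensitive file names, then reports addresses that sent repeated probes. The log lines, the script path and the page parameter name are constructed for the example, not taken from the room.

```python
"""Added example, not part of the write-up: flag LFI / path-traversal probes
in Apache access logs. All log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache "combined" format. The script path and the
# "page" parameter are assumptions made for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /script/script.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2021:10:01:07 +0000] "GET /script/script.php?page=../../../../etc/passwd HTTP/1.1" 200 1730 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2021:10:01:09 +0000] "GET /script/script.php?page=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2021:10:01:12 +0000] "GET /script/script.php?page=/etc/ssh/sshd_config HTTP/1.1" 200 3200 "-" "python-requests/2.25"
10.0.0.5 - - [12/Mar/2021:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# "../" and "..\" in clear or percent-encoded form, including double encoding.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e|%252e", re.I)
# Files an LFI wordlist such as the one used above typically requests.
SENSITIVE_RE = re.compile(
    r"(^|/)(etc/(passwd|shadow|hosts|ssh/sshd_config)|proc/self/environ|"
    r"var/log/|\.ssh/|id_rsa)",
    re.I,
)


def decode(value: str) -> str:
    # Decode twice so double-encoded payloads (%252e -> %2e -> .) are caught.
    return unquote(unquote(value))


def analyse_line(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    reasons = []
    if TRAVERSAL_RE.search(parts.path) or TRAVERSAL_RE.search(decode(parts.path)):
        reasons.append("traversal in path")
    # Split the query by hand so the raw (still encoded) value is available.
    for pair in (parts.query.split("&") if parts.query else []):
        name, _, raw = pair.partition("=")
        name, value = decode(name), decode(raw)
        if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(value):
            reasons.append(f"traversal in {name}")
        if SENSITIVE_RE.search(value):
            reasons.append(f"sensitive path in {name}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "target": target,
            "status": int(m.group("status")), "reasons": reasons}


def scan_log(text: str) -> list:
    """Run analyse_line over every line and keep only the findings."""
    return [hit for hit in map(analyse_line, text.splitlines()) if hit]


def suspicious_sources(hits: list, threshold: int = 2) -> set:
    # Several probes from one address in quick succession is the signature
    # of an Intruder-style wordlist run rather than a single stray request.
    counts = Counter(hit["ip"] for hit in hits)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for hit in findings:
        print(hit["ip"], hit["status"], hit["target"], ", ".join(hit["reasons"]))
    print("repeat offenders:", suspicious_sources(findings))
```

Requests that return 200 with a non-zero size for a sensitive path are the ones to triage first; the status and size fields are kept in each finding for that reason.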
Looks like we have an SSH private key. Let's copy it and SSH into the machine; we also have the username, so it's perfect. I'm calling the file id_rsa.
Now we have to remove all the # symbols in the file and then change the permissions of the file.
Now let's log in.
We are logged in; let's read user.txt.
Privilege Escalation
Let's use sudo -l to see what we can run as other users.
Let's look at this file.
Looking at the script, there are a few places where we can inject system commands. Let's inject through the error variable, as the variable is passed directly to a system call.
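The weakness described above, as an added example that is not the room's own script (the write-up does not reproduce it): a hypothetical Python helper that splices a user-supplied error message straight into a shell command line, beside a hardened rewrite that validates the message against an allowlist and hands it to the program as a single argv element with no shell involved. The log path, the logger tag and the allowlist pattern are assumptions.

```python
"""Added example, not the room's script: the command-injection pattern behind
"the variable is passed directly to a system call", with a hardened rewrite."""
import re
import shlex

# Assumption: the helper appends an operator-supplied message to a log file.
LOG_PATH = "/var/log/admin_checks.log"  # hypothetical path


def vulnerable_command(error: str) -> str:
    # Unsafe: untrusted text is spliced into a shell command line. Any shell
    # metacharacters it carries are interpreted by /bin/sh once this string is
    # run through os.system()/shell=True (or as an unquoted $error in bash).
    return f"echo {error} >> {LOG_PATH}"


def shell_tokens(command: str) -> list:
    # Tokenise the string the way a POSIX shell would: ; | & < > ( ) become
    # separate tokens, which makes a smuggled second command visible.
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


# Conservative allowlist for a free-text status message (assumption).
ALLOWED = re.compile(r"[A-Za-z0-9 ._:-]{1,200}")


def hardened_argv(error: str) -> list:
    # Safe: reject anything outside the allowlist, then build an argv list to
    # pass to the program without a shell (e.g. subprocess.run(argv, check=True)),
    # so the whole message is one argument and metacharacters are just bytes.
    if not ALLOWED.fullmatch(error):
        raise ValueError("message rejected: characters outside the allowlist")
    return ["logger", "-t", "admin_checks", "--", error]


def is_rejected(error: str) -> bool:
    """True when the hardened path refuses the message."""
    try:
        hardened_argv(error)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for msg in ("disk check failed", "disk check failed; id"):
        print(shell_tokens(vulnerable_command(msg)))
        print("rejected" if is_rejected(msg) else hardened_argv(msg))
```

The first function is kept as a string builder on purpose: it shows what the shell would parse without executing anything. The fix has two independent parts, and both matter: validating input stops unexpected characters from reaching the command at all, and dropping the shell means that even a validation gap cannot turn a message into a second command.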
We are now the user gyles. Let's look at the gyles directory.
The .bash_history is an interesting file; let's read it.
It looks like they were changing the contents of this file, so let's look at it.
The file is also owned by root, so let's change the content of the file using nano.
Now save and exit with Ctrl + O and Ctrl + R. Let's now start a netcat listener.
And after a while, we get a shell as root.