Erit Securus 1

Reconnaissance

Let's run an nmap scan to find open ports and services.

Webserver

Let's visit the site.

Looking through the site, we can see what the page was built with.

Exploit

Let's look at the exploit the room gave us.

Let's download this to our machine and make the exploit file an executable.

Now, let's look at the exploit.

Looking at the exploit, it looks like we need to supply a username and a password. First we need to find the login page to see if we can try some default usernames and passwords to log in.

Let's go to Google and try to find where the login page is located on Bolt CMS.

Let's go to /bolt.

We have a login page. Let's try logging in with default usernames and passwords.

After trying different credentials, I found the right ones:

Username: admin

Password: password

Now that we know the username and the password, we can run the exploit.

Now we will create a simple PHP shell on the server so that we can run commands on it, since netcat is not allowed on the server. Once this shell is uploaded, we can run a netcat reverse shell through it to get a shell on the server.

We can follow these steps, but there is an easier way: first we run the exploit, then enter a Python reverse shell, which gives us a shell on the machine.

So first we start a netcat listener.

Next we run the exploit.

Now we run a Python reverse shell.

And we have a reverse shell.

Let's stabilize the shell.

We are logged in as www-data.

Privilege Escalation

Let's follow these steps; first, let's find the file.

Let's access this file with sqlite3 and check its contents.

Let's copy the password hash for the user wildone and crack it using John the Ripper. Let's save the hash in a file called hash.

Let's now crack it.

Let's switch users to wileec.

We can read the first flag.

Pivoting

Let's check the id_rsa file.

Let's save the private key on our machine in a file called id_rsa, give it the right permissions, and log in through SSH.

You can use the same Python command to get a good shell.

We can now run sudo, so let's run sudo -l to see what we can run as other users.

Let's go to GTFOBins to find the command to switch users to jsmith.

Let's run these commands and switch users to jsmith.

Privilege Escalation 2

Let's run sudo -l to see what we can execute as other users and use the command to privesc to root.

We are now root. We can read the root flag.
