Erit Securus 1


Last updated 3 years ago


Reconnaissance

Let's run an nmap scan to find open ports and services.

Webserver

Let's visit the site.

Looking through the site, we can see what it was built with.

Exploit

Let's look at the exploit the room gave us.

Let's download it to our machine and make the exploit file executable.

Now, let's look at the exploit.

Looking at the exploit, it looks like we need to supply a username and a password. First we need to find the login page so we can try some default usernames and passwords.

Let's search for where the login page is located on Bolt CMS.

Let's go to /bolt.

We have a login page. Let's try logging in with default usernames and passwords.

After trying different credentials, I found the right ones:

Username: admin

Password: password

Now that we know the username and the password, we can run the exploit.

Since netcat is not available on the server, one option is to create a simple PHP shell on the server so that we can run commands through it and launch a reverse shell from there.

We could follow those steps, but there is an easier way: run the exploit, then use a python reverse shell, which gives us a shell on the machine.

So first we start a netcat listener.

Next we run the exploit.

Now we run a python reverse shell.

And we have a reverse shell.

Let's stabilize the shell.

We are logged in as www-data.

Privilege Escalation

Let's follow these steps. First, let's find the database file.

Let's open this file with sqlite3 and check its contents.

Let's copy the password hash for the user wileec and crack it using John the Ripper. Let's save the hash in a file called hash.

Let's now crack it.

Let's switch users to wileec.

We can read the first flag.
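The database-to-John staging described in the steps above, as an added example that is not the writeup's commands. It assumes Bolt 3's defaults: the SQLite database at app/database/bolt.db under the web root, users in a table named bolt_users, and bcrypt (`$2y$`) password hashes. The sample database and its hashes are constructed here and the hashes are dummies with bcrypt's shape only, so they will not crack; the rockyou wordlist path is the usual Kali location, also an assumption.

```python
"""Pull Bolt's user hashes out of its SQLite database and stage them for John.

Added example, not the writeup's commands. It assumes Bolt 3's defaults: the
database is app/database/bolt.db under the web root and users live in a table
named bolt_users whose password column holds bcrypt ($2y$) hashes.
"""
import re
import sqlite3
import tempfile
from pathlib import Path

# Hash prefixes mapped to the --format name John expects for them.
HASH_FORMATS = {
    "$2y$": "bcrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
}
# bcrypt: $2<v>$<cost>$ followed by 22 salt + 31 digest chars from the bcrypt alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def identify(hash_value: str) -> str:
    """Name the John format for a crypt-style hash, rejecting truncated bcrypt strings."""
    for prefix, fmt in HASH_FORMATS.items():
        if hash_value.startswith(prefix):
            if fmt == "bcrypt" and not BCRYPT_RE.match(hash_value):
                raise ValueError(f"malformed bcrypt hash (copied incompletely?): {hash_value!r}")
            return fmt
    raise ValueError(f"unrecognised hash: {hash_value!r}")


def dump_users(db_path, table: str = "bolt_users") -> list:
    """Same as `sqlite3 bolt.db 'select username,password from bolt_users;'`, read-only."""
    if not table.isidentifier():            # the name is ours, but never let it reach SQL unchecked
        raise ValueError(f"bad table name: {table!r}")
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return con.execute(f"SELECT username, password FROM {table}").fetchall()
    finally:
        con.close()


def stage_hashes(db_path, out_path, only_user=None):
    """Write user:hash lines for John and return (format, lines written).

    One John run handles one format, so a file mixing formats is an error.
    """
    rows = [(u, h) for u, h in dump_users(db_path) if only_user in (None, u)]
    if not rows:
        raise LookupError(f"no user {only_user!r} in {db_path}")
    formats = {identify(h) for _, h in rows}
    if len(formats) != 1:
        raise ValueError(f"mixed hash formats, split the file: {sorted(formats)}")
    lines = [f"{u}:{h}" for u, h in rows]
    Path(out_path).write_text("\n".join(lines) + "\n")
    return formats.pop(), lines


def build_sample_db(db_path) -> None:
    """Constructed stand-in for bolt.db. The hashes have bcrypt's shape but are
    dummies (not produced by bcrypt), so they will not crack."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE bolt_users (id INTEGER PRIMARY KEY, username TEXT, "
                "password TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO bolt_users (username, password, email) VALUES (?, ?, ?)",
        [("admin", "$2y$10$" + "a" * 22 + "b" * 31, "admin@example.com"),
         ("wileec", "$2y$10$" + "c" * 22 + "d" * 31, "wileec@example.com")],
    )
    con.commit()
    con.close()


def demo() -> dict:
    """Run the extraction end to end in a temp dir and return what was produced."""
    with tempfile.TemporaryDirectory() as tmp:
        db, hash_file = Path(tmp) / "bolt.db", Path(tmp) / "hash"
        build_sample_db(db)
        fmt, lines = stage_hashes(db, hash_file, only_user="wileec")
        return {
            "all_users": [u for u, _ in dump_users(db)],
            "format": fmt,
            "lines": lines,
            "file_text": hash_file.read_text(),
            # Wordlist path is the usual Kali location, an assumption.
            "john_cmd": f"john --format={fmt} --wordlist=/usr/share/wordlists/rockyou.txt {hash_file.name}",
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The format check matters in practice: a bcrypt hash copied out of a terminal with a character missing is rejected up front instead of making John report "No password hashes loaded", and passing `--format=bcrypt` explicitly avoids John guessing a different format for the `$2y$` prefix.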

Pivoting

Let's check the id_rsa file.

Let's save the private key on our machine in a file called id_rsa, restrict its permissions, and log in through ssh.

You can use the same python command to get a proper shell.

We can now run sudo, so let's run sudo -l to see what we can run as other users.

Let's go to GTFOBins to find the command to switch users to jsmith.

Let's run these commands and switch users to jsmith.

Privilege Escalation 2

Let's run sudo -l to see what we can execute as other users, and use the listed command to escalate to root.

We are now root and can read the root flag.