# Erit Securus 1

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh4QP5CX3zQKMtmh2e%2F-Mdh4a3f2qwTJoLByM2C%2Fimage.png?alt=media\&token=4f42d0af-bf79-4a1b-a541-ff19690fb6eb)

## Reconnaissance

Let's run an nmap scan to find open ports and services.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh5v5ejaQwcUtyaUs3%2Fimage.png?alt=media\&token=3029a253-c5bb-4e4e-bf30-3162cfaa08b4)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh6VjtNA09HCB5JU9i%2Fimage.png?alt=media\&token=00ee6a0c-88f8-41b8-b070-e27df93b9a7d)

## Webserver

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh722V4MUnOg7nLEMj%2Fimage.png?alt=media\&token=8808cbde-2bf2-41a4-9601-c5ef42117140)

Looking through the site, we can see what it was built with (Bolt CMS).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh7NAyDYGvF4ITDzVV%2Fimage.png?alt=media\&token=3d8679c1-e4a1-4d5a-9b6b-570d93712fad)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh7PsQYI_o-SFxn2eI%2Fimage.png?alt=media\&token=6f80cd1a-a38c-407b-9e47-81abc2ad7abb)

## Exploit

Let's look at the exploit the room gave us.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh880Gu7WG8B8Uqb8q%2Fimage.png?alt=media\&token=cef1c695-3b59-4bf7-9fbc-7e9d62eb9cb7)

Let's download this to our machine and make the exploit file executable.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh5dAAzhKIvm0EkBba%2F-Mdh8IJdKhJNsa6ThuEj%2Fimage.png?alt=media\&token=2df3561b-b1de-401d-86b2-a40dca66026e)

Now, let's look at the exploit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdh938q4AFkce_Iyg3q%2Fimage.png?alt=media\&token=ad9d738d-39f5-40f8-8c5d-3c8419715c82)

Looking at the exploit, it looks like we need to supply a username and a password. First we need to find the login page so that we can try some default usernames and passwords.

Let's search Google to find where the login page is located in Bolt CMS.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhBUlr6g-llXtlucRL%2Fimage.png?alt=media\&token=a9e096a6-ee87-41c5-9cb9-60f0d2fd5612)

Let's go to /bolt.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhCBOJBFl8_tiTMOw8%2Fimage.png?alt=media\&token=367e0108-b58b-4d96-a4f3-03a51b0bce4d)

We have a login page. Let's try logging in with default usernames and passwords.

After trying different credentials, I found the right ones:

Username: admin

Password: password

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhDM3Vvdro1xbz31-Q%2Fimage.png?alt=media\&token=bab780e3-01e9-4e9c-bc29-7fafa9a706fe)
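As an added defensive example (not part of this walkthrough), here is a small Python detector that flags the pattern just used: repeated POSTs to the Bolt backend login from one source that end in a redirect. It runs over constructed web-server log lines and assumes the combined log format, that the login form posts to `/bolt/login`, and that a successful login answers with a 302 while a failed one re-renders the form with a 200; those are assumptions, not facts from the page.

```python
import re
from collections import defaultdict

# Combined log format (assumption); captures the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Bolt's backend lives under /bolt (the page visits it); the exact form
# action is an assumption.
LOGIN_PATHS = ("/bolt/login", "/bolt")

# Constructed sample: one source hammers the login and finally gets a 302,
# another logs in cleanly on the first try.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /bolt HTTP/1.1" 200 2311
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /bolt/login HTTP/1.1" 200 2311
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /bolt/login HTTP/1.1" 200 2311
10.0.0.5 - - [01/Jan/2024:10:00:14 +0000] "POST /bolt/login HTTP/1.1" 200 2311
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "POST /bolt/login HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:01:30 +0000] "POST /bolt/login HTTP/1.1" 302 0
"""


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_login_abuse(lines, threshold=3):
    """Return {ip: {attempts, failures, success}} for every source that POSTed
    to the backend login at least `threshold` times. A 302 counts as success
    (assumption), anything else as a failed attempt."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "success": False})
    for line in lines:
        rec = parse(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0].rstrip("/") not in LOGIN_PATHS:
            continue
        s = stats[rec["ip"]]
        s["attempts"] += 1
        if rec["status"] == "302":
            s["success"] = True
        else:
            s["failures"] += 1
    return {ip: s for ip, s in stats.items() if s["attempts"] >= threshold}


if __name__ == "__main__":
    for ip, s in detect_login_abuse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['failures']} failed logins, success={s['success']}")
```

A source that fails several times and then succeeds is exactly the default-credential guess shown above; in production the same logic would read the live access log and feed an alert.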

Now that we know the username and the password, we can run the exploit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhG28BZV4m_-7MeLP1%2Fimage.png?alt=media\&token=2530ee0b-af3b-49c3-82e2-958a125367a0)

Now we will create a simple PHP shell on the server so that we can run commands on it, since netcat is not allowed on the server; after uploading this shell, we can run a netcat reverse shell to get a shell on the server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhHoyu_RNftP9fWcIP%2Fimage.png?alt=media\&token=f40746b9-766b-41d8-aa54-6188e74e036f)

We can follow these steps, but there is an easier way to do this: first we run the exploit and then enter a python reverse shell, which will give us a shell on the machine.

So first we start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhQBf07DC6oCU4nY4c%2Fimage.png?alt=media\&token=c24fb68a-4baf-448e-9041-04da794da355)

Next we run the exploit.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhQO2x4gx8YrWm4A5q%2Fimage.png?alt=media\&token=6968f125-aa1a-4baf-a6eb-82a27a25b832)

Now we run a python reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhQVHcih2rQgBobyw9%2Fimage.png?alt=media\&token=6894829a-d621-432c-802a-13647828776b)

And we have a reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhQZcTfMXyJ7CWbCvd%2Fimage.png?alt=media\&token=0f667e78-18f9-408b-9e15-e571f425d686)

Let's stabilize the shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhQob2Lvy9jLfAa3PA%2Fimage.png?alt=media\&token=4206a0bb-660c-4754-8910-e2ac65f30303)

We are logged in as www-data.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhQu6Fo17Q2PYHUxyF%2Fimage.png?alt=media\&token=391a6a1c-cef9-4a78-b826-51c11be013c7)

## Privilege Escalation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhn_1ufLYSrdLpwBXs%2Fimage.png?alt=media\&token=9be01950-3f83-4d8e-afd5-4b01ffd2f359)

Let's follow these steps. First, let's find the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhoa4bk_DiEsEnLILw%2Fimage.png?alt=media\&token=68d9a9ec-284c-466a-8622-f630f7df6700)

Let's open this file with sqlite3 and check its contents.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhozOxUSvftOrkfW_4%2Fimage.png?alt=media\&token=ae24d2be-32e0-4025-bd3f-90c8bf8af6f1)

Let's copy the password hash for the user `wileec` and crack it using John the Ripper. Let's save the hash in a file called `hash`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhpL4_0iLVt77Y2zgn%2Fimage.png?alt=media\&token=a508ba51-dc0a-4a51-b4a5-5a134ca2ba66)

Let's now crack it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhpUbf9Vw3bIf-0M9G%2Fimage.png?alt=media\&token=6a2c658e-664b-499e-87f5-5004675dd10f)

Let's switch users to `wileec`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhtGNed8scJj0eB9VR%2Fimage.png?alt=media\&token=4aa9ae34-b4db-4aeb-971a-09b7b9c70e8e)

We can read the first flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhtk2TaaAo9HOlXBsx%2Fimage.png?alt=media\&token=416861cf-8b10-4a8a-894b-d69693b6df7c)

## Pivoting

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhuE35eS4c_N1QySPm%2Fimage.png?alt=media\&token=6fe795c4-0da8-4b61-a4d4-4e833efe7ca6)

Let's check the `id_rsa` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhuOnYcQ620DiOa2AF%2Fimage.png?alt=media\&token=8cfcf22e-1272-4ff7-b34c-fb8ba775f6e7)

Let's save the private key on our machine in a file called `id_rsa`, give it the right permissions, and log in through SSH.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhup2M1gkzFnZT6jHa%2Fimage.png?alt=media\&token=ff63a30b-5b5c-4aa9-b928-8678e07f854a)
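The pivot above works because a private key on the box was readable by an account that did not own it. As an added example (my own code, not the room's), here is a Python audit that walks a directory tree and reports private keys whose mode allows group or other access; it builds a constructed fake home tree with one `0644` key and one `0600` key, and the user names in it are invented.

```python
import os
import stat
import tempfile

# OpenSSH and PEM private keys start with "-----BEGIN ... PRIVATE KEY-----".
KEY_HEADER = b"-----BEGIN "


def looks_like_private_key(path):
    """Cheap content check so that random files named id_rsa are not reported."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(KEY_HEADER) and b"PRIVATE KEY" in head


def find_exposed_keys(root):
    """Return (path, mode) for every private key under `root` that is readable
    or writable by group or others, i.e. anything looser than 0600."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not looks_like_private_key(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                exposed.append((path, oct(mode)))
    return exposed


def build_demo_homes():
    """Constructed sample tree: alice's key is 0644 (exposed), bob's is 0600."""
    root = tempfile.mkdtemp(prefix="homes_")
    for user, mode in (("alice", 0o644), ("bob", 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "wb") as fh:
            fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     b"constructed-placeholder-not-a-real-key\n"
                     b"-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(key, mode)
    return root


if __name__ == "__main__":
    for path, mode in find_exposed_keys(build_demo_homes()):
        print(f"exposed private key: {path} (mode {mode})")
```

Run against a real `/home` it lists the keys a low-privileged user could copy off the host, which is the finding to fix before an attacker reaches the pivot step.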

You can use the same python command as before to get a good shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhv7kD9wTk5Xv9TzZX%2Fimage.png?alt=media\&token=6f036b3a-2dca-4a30-a1ab-43f258b83186)

We can now run sudo, so let's run `sudo -l` to see what we can run as other users.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhvTGzIgdME9pVbuS4%2Fimage.png?alt=media\&token=93b05af6-decd-47df-b17f-ed2df25d7dec)

Let's go to GTFOBins to find the command to switch users to `jsmith`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhveBlaUMw0jkB8Kcd%2Fimage.png?alt=media\&token=9e27c979-697f-492f-9787-34be2cd8c503)

Let's run these commands and switch users to `jsmith`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhwSKiZj4qmPn5JTzV%2Fimage.png?alt=media\&token=d8c8b0cc-fd64-4e82-a61c-b798e5355056)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhx-UGMPgpFwSHenTp%2Fimage.png?alt=media\&token=7a02ff48-2025-4200-9588-35c437b0edeb)

## Privilege Escalation 2

Let's run `sudo -l` to see what we can execute as other users and use that command to escalate privileges to root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-MdhxNMLhF1bVZH1Aidm%2Fimage.png?alt=media\&token=6140e7c2-0046-45b1-80bb-0eb5b0b89736)

We are now root. We can read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdh8Mu7XhVGp7fYdUCa%2F-Mdhx_kBITINIlkVOcXu%2Fimage.png?alt=media\&token=736932df-3882-4c95-aebe-a612741d6444)
