Erit Securus 1
Reconnaissance
Let's run an nmap scan to find open ports and services.
Webserver
Let's visit the site.
Looking through the site, we can see what it was built with.
Exploit
Let's look at the exploit the room gave us.
Let's download it to our machine and make the exploit file executable.
Now, let's look at the exploit.
Looking at the exploit, it looks like we need to supply a username and a password. First we need to find the login page so we can try some default usernames and passwords.
Let's search on Google for where the login page is located on Bolt CMS.
Let's go to /bolt.
We have a login page. Let's try logging in with default usernames and passwords.
After trying different credentials, I found the right ones:
Username: admin
Password: password
Now that we know the username and the password, we can run the exploit.
Now we will create a simple PHP shell on the server so that we can run commands on it. Netcat is not allowed on the server, so by uploading this shell we can run a netcat reverse shell to get a shell on the server.
We can follow these steps, but there is an easier way: first we run the exploit, then we run a Python reverse shell, which gives us a shell on the machine.
So first we start a netcat listener.
Next we run the exploit.
Now we run a Python reverse shell.
And we have a reverse shell.
Let's stabilize the shell.
We are logged in as www-data.
Privilege Escalation
Let's follow these steps. First, let's find the file.
Let's open this file with sqlite3 and check its contents.
Let's copy the password hash for the user wildone and crack it using John the Ripper. Let's save the hash in a file called hash.
Let's now crack it.
Let's switch users to wileec.
We can read the first flag.
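A defender-side check that ties the two findings above together (a default password on the admin account, and password hashes sitting in a SQLite file that other users can read). This is an added example, not part of the room or of Bolt CMS: the users table, the salted PBKDF2 hash scheme, the WEAK_PASSWORDS list and the file path are all constructed assumptions, not Bolt's real schema or hash format.

```python
import hashlib
import os
import sqlite3
import stat

# Assumed short deny-list; a real audit would use a much larger wordlist.
WEAK_PASSWORDS = ["password", "admin", "123456", "bolt"]

def make_hash(password: str, salt: str) -> str:
    """Hypothetical salted PBKDF2-SHA256 scheme used only for this demo."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
    return f"{salt}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    salt, _ = stored.split("$", 1)
    return make_hash(password, salt) == stored

def build_demo_db(path: str) -> None:
    """Constructed sample data: one default-password account, one strong one."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    rows = [("admin", make_hash("password", "s1")),
            ("editor", make_hash("correct horse battery staple", "s2"))]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    conn.commit()
    conn.close()

def find_weak_accounts(path: str) -> list:
    """Return usernames whose stored hash matches a WEAK_PASSWORDS entry."""
    conn = sqlite3.connect(path)
    weak = [user for user, stored in
            conn.execute("SELECT username, password FROM users")
            if any(verify(p, stored) for p in WEAK_PASSWORDS)]
    conn.close()
    return weak

def readable_by_others(path: str) -> bool:
    """True if group or world read bits are set on the database file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path: str) -> dict:
    return {"weak_accounts": find_weak_accounts(path),
            "db_readable_by_others": readable_by_others(path)}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "demo.db")  # assumed path, not Bolt's real one
        build_demo_db(db)
        print(audit(db))
```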
Pivoting
Let's check the id_rsa file.
Let's save the private key on our machine in a file called id_rsa, set its permissions, and log in through SSH.
You can use the same Python command to get a good shell.
We can now run sudo, so let's run sudo -l to see what we can run as other users.
Let's go to GTFOBins to find the command to switch users to jsmith.
Let's run these commands and switch users to jsmith.
Privilege Escalation 2
Let's run sudo -l to see what we can execute as other users, and use that command to escalate privileges to root.
We are now root. We can read the root flag.