Inclusiveness PG
Let’s hack the target 🤭
NMAP SCAN
Anonymous FTP is enabled, but there’s nothing on the server 🙂
Let’s proceed to port 80 (HTTP).
We see the Apache default page,
so let’s check robots.txt.
We can’t view its content from the web 😯😯
We can bypass that by changing the User-Agent, which is easy with curl:
yeah
curl -s --user-agent Googlebot http://192.168.204.14/robots.txt -v
we can see the new endpoint /secret_information/
Note on DNS zone transfer: I don’t think this box has anything to do with that.
so clicking on the language hyperlink showed this
screaming file inclusion lool
we have lfi fr
Recall that we can write to the /pub directory on the FTP server,
so we can upload our shell there and load it through the web server via the FTP path, which spawns a reverse connection.
set your netcat and load the shell
spawn it
PRIVILEGE ESCALATION
So, the find command gave a list of programs that have the SUID bit set, among which I noticed /home/tom/rootshell.
Inside /home/tom/ I found the rootshell.c source file and a compiled binary, rootshell, that has SUID permissions.
According to this piece of code, when the file is executed it runs the “whoami” program for validation: if the output is “tom” you get a privileged shell, otherwise it just prints the user ID that is currently logged in.
In simple words, the rootshell program gives a high-privilege shell if the output of the whoami program is “tom”.
You can easily take advantage of this configuration by abusing the PATH lookup. Here we create a file named “whoami” in the /tmp directory containing the following bash code, which simply prints “tom”:
cd /tmp
echo 'printf "tom"' > whoami
chmod 777 whoami
Prepend /tmp to the PATH variable with the following command; echoing PATH afterwards confirms that /tmp is now searched first.
export PATH=/tmp:$PATH
echo $PATH
Execute the rootshell
cd /home/tom;./rootshell
And we are done.
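For comparison, here is a defender-side version of the check rootshell should have made, as an added example (this is not the box’s rootshell.c, and the function names are my own): the caller is resolved from the kernel’s real uid with getpwuid(getuid()) instead of from the output of whoami, and PATH is audited for entries such as /tmp before anything is executed.

```c
// Added example, not the box's rootshell.c: the identity check done safely,
// plus a PATH audit. Function names are the author's own (hypothetical).
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

// rootshell shelled out to `whoami` and let PATH decide which binary ran.
// Asking the kernel for the real uid leaves nothing for PATH to redirect.
int caller_is(const char *name) {
    struct passwd *pw = getpwuid(getuid());
    return pw != NULL && strcmp(pw->pw_name, name) == 0;
}

// Returns 1 if any PATH entry could be controlled by an unprivileged user:
// empty or relative (resolves to the cwd), missing (could be created),
// not a directory, or writable by others (e.g. /tmp). Otherwise returns 0.
int path_has_untrusted_entry(const char *path) {
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char entry[4096];
        if (len == 0 || p[0] != '/' || len >= sizeof entry) return 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        struct stat st;
        if (stat(entry, &st) != 0 || !S_ISDIR(st.st_mode) ||
            (st.st_mode & S_IWOTH)) return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

// Stand-alone use: refuse to run at all when PATH looks tampered with.
int main(void) {
    const char *path = getenv("PATH");
    if (path == NULL || path_has_untrusted_entry(path)) {
        fprintf(stderr, "refusing to run: PATH contains an untrusted entry\n");
        return 1;
    }
    printf("caller is tom: %s\n", caller_is("tom") ? "yes" : "no");
    return 0;
}
```

With PATH=/tmp:$PATH as in the walkthrough, the audit trips on /tmp (world-writable) and the program never reaches the identity check.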
Thank you 🔥.