2. User
2.1 WEB Enumeration
2.2 Initial Shell
2.3 User Flag
3. Priv Esc
Scripts/Tools used:
1. nmap: https://nmap.org/download.html
2. ffuf: https://github.com/ffuf/ffuf
3. shells: https://github.com/Xh4H/Web-Shells
1. Portscan:
The portscan result shows that 2 ports are open.
2. User
2.1 WEB Enumeration
Visiting the web site shows that it has been compromised and that a backdoor was left behind by the creator of the box (Xh4H). The only thing I have so far is the creator's name, so my next move is to google it, and the search gave me everything I needed.
He left a backdoor for us, so I looked through all his repositories and ended up at Web-Shells. I made a list of all the available web shells and, with ffuf, found the valid one.
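From the defender's side, the fuzzing step above leaves a characteristic trace in the web server's access log: one client producing a burst of 404s, then a 200 on the file it was looking for. The Python below is an added example written for this writeup, not the author's tooling and not code from the box. It runs over constructed Apache/nginx combined-format log lines (the IPs, timestamps and the "Fuzz Faster U Fool" User-Agent are sample values); the User-Agent check is only a secondary hint, since any client can set its own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx "combined" format); IPs, times
# and User-Agent strings are sample values, not captures from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [11/Mar/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.10.14.7 - - [11/Mar/2020:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.0"
10.10.14.7 - - [11/Mar/2020:10:00:02 +0000] "GET /backup.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.0"
10.10.14.7 - - [11/Mar/2020:10:00:02 +0000] "GET /upload.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.0"
10.10.14.7 - - [11/Mar/2020:10:00:03 +0000] "GET /test.php HTTP/1.1" 404 274 "-" "Fuzz Faster U Fool v1.0"
10.10.14.7 - - [11/Mar/2020:10:00:03 +0000] "GET /smevk.php HTTP/1.1" 200 5120 "-" "Fuzz Faster U Fool v1.0"
10.10.14.9 - - [11/Mar/2020:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 274 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_fuzzers(lines, window_seconds=60, threshold=20):
    """Clients that produced at least `threshold` 404s inside any `window_seconds`
    span. Returns {ip: peak number of 404s seen in one window}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def scanner_user_agents(lines):
    """Secondary signal: clients whose User-Agent names a fuzzing tool. Trivial
    to change on the client side, so treat it as corroboration, not proof."""
    return sorted({rec["ip"] for rec in map(parse_line, lines)
                   if rec and "fuzz" in rec["ua"].lower()})


def hits_after_fuzz(lines, flagged):
    """For each flagged client, the paths it fetched with a 200: if a fuzzer
    got a hit, that file is the first thing to review in the webroot."""
    found = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and rec["ip"] in flagged and rec["status"] == 200:
            found[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in found.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    fuzzers = find_fuzzers(lines, threshold=3)  # low threshold for the tiny sample
    print("fuzzing clients:", fuzzers)
    print("scanner UAs:", scanner_user_agents(lines))
    print("files they found:", hits_after_fuzz(lines, fuzzers))
```

The 404-burst rule is the one worth alerting on; a real log needs the default threshold or higher, and the demo only lowers it because the sample has a handful of lines.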
2.2 Initial Shell
smevk.php
username: admin
password: admin
The shell gave me access to the "webadmin" account. I then upgraded to a proper SSH shell by appending my SSH public key to /home/webadmin/.ssh/authorized_keys.
2.3 USER.txt
After getting a first shell, the first thing that comes to mind is which commands the current user is allowed to run, so I checked with sudo -l: webadmin can run /home/sysadmin/luvit with no password. Following the note the sysadmin left in webadmin's home directory, I looked up lua on GTFOBins.
That is all that is needed to get another shell, this time as sysadmin.
3. Priv Esc
With pspy, I found that some files get executed with root permissions on every SSH login. As sysadmin I had permission to read and write these files, so I altered the 00-header file and logged in again.
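Both the sudo rule found in 2.3 and the writable login script used in 3 are misconfigurations a host audit can catch before anyone chains them. The Python below is an added example written for this writeup, not the author's tooling and not code from the box. risky_sudo_rules() parses a constructed sudoers fragment and flags NOPASSWD rules that point at interpreters or at binaries outside system paths; audit_motd_dir() checks a directory of login-time scripts (assumed, as on Ubuntu, to be /etc/update-motd.d, where a 00-header script lives) for files a non-root user could edit; make_demo_dir() builds a throwaway stand-in for that directory so the check can be exercised without root.

```python
import os
import re
import stat
import tempfile

# Where root is expected to run helpers from; a NOPASSWD rule pointing anywhere
# else (a home directory, /tmp) deserves a second look.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/local/bin/", "/usr/local/sbin/")
# Binaries that hand the caller arbitrary code execution as the run-as user.
INTERPRETERS = {"lua", "luvit", "python", "python3", "perl", "ruby", "node", "bash", "sh"}

SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s+"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed sudoers fragment (not the box's real file) containing a rule of the
# shape the writeup found with `sudo -l`.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/luvit (constructed sample)
root     ALL=(ALL:ALL) ALL
sysadmin ALL=(root) NOPASSWD: /usr/bin/systemctl restart ssh
webadmin ALL=(sysadmin) NOPASSWD: /home/sysadmin/luvit
"""


def risky_sudo_rules(text):
    """Return (user, runas, path, reasons) for each NOPASSWD rule worth reviewing."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            if not cmd.strip():
                continue
            path = cmd.strip().split()[0]
            reasons = []
            if not path.startswith(SYSTEM_PREFIXES):
                reasons.append("binary outside system paths")
            if os.path.basename(path) in INTERPRETERS:
                reasons.append("interpreter: arbitrary code as " + m.group("runas"))
            if reasons:
                findings.append((m.group("user"), m.group("runas"), path, reasons))
    return findings


def writable_by_untrusted(path, trusted_uid=0, trusted_gids=(0,)):
    """Reasons a user other than the trusted owner could change this path."""
    st = os.lstat(path)
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        reasons.append(f"writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")
    return reasons


def audit_motd_dir(directory="/etc/update-motd.d", trusted_uid=0, trusted_gids=(0,)):
    """Check the directory itself (a writable dir lets anyone add a script) and
    every script in it. Returns {path: reasons} for unsafe entries."""
    findings = {}
    if not os.path.isdir(directory):
        return findings
    entries = [directory] + [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    for path in entries:
        reasons = writable_by_untrusted(path, trusted_uid, trusted_gids)
        if reasons:
            findings[path] = reasons
    return findings


def make_demo_dir():
    """Constructed stand-in for /etc/update-motd.d: one sane script and one that
    a low-privileged account could edit (world-writable). Returns the dir path."""
    d = tempfile.mkdtemp(prefix="motd-demo-")
    for name, mode in (("00-header", 0o755), ("50-landscape", 0o777)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho banner\n")
        os.chmod(p, mode)
    return d


def audit_demo_dir():
    """Audit make_demo_dir(), trusting the current user as the owner (standing in
    for root); keys are basenames, "." for the directory itself."""
    d = make_demo_dir()
    trusted_gids = {os.getgid(), *os.getgroups()}
    findings = audit_motd_dir(d, trusted_uid=os.getuid(), trusted_gids=trusted_gids)
    return {os.path.relpath(p, d): why for p, why in findings.items()}


if __name__ == "__main__":
    for rule in risky_sudo_rules(SAMPLE_SUDOERS):
        print("sudo:", rule)
    for name, why in audit_demo_dir().items():
        print("motd demo:", name, ", ".join(why))
    for path, why in audit_motd_dir().items():  # the real directory, if present
        print("motd:", path, ", ".join(why))
```

On the box in the writeup the flagged sudo rule is the luvit one, and the login scripts would show up as owned or writable by sysadmin rather than root; on a clean Ubuntu host audit_motd_dir() returns nothing.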