Proving Ground - Linux

Extplorer

Initial ⇒ Open-source, Default Creds, File upload; Privesc level 1 ⇒ Enumeration, Creds; Privesc level 2 ⇒ Disk partition exploitation
  1. Nmap gives 22 and 80, and dir enum gives /filename, on which the extplorer application is running with its login page; the default creds work and we get inside.

  2. We can also upload a PHP shell and get a rev shell as user www-data. Inside, I found the hash for user dora in /var/www/html/filename/config > .htusers.php

  3. Inside the shell as dora, running id shows membership of the disk group, which we can exploit using debugfs to get root.

KeyVault

Initial ⇒ File upload, rsync, Command Injection; Privesc ⇒ Reverse Engineering, ---
  1. Nmap gives 22, 80, 874

  2. The website is a file scanner application that provides upload functionality and then shows the virus scan output. After a lot of attempts at uploading files, the thing that finally works is uploading the file with a php3 extension.

  3. When navigating to the file, the application just renders it instead of giving a rev-shell.

  4. Using rsync gives the source file upload.php, which shows that the filename is passed directly through a set of bash commands (basically running the virus scan on it).

  5. The file-upload functionality was a [RABBIT-HOLE]; we can perform command injection in the filename parameter.

  6. After inserting a rev-shell in the filename we got the shell.

  7. For privesc, there is a binary /opt/apache-restart, which on execution directly supplies the root password.
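The two upload weaknesses in these notes (a php3 file getting past the extension check, and the filename being handed straight to a bash pipeline for the scan) come from the same root cause: trusting the client-supplied name. The following is an added example, not the box's real upload.php; it puts the unsafe pattern next to a hardened one. Assumed: the scanner is invoked as clamscan, the upload arrives in $_FILES['file'], and $uploadDir is outside the web root.

```php
<?php
// Added example (hypothetical code, not the KeyVault box's upload.php).

// UNSAFE: the client filename is interpolated into a shell command line, so
// metacharacters in the name become extra commands. No extension allow-list
// means .php3 and friends are stored and, if served from the web root, executed.
function scanUploadUnsafe(string $uploadDir): string
{
    $dest = $uploadDir . '/' . $_FILES['file']['name'];   // attacker-controlled bytes
    move_uploaded_file($_FILES['file']['tmp_name'], $dest);
    return (string) shell_exec("clamscan --no-summary $dest"); // /bin/sh parses $dest
}

// HARDENED: never reuse the client name, allow-list the extension, and run the
// scanner without a shell so the path is always exactly one argument.
function scanUploadSafe(string $uploadDir, array $allowedExt = ['txt', 'pdf', 'png']): string
{
    // Allow-list beats a deny-list of .php variants (.php3, .phtml, ...).
    $ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: no user bytes reach the filesystem or the command line.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    // proc_open with an argv array (PHP >= 7.4) executes clamscan directly,
    // bypassing /bin/sh entirely; '--' stops the path being read as an option.
    $proc = proc_open(
        ['clamscan', '--no-summary', '--', $dest],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start scanner');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

Keeping $uploadDir outside the web root also removes the "navigate to the file" step entirely: the stored file is scanned, never served.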

Flimsy

Initial ⇒ Open-source Exploit; Privesc ⇒ --

Surf

Initial ⇒ Login Bypass, Open-source Exploit (RCE), SSRF; Privesc Level 1 ⇒ Database Creds; Privesc Level 2 ⇒ sudo -l, overwrite script/file.php
  1. On 80, the website is running a login page which can be bypassed by decoding the base64 value and changing {success = false} ⇒ {success = true}

  2. Inside the application, the page checkserver.php runs a server that is vulnerable to SSRF, but that is of no use; the software is phpfusion, which has an open RCE exploit.

  3. After getting a shell as www-data we can get the database creds, which work for user james as well; file :- /var/www/server/administration/config/config.php

  4. Running sudo -l shows we can run php on the file /var/backups/database-backup.php

  5. As user www-data, we can overwrite it and insert a rev-shell, then execute it as james ⇒ root.
