Nmap

Port 80

/admin
/assets
/admin/backup

The login page at the first one is only HTML and not PHP, so I try to look at /admin instead. Tried with admin:admin, but it's not working.

I try to look at /admin/backup and find the same thing?

But again nothing… After enumerating some more, I thought I should give parameter enumeration a try. I wrote my own tools, which you can get from the references below!

python ezpzLFI.py paramlfi 'http://IP/admin/backup/index.php'

Found a possible one. Let's check the parameter id.

Okay, I never thought it could have a SQL error. I tried sqlmap and managed to dump credentials.

sqlmap -u 'http://IP/admin/backup/index.php?id=1' -D db -T users --dump

Let's try another possible parameter, which is file.

Found one user, which is charlotte. Now I have possible credentials to try. I tried manually inputting each one on port 80, but it's not working.

Charlotte (User)

At first, I thought this one could give me something, but after doing some research, it turned out to be Cockpit (server administration), through which I could get access to the server if I managed to get authenticated. Tried some usernames and passwords but couldn't get access. Then I remembered charlotte, the only user on the machine. Tried that with the admin password and finally got access.

There is a terminal inside.

Let’s get a reverse shell!

Root

#Suid
find / -perm /4000 2>/dev/null
#Capabilities
getcap / -r 2>/dev/null

Later I found that there is cap_setuid on /usr/bin/old.

I tried to run the binary and found out that it is running Python 2.7.16!

Since it has the setuid capability, this one-liner could get me root.

/usr/bin/old -c 'import os; os.setuid(0); os.system("/bin/bash")'
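The two enumeration commands above (find for SUID bits, getcap for file capabilities) are exactly what an administrator should be running too, because a cap_setuid on a renamed interpreter is trivially a root shell. The script below is an added example, not code from the writeup or from the box; it reads the text output of those commands and flags what a defender would want to catch. The getcap and find samples are constructed inline (so it runs offline and covers both libcap print formats), and ALLOWED_SUID is a hypothetical baseline; on a live host you would pipe the real `getcap -r / 2>/dev/null` and `find / -perm /4000 2>/dev/null` output into the functions and take the allowlist from a known-good install.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit getcap/find output
# for the two things that made this box fall, a file capability that lets a
# program change its own uid, and SUID files that are not expected to be there.

# Constructed getcap output covering both libcap print styles:
# old "path = caps" and newer "path caps". /usr/bin/old mirrors the writeup.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/old = cap_setuid+ep
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/local/bin/helper cap_setuid,cap_setgid=eip'

# Constructed `find / -perm /4000` output; /tmp/.x is the planted oddity.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/tmp/.x'

# Hypothetical allowlist of SUID binaries expected on the host. A real
# baseline comes from a known-good install or the package manager's file list.
ALLOWED_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount'

# flag_setuid_caps GETCAP_TEXT
# Prints the path of each file carrying cap_setuid or cap_setgid. Either one
# lets the program switch identity, which is why the renamed Python
# interpreter in /usr/bin/old was a root shell waiting to happen.
flag_setuid_caps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}   # the path is the first whitespace-delimited field
        case "$line" in
            *cap_setuid*|*cap_setgid*) printf '%s\n' "$path" ;;
        esac
    done
}

# unexpected_suid FIND_TEXT
# Prints every SUID path that is not on the allowlist. grep -Fx forces a
# whole-line literal match, so /usr/bin/su does not "match" /usr/bin/sudo.
unexpected_suid() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$ALLOWED_SUID" | grep -Fxq -- "$path"; then
            :   # known-good SUID binary, nothing to report
        else
            printf '%s\n' "$path"
        fi
    done
}

# Usage on the constructed samples:
echo '== files with cap_setuid/cap_setgid =='
flag_setuid_caps "$SAMPLE_GETCAP"
echo '== SUID files not on the allowlist =='
unexpected_suid "$SAMPLE_SUID"
```

Both functions only parse text, so they work on saved output from a fleet of hosts as well as on a live shell; the interesting follow-up for any flagged path is `file` or a version check, which is how the writeup discovered that /usr/bin/old was really Python.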

Enjoy the box! Thank you mindsflee :)

References

