Link to the machine:

Enumeration

Using nmap, I found 2 open ports.

Web Fuzzer

Since the page showed the Apache default page, I tried to brute-force directories using dirsearch with a common wordlist.

dirsearch

Let’s take a look at robots.txt. Nothing special, but it says to enumerate more!!

robots.txt

Let’s take a look at user.txt. I found a base32 string inside user.txt, so we can decode it using CyberChef.

I was stuck here for a while, so I used a different wordlist, the big wordlist from SecLists, and found a new directory, /findme.

/findme

Let’s open catchme.php

From here, maybe we have a parameter cmd to execute commands. Let’s try id.

Nice! Let’s get a reverse shell; for this one I use python3 :)

Root

As I managed to get a shell as www-data, it’s time to enumerate more. First, let’s enumerate SUID binaries.

find / -perm -u=s -type f 2>/dev/null
/home/meow/MeowMeow

So I found MeowMeow. Usually, I first run the SUID binary to see what it outputs.

It seems to run the command id, hmm... I do not have read permission on this SUID binary, so going on instinct, let’s assume that it runs the command id, and maybe I can try to hijack the PATH.

Rooted! Enjoy this machine and feel free to try it :) Thanks to the creator.
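From the defender's side, the PATH problem above goes away when a setuid helper starts its child by absolute path with a fixed environment. The following is an added example, not MeowMeow's source (which is not readable on the box) and not code from the original post. The name run_fixed, the /usr/bin/id location and the system("id") pattern shown in the comment are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/*
 * Run a helper by absolute path with a fixed environment (hypothetical name).
 * Returns the child's exit status, or -1 if the request is refused or fails.
 * execve() performs no PATH search, so the caller's PATH cannot redirect it.
 */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse bare names such as "id" */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                     /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Assumed vulnerable pattern, shown for contrast only:
     *     system("id");   // the shell looks "id" up through the caller's PATH
     */
    char *const argv[] = { "id", NULL };
    int rc = run_fixed("/usr/bin/id", argv);   /* assumed location of id */
    printf("helper exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```
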

Reference

twitter author
