Enumeration

Nmap

The initial nmap scan revealed an SSH port, an HTTP port, the non-standard ports 4505 and 4506 (which run ZeroMQ), and another HTTP service on port 8000.

[Screenshot 00 - nmap]

Web Enumeration

I tried everything from SQL injection to brute forcing, and none of it worked. Fuzzing revealed that a sitemap.xml file is accessible, but it did not contain any information I did not already know.

[Screenshot 01 - sitemap xml]

Then I found that port 8000 returns a different response header, with the value saltapi 3000-1.

[Screenshot 02 - salt api]

I googled it and found out that it was vulnerable to RCE.

[Screenshot 03 - salt api]

Exploitation (Directly Root)

I tried to run reverse shells, but none of them worked. Then I tried reading files and found out that I could read the passwd and shadow files. I tried to brute-force the root password, but it did not work.

[Screenshot 04 - read passwd]

Then I thought that if I could read the shadow file, I was probably already running as root. So I tried to update the passwd file with this simple command:

pw=$(openssl passwd Password123); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> passwd

This added a new root user (UID 0) with the password Password123.
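A defender-side check for exactly this persistence trick, added here as an example and not part of the original post: it parses passwd-format text and flags any UID 0 account other than root and any entry carrying a hash inline instead of the usual x. The sample file and the hash value in it are constructed, not real crypt output.

```python
"""Audit /etc/passwd for rogue UID-0 accounts and inline password hashes."""
from dataclasses import dataclass

# Constructed sample: a normal passwd file with an appended rogue entry of the
# kind produced by `echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> passwd`.
# The hash value is a placeholder, not a real crypt output.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:x:1000:1000:bob:/home/bob:/bin/bash
r00t:$1$CONSTRUCTED$placeholderhashvalue:0:0:root:/root:/bin/bash
"""

# Second-field values meaning "hash lives in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", ""}


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return a Finding for every suspicious entry in passwd-formatted text."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, raw, "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if user in seen:
            findings.append(Finding(line_no, user, "duplicate username"))
        seen.add(user)
        if not uid.isdigit():
            findings.append(Finding(line_no, user, f"non-numeric UID {uid!r}"))
        elif int(uid) == 0 and user != "root":
            findings.append(Finding(line_no, user, "UID 0 account other than root"))
        if pw not in SHADOWED_OR_LOCKED:
            findings.append(Finding(line_no, user, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

On a live host, feed it the contents of /etc/passwd and alert on any finding; a file-integrity monitor on /etc/passwd and /etc/shadow catches the append itself, and the resulting SSH login shows up in auth logs as a UID 0 session under an unexpected username.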

[Screenshot 05 - saved passwd]

[Screenshot 06 - updated]

Then I simply got a root shell over SSH.

[Screenshot 07 - got the root]
