Enumeration

Nmap

The initial Nmap scan revealed that ports 8080 and 8081, along with the SMB and SSH ports, were open.

00 - nmap

SMB NULL

SMB guest login was enabled, but no useful share was available.

01 - smb guest login

WEB Enumeration

I visited the website on port 8081, which forwarded me to port 8080. It was the Exhibitor application.

02 - 8081 to exhibitor

I searched for the version and found that it had an RCE vulnerability.

03 - exploit

Exploitation

I simply followed the steps, executed the exploit, and got a reverse shell.

04 - revshell

05 - got the shell

Then I read the user flag.

06 - user flag

Privilege Escalation

The user had sudo privileges on the gcore binary.

07 - sudo l

Gcore exploitation

After reading https://gtfobins.github.io/gtfobins/gcore/, I understood that gcore is used to dump process memory.

So I listed the processes with ‘ps aux’ and found one named password-store.

08 - suspicious password

So I used my sudo privileges to dump that process.

09 - gcore

Then I analyzed the dump and found a plaintext password.

10 - sus

The password was the root password, so I simply got a root shell.

11 - root
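
A defensive check for the sudo misconfiguration used above, added here as an example and not part of the original write-up: it scans sudoers rules for entries that let a user run gcore (or gdb, which gcore wraps) as root. The sample rules, user names and paths are constructed, and the parser assumes one rule per line with no aliases.

```python
import re

# gcore is the binary from this write-up; gdb is included because gcore is a
# wrapper script around it. Both can read another process's memory as root.
MEMORY_DUMPERS = {"gcore", "gdb"}

# Constructed sudoers content; users and paths are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
%admin ALL=(ALL) ALL
appuser ALL=(root) NOPASSWD: /usr/bin/gcore
backup ALL=(root) /usr/bin/rsync, /usr/bin/gdb -p *
deploy ALL=(deploy) NOPASSWD: /usr/bin/gcore
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def risky_rules(sudoers_text):
    """Return (user, command, nopasswd) for rules running a memory dumper as root."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.groups()
        # No Runas spec means root; "user:group" keeps only the user part.
        users = {u.strip() for u in (runas or "root").split(":")[0].split(",")}
        if not users & {"root", "ALL"}:
            continue  # dumping as an unprivileged user is not covered here
        nopasswd = False
        for cmd in (c.strip() for c in cmds.split(",")):
            # Tags such as NOPASSWD: carry over to the commands that follow.
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if binary in MEMORY_DUMPERS:
                findings.append((who, cmd, nopasswd))
    return findings


if __name__ == "__main__":
    for who, cmd, nopasswd in risky_rules(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} (NOPASSWD={nopasswd})")
```

A blanket `ALL` command grant also covers gcore but is not reported by this check, which only looks for the explicitly named binaries.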

