JISCTF
Nmap
Checking out port 80 directs us to a login page on /login.php.
Running dirsearch.py against the web server reveals robots.txt.
The contents of robots.txt are shown below:
Browsing to /admin_area shows the page below.
Viewing the source reveals sensitive information:
We can then log in to /login.php with the credentials shown above. The following page reveals a web page for uploading files.
I then uploaded a PHP reverse shell which, after upload, showed a 'success' status message. Knowing the directory /uploaded_files/ exists, we can then browse to this followed by the uploaded file's name: http://192.168.152.25/uploaded_files/phpshell.php.
The page should hang and we will receive a shell on our netcat listener.
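The upload step works because the application stores a client-named .php file in a directory the web server will execute. A hardened handler for that step, as an added example that is not the target application's code; the form field name `file`, the image-only allow-list and the storage path are assumptions:

```php
<?php
declare(strict_types=1);

// Assumption: the upload feature only needs to accept images.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
// Assumption: a storage directory outside the web root, so nothing in it is reachable by URL.
const STORAGE_DIR = '/var/app-data/uploads';

/** Return a server-chosen file name for an acceptable upload, or null to reject it. */
function safe_upload_name(string $tmpPath, int $maxBytes = 2000000): ?string
{
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Decide the type from the file content, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }
    // Reject data that carries an image signature but does not parse as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // Random name plus an extension taken from the allow-list: the client never
    // controls the stored name, so a ".php" suffix cannot reach the disk.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

// Hypothetical form field name "file".
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['file']['tmp_name'];
    $name = safe_upload_name($tmp);
    if ($name === null || !move_uploaded_file($tmp, STORAGE_DIR . '/' . $name)) {
        http_response_code(400);
        exit('Upload rejected');
    }
    echo 'Stored';
}
```

A file can be a valid image and still contain PHP, so the content check alone is not the control: the server-chosen extension and a storage location the web server never executes or serves directly are what stop an uploaded file from running.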
I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:
From here I transferred over linpeas from my attacking machine and let it run. The script picks up the username 'technawi', which is an alternative user on the box.
Running cat on the credentials.txt reveals login information. We can then use su to switch to the technawi user.
Checking sudo -l against the user reveals we can run any command as any user on this machine.
We can then run the command below to spawn a root shell.