Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 06:34:17 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/HackMyVM/Pwned.md
AbdullahRizwan101 d5ebb8e378
Add files via upload
2021-01-13 10:04:39 +05:00

99 lines
No EOL
2.5 KiB
Markdown
Raw Blame History

# HackMyVM-Pwned
## NMAP
```
Nmap scan report for 192.168.1.7
Host is up (0.00020s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:56:AD:A9 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
```
## PORT 80
<img src="https://imgur.com/hdhpc0j.png"/>
Looking at the source we can see a comment at the bottom of the page
<img src="https://imgur.com/EGXNHqD.png"/>
I ran gobuster
<img src="https://imgur.com/eWbZgcm.png"/>
From fuzzing the directories `/nothing` led me to actually nothing
<img src="https://imgur.com/TqHtgE6.png"/>
However `/hidden_text` was intersting.
<img src="https://imgur.com/fvh7Wy4.png"/>
Which was like wordlist or maybe there directories exists on the machine.So using this wordlist it came back with a `pwned.vuln` file
<img src="https://imgur.com/AkKUnqa.png"/>
<img src="https://imgur.com/8wHfNvu.png"/>
Looking at the source code again
<img src="https://imgur.com/2HJCZSX.png"/>
These were infact credentials for ftp server
<img src="https://imgur.com/0HGS6yw.png"/>
<img src="https://imgur.com/kCdsA41.png"/>
The note says
```
Wow you are here
ariana won't happy about this note
sorry ariana :(
```
This is private key belongs to user `ariana` so we can ssh into the box with this.
<img src="https://imgur.com/JhfIbWO.png"/>
Run `sudo -l` to see what we can run as root or as other user
<img src="https://imgur.com/AvXO29D.png"/>
<img src="https://imgur.com/wsu4v6y.png"/>
Transfer linpeas on the box
<img src="https://imgur.com/DCll2PT.png"/>
Right at the start it says that the user is `docker` group and we can privesc abusing it
<img src="https://imgur.com/7n2jqdH.png"/>
Visting GTFOBINS for any privesc on docker
<img src="https://imgur.com/JctoUvu.png"/>
<img src="https://imgur.com/kwkqfOu.png"/>
And we are root !!!
fb8d98be1265dd88bac522e1b2182140
711fdfc6caad532815a440f7f295c176
4d4098d64e163d2726959455d046fd7c
Reference in a new issue View git blame Copy permalink