Run nmap against $IP.

nmap -Pn -sC -sV -oN nmap/initial $IP. As you can see we have two open ports: "22" running an Apache web server and "80" running SSH. Yeah, this is strange, I know.
Web page on $IP port 22.

Once nmap has finished, go to the web page and we can see that we cannot
access it because Firefox is blocking the port. So let's sort that out:
Firefox > about:config.

In the search field type: network.security.ports.banned.override. If the string does not exist, press the left click of your mouse, choose "New" then "String", type "network.security.ports.banned.override" and then enter the port, "22" in this case.
Now we should have access to the website. Great, isn't it?

Now if we look at the source code we'll find the following data.

This is a base64-encoded string; go decode it. Watch out: there is a directory to recover the password, shown in the string just above the encoded one. Go decode it.
Hidden message and possible password.

We'll find a string wrapped in the following encoding chain: Base32 > Hex > ROT13. Let's decode it.
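As an added example (not from the original writeup), a small Python helper that peels off the Base32 > Hex > ROT13 layers described above; it assumes the layers are listed in the order they must be decoded (outermost first), and the sample strings are constructed here, not the box's real strings.

```python
import base64
import codecs

# Each layer name maps to a function that removes that layer from a str.
DECODERS = {
    "base64": lambda s: base64.b64decode(s).decode("ascii"),
    "base32": lambda s: base64.b32decode(s).decode("ascii"),
    "hex": lambda s: bytes.fromhex(s).decode("ascii"),
    "rot13": lambda s: codecs.decode(s, "rot_13"),
}

# Mirror of DECODERS, used only to build constructed samples.
ENCODERS = {
    "base64": lambda s: base64.b64encode(s.encode("ascii")).decode("ascii"),
    "base32": lambda s: base64.b32encode(s.encode("ascii")).decode("ascii"),
    "hex": lambda s: s.encode("ascii").hex(),
    "rot13": lambda s: codecs.decode(s, "rot_13"),
}


def decode_layers(blob, layers):
    """Peel the named layers off `blob`, outermost layer first."""
    text = blob
    for name in layers:
        if name not in DECODERS:
            raise ValueError(f"unknown layer: {name}")
        text = DECODERS[name](text)
    return text


def encode_layers(plaintext, layers):
    """Apply the layers in reverse so decode_layers(result, layers) == plaintext."""
    text = plaintext
    for name in reversed(layers):
        text = ENCODERS[name](text)
    return text


# The chain the writeup found: Base32 on the outside, ROT13 innermost.
CHAIN = ["base32", "hex", "rot13"]

# Constructed sample: "hi" -> ROT13 "uv" -> hex "7576" -> Base32 "G42TONQ="
SAMPLE = "G42TONQ="

if __name__ == "__main__":
    print(decode_layers(SAMPLE, CHAIN))  # hi
    print(decode_layers(encode_layers("the hint lives here", CHAIN), CHAIN))
```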
We have the following message!
"""Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S"""
Now go read the hidden data in the image we found on the website.


We found two interesting files called "creds.txt" and "cmc.creds"; go get these files and read them.

Now we have the user and password, great! Log in, and then we can see that we have command execution. Great!

At the end of the URL add the following: "$IP:22/nnxhweOV/index.php?cmd=whoami" and we'll see this.

We can set up netcat to catch a session, let's go!
Once you are in the session you can read the "jack_password_list".

Save these passwords into a list and use hydra to crack them! Look at this screen where I found the password for "Jack".

Great! So when we log in to the SSH service we find a user.jpg file. We can download this image by running "python -m SimpleHTTPServer" on Jack's machine and then "wget $jack'sip:8000/user.jpg", because Python listens on port "8000" by default. Then open the image and you can see the user flag!

We have the user flag. Congratulations, but the root flag is missing; go find it. For privilege escalation we'll use the command "strings", which allows us to read files as root. Read the root file with this command: "/usr/bin/strings /root/root.txt" and we obtain the flag.

Thank you for reading my first writeup! Have fun and happy hacking :)

Great content!! Thank you very much.