NMAP Scanning
I added the address to /etc/hosts and opened the web page.
Upon clicking the link, it asks for credentials.
As I did not have any credentials, I got the page below.
I viewed the page source and found the photobomb.js file.
After opening that file, I got the credentials.
Username: pH0t0
Password: b0Mb!
I logged in using the above credentials.
After logging in, we saw that it is an image downloading service.
So we intercepted the request and began testing all 3 parameters. I started http.server and tried to inject a curl command.
For the photo parameter, I got the response and it seems that it is not vulnerable.
For the filetype parameter, I got the response on our server, so this might be vulnerable.
So I decided to generate a reverse shell command and started netcat.
After injecting the above snippet, I got the user shell.
I got the user flag.
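The filetype result above is what you see when a request parameter reaches a shell command line. As an added example (not code from the target application or from this write-up), the Python below contrasts a string-built command with an allowlisted argv list. The function names, the allowlist, the filename pattern and the use of a `convert` binary are assumptions.

```python
import re
import shlex

# Assumptions (not from the original page): handler names, the allowlist,
# the photo filename pattern and an external `convert` binary.
ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"[A-Za-z0-9_-]+\.jpg")


def build_command_unsafe(photo, filetype):
    """The 'before': parameters pasted into a string that a shell will parse."""
    return f"convert source_images/{photo} out.{filetype}"


def build_argv_safe(photo, filetype):
    """The 'after': validate both values, then return an argv list.

    The list is meant for subprocess.run(argv) with the default shell=False,
    so no shell ever interprets the values.
    """
    if not PHOTO_RE.fullmatch(photo):
        raise ValueError("photo is not a plain image filename")
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError("filetype is not on the allowlist")
    return ["convert", f"source_images/{photo}", f"out.{filetype}"]


def shell_command_count(command_line):
    """Approximate how many commands a POSIX shell would see in the string."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for token in lexer if token in separators)


if __name__ == "__main__":
    # Constructed sample values, not taken from the target.
    for filetype in ("png", "png;echo INJECTED"):
        unsafe = build_command_unsafe("sample_photo.jpg", filetype)
        print(repr(filetype), "-> shell sees", shell_command_count(unsafe), "command(s)")
        try:
            print("  safe argv:", build_argv_safe("sample_photo.jpg", filetype))
        except ValueError as exc:
            print("  rejected:", exc)
```
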
Privilege Escalation
I began with the sudo -l command and checked the cleanup.sh file.
I added /bin/bash to a file named cd and gave it all permissions.
I also created a find file, so that if one failed we would have a backup to get a shell as root.
Now just run that file with sudo permission and set the PATH to the /temp directory.
I got root.
