Road

in Blog

NMAP

3d1d645fa42af7a0a44da7dc24515a84.png

Website

After looking around the site we find there is a login page with a registration form.

7db481855763467f1e842d8f7e178caf.png

ea2a7f08e825c5d40dc4ea489aa395d4.png

We register the user bob@bob.bob with a dummy mobile and password bob. Dashboard:

1a9614cf81e42a73ec4cb0d67e00d343.png

Upload button disabled. Access only to admin@sky.thm

bf8ce12396d995b6587ff5a1c02692a1.png

Reset password page, username uneditable. Try capturing with Burp Suite.

bc41bee9f501599bb90c186678b76ca2.png

Request passes username as well as new password, send to repeater to try editing.

715eefb291e94f2b9d831b56a0427e82.png

Changed user to admin@sky.thm. Looks to have been successful.

23a67323976d64f2cf0ec9136ea21763.png

Logged in as admin.

68d948253959be9a9aca58dcb6dcb124.png

Uploading php reverse shell.

6662d589862f676c3344c061d46991d2.png

Tested uploading an image to find upload location, it looks like the profile image path is commented out so picture doesn’t update.

9f30ba72eda4aeef6d74367a2803a404.png

Starting netcat listener.

e5fd172b746a6fa5d85e37984103a99a.png

Accessing reverse shell at /v2/profileimages/rev.php

Remote shell gained, stabilised with python.

29551d152086ab74c83a353c165ee2a7.png

Using find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null to find useful suid binaries.

dff187b8ace82488ba852dad0ccf7213.png

Nothing interesting there. Starting a python http server to upload exploits.

7d9f8562580fcf68e08655f2e00b1ac1.png

I was going to run LinPeas but decided to try PwnKit first. Downloading and executing PwnKit.

23bfcd1da2e544fdb971c57fb5ff8871.png

Escalated to root!

d7045857e1994eb18f0db117e15f6452.png

Finding user.txt

f9d962063bb2000a96abfc85e013d840.png

Finding root.txt

find linux version9626baa1602b149063e425738eba916f.png

An interesting box, I feel I missed something by using PwnKit to get root so easily as I imagine it was made before it was available and they had something else in mind.