Penetration Testing methodology
- Scanning
- Nmap Scan
- Enumeration
- Enumerating HTTP Service
- Searching Exploit
- Testing Login page
- Exploitation
- Reading exploit code
- Trying exploit code
- Finding another way to exploit the CMS
- Uploading shell
- Privilege Escalation
- Enumerating kernel make
- Searching Exploit
- Compiling exploit
- Transferring Binary
- Getting Root Shell
- Getting Answers
Walkthrough

There are two flags to find in this room:
1. User flag
2. Root flag

Scanning

Scanning the IP with Nmap, we get the following output:
We can see that an HTTP service is running on port 80 and on port 8080. Visiting IP:Port in the browser, on port 8080 we see:
I tried an SQLi payload in Username: " ' or 1=1 -- " and Password: " a ", but it didn't work.
So the CMS is Simple Image Gallery. Searching for it on searchsploit, we get the following output:
Copying the exploit to the current directory.
It's good practice to read the exploit. Even if you don't understand all of it, try to read some parts to see what it is doing and how. [ My Takeaway ]
Before finding anything, I ran the code to check how the exploit works.
The code uploads a file into the gallery/uploads directory that lets us execute commands via a parameter called cmd. I visited the provided URL and found that the code was executing; below is the output of the whoami command.
After a lot of tries to gain a reverse shell through the cmd parameter I was frustrated, so I finally read the code [ My Takeaway :D ]. Its content is as follows:
While reading, I encountered a line which looked to me like an SQLi payload, see below:
So I got the hint that the payload I was trying was not working for this room, and tried the payload used in the exploit instead.
And boooom!! I was not expecting this, but it worked...
OKK!! We are in. While walking through the application I found a page " Albums ", and after visiting it I saw upload functionality.
I thought, let's give it a try and upload the PHP reverse shell by Pentest Monkey (it can be found in /usr/share/webshells/php/ or on Google, because it's a famous reverse shell script and easy to find).
So I edited the reverse shell with my IP and my favorite port.
BTW, off-topic: I am using 1337 not because I am leet but because I want to be leet XD #HECKUR MINDSET
Uploading the PHP reverse shell and listening on localhost via nc -lvnp 1337 [ for me it's 1337; use whichever port you typed into the script ]
Shell uploaded successfully!!!!
By clicking on the script you uploaded you trigger the shell. But don't forget to start the listener before you trigger it.
Whoop whoop, we got a shell... OKKK, first things first, let's stabilise our shell. I learned stabilising from the What the Shell room on TryHackMe.
- export TERM=xterm
- which python3 [ tells us whether python3 is installed and where ]
- python3 -c 'import pty;pty.spawn("/bin/bash")'
- press CTRL+Z to background the shell, then run the next command on the attacker machine
- stty raw -echo ; fg
- reset
- [ These commands will give us a fully functional shell ]
After reset you get a clean shell, like below :D
Privilege Escalation TIIIIIIIIIIIME !!!!

For privesc you can run linpeas or any other script, or enumerate manually.

But in this writeup we will run PwnKit to learn something new about the Polkit pkexec exploit. The exploit code can be found here -> https://github.com/ly4k/PwnKit/blob/main/PwnKit.c
Let's do this... Compiling the code with:

gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC

We have the compiled binary; now let's move it to the victim host.
- 1st, host a server on the attacker machine [ Note: host the server in the directory where your binary is! ]
- Command: python3 -m http.server 80
- 2nd, go to the victim terminal and download the binary with the following:
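The PwnKit chain above only works while pkexec is installed setuid root. As an added example that is not part of the original writeup, here is a small POSIX shell audit a defender can run on a host to confirm the interim mitigation (dropping the setuid bit from pkexec until polkit is updated) is actually in place; the directories checked in the --run branch are assumed install locations.

```shell
#!/bin/sh
# Added example, not from the original writeup. Audit helpers for the
# condition the PwnKit exploit depends on: a pkexec binary that is
# setuid root. Until polkit is patched, the usual interim mitigation
# is to drop the bit with "chmod 0755 /usr/bin/pkexec".

# pkexec_state PATH
#   Prints one of: missing | setuid | not-setuid
pkexec_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -u "$1" ]; then
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# list_setuid DIR...
#   Prints every regular file under the given directories that has the
#   setuid bit set, one path per line, sorted for stable output.
list_setuid() {
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

# audit_pkexec DIR...
#   Prints any setuid file named pkexec under the given directories and
#   returns 1 if one was found, 0 otherwise (usable from scripts or cron).
audit_pkexec() {
    hits=$(list_setuid "$@" | grep -E '(^|/)pkexec$' || true)
    if [ -n "$hits" ]; then
        printf 'setuid pkexec found (mitigation NOT applied):\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: "sh audit.sh --run" checks the assumed install
# locations; the exit status follows audit_pkexec.
if [ "${1:-}" = "--run" ]; then
    audit_pkexec /usr/bin /usr/local/bin /bin && echo "no setuid pkexec found"
fi
```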
Controlling my emotions at getting a root shell ;-; So let's get the flags and end it ASAP.
- /home/mike has user.txt
- /root/ has root.txt
We also need the hash of the admin user to complete the room.
- Use the command netstat -altuopn to check the services running on localhost.
- We can see 3306 is running, which is the MySQL port.
- Log in with mysql -u root -p [ the password is root ]
- Access the database.
- We got the admin hash; submitting it, the room is complete.