Vulnhub:NULLBYTE 1 Walkthrough (OSCP PREP) [by dollarboysushil]
2024-1-18 22:31:17 Author: infosecwriteups.com (view original)

Reconnaissance

nmap -sC -sV 192.168.1.142
-sC runs the default scripts, -sV enumerates service versions.

Looking at the result:
port 80 http
port 111 rpcbind
port 777 ssh

Enumeration

Viewing the website on port 80, we can see an image.

There is not much else here, so the best next step is to download this gif and read the image's metadata with exiftool.

We can see an interesting comment: kzMb5nVYJw

Going into kzMb5nVYJw directory presents us with a webpage where we can enter a key.

Viewing the page source, we can see it says "the password ain't complex".

When entering a random key we get the response "invalid key".
We will need this string later.
Our next step is to brute-force the key using hydra.

Intercept the request using Burp Suite.
We will use this request to craft the hydra command.

hydra -l "" -P /usr/share/wordlists/rockyou.txt 192.168.1.142 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key"

Here:

-l "": Specifies the username. In this case the username is empty, since the form only takes a key.
-P /usr/share/wordlists/rockyou.txt: Specifies the path to the password list. In this case I am using the rockyou wordlist.

http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key": Specifies the HTTP POST form to attack. It has three colon-separated parts: the target path (/kzMb5nVYJw/index.php), the POST body (key=^PASS^, where ^PASS^ is the placeholder Hydra replaces with each password from the wordlist), and the failure string.

"invalid key" is the string Hydra interprets as a response indicating that the login attempt was unsuccessful; any response without it is treated as a hit.

Running Hydra reveals the correct password: elite

After entering the correct key, we are redirected to a "Search for usernames" page.

In this part, I tried to check whether this is vulnerable to SQL injection by entering , but it didn't work.

Then I entered , which broke the SQL query and gave us the following error.

This proves we have a SQL injection to work on.

Running sqlmap we can extract the database names:
sqlmap --url {copy paste url} --batch --dbs
Here --dbs tells sqlmap to enumerate the databases on the target.

Looking at the result we can see the databases:
information_schema
mysql
performance_schema
seth

Among these databases we are interested in seth. Now let's dump everything under the database seth.

Looking at the result we can see a username and a password hash:

YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE:ramses

https://hashes.com/en/tools/hash_identifier
https://crackstation.net/

Using hashes.com and CrackStation we can identify and crack the hash,
so we have the credentials ramses:omega

Gaining Access

If you remember from the nmap scan result, we have SSH running on port 777. Let's try to log in with the credentials we found.

And we are successfully logged in.

Then I tried to find files with the SUID bit set:
find / -type f -perm /4000 2>/dev/null

-perm /4000: Searches for files with the setuid (SUID) permission bit set. The / before 4000 means "any of the specified bits are set," and 4000 is the numeric value of the setuid bit.

2>/dev/null: Redirects standard error (stderr) to /dev/null to suppress error messages.

Looking at the result, the unusual entry is procwatch.

Privilege Escalation

Moving into /var/www/backup we can see procwatch with the SUID bit set.

Running procwatch we can see it tries to execute ps, which it looks up through the PATH variable rather than by an absolute path.

What we are going to do from here is:
first, copy sh from the /bin folder into /tmp under the name ps.

Next, edit the $PATH variable by adding /tmp at the beginning.

Here we are prepending the /tmp directory to PATH so that the shell searches /tmp first when procwatch asks for ps.
In /tmp we have placed a copy of sh renamed to ps, so that is what gets run with procwatch's privileges.

Then, running procwatch again, we get a shell as root and can cat out proof.txt.
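To show the defect behind this escalation and its fix, here is an added example (not procwatch's real source, which the page does not include): the vulnerable pattern is a setuid program spawning "ps" through system(), which lets the caller's PATH choose the binary; the hardened helper runs an absolute path with a fixed environment, plus a small PATH audit check. The trusted directory list is an assumption for illustration.

```c
/* Added example: PATH hijack in a setuid helper, and the hardened form.
 * Not the VM's actual procwatch code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: system() runs "ps" via /bin/sh, which resolves the
 * name using the *caller's* PATH. Under setuid, whatever the invoking user
 * placed first in PATH (e.g. /tmp/ps) runs with the file owner's privileges.
 * Shown only for contrast; never called below. */
void run_ps_unsafe(void) { system("ps"); }

/* Fixed environment for privileged children: the caller's PATH is ignored.
 * The directory list is an assumed, minimal system default. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run an absolute path with the clean environment; PATH is never consulted.
 * Returns the child's exit status, or -1 on refusal/failure. */
int run_trusted(const char *abs_path, char *const argv[]) {
    if (abs_path[0] != '/') return -1;          /* refuse relative names */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                             /* child: exec, no PATH search */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Audit helper for a privileged caller: returns 1 if PATH contains an entry
 * that is empty (current dir), relative, or outside the assumed allow-list
 * (e.g. /tmp, as in the walkthrough); 0 if every entry is trusted. */
int path_has_untrusted_entry(const char *path) {
    static const char *trusted[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int ok = 0;
        for (int i = 0; trusted[i]; i++)
            if (strlen(trusted[i]) == len && strncmp(p, trusted[i], len) == 0) ok = 1;
        if (!ok) return 1;
        if (!end) return 0;
        p = end + 1;
    }
}
```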


Source: https://infosecwriteups.com/vulnhub-nullbyte-1-walkthrough-oscp-prep-by-dollarboysushil-0238e372aa45?source=rss----7b722bfd1b8d---4