nmap -p- -T4 -vv -sV 192.168.2.55

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
ffuf -u http://$TARGET_IP/FUZZ -w /usr/share/wordlists/dirb/big.txt -e .php,.txt,.html
hello, now you are at level 0 stage. In real life pentesting we should use our tools to dig on a web very hard. Happy hacking.
Looks like you have got some secrets. Ok I just want to do some help to you. Do some more fuzz on every page of php which was finded by you. And if you get any right parameter then follow the below steps. If you still stuck Learn from here a basic tool with good usage for OSCP. https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web //see the location.txt and you will get your next move//
As requested in the link:
ffuf -u 'http://192.168.2.55/index.php?FUZZ=something' -w /usr/share/wordlists/dirb/big.txt -fs 136
file [Status: 200, Size: 206, Words: 15, Lines: 8]
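Both ffuf runs above leave a very recognisable trail in Apache's access log: a single client sending a burst of requests to paths that answer 404 (the wordlist scan), then a burst of requests to one script with a different query string each time (the parameter scan; `-fs 136` only hides the wrong answers from the attacker, the server still logs every one). The following Python detector is an added example, not code from the original writeup, and runs over constructed log lines; the 60-second window and the two thresholds are assumptions to tune against a site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, path, query, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("target").partition("?")
    return m.group("ip"), ts, path, query, int(m.group("status"))

def find_fuzzers(lines, window=timedelta(seconds=60), min_404=20, min_variants=20):
    """Flag clients whose traffic inside any `window` looks like wordlist fuzzing.

    directory-fuzzing: at least `min_404` distinct paths answered 404.
    parameter-fuzzing: at least `min_variants` distinct query strings sent to
    one path (status code is irrelevant here).
    Thresholds are assumptions; tune them to the site's normal traffic.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        reasons, start = set(), 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most `window` seconds.
            while recs[end][1] - recs[start][1] > window:
                start += 1
            win = recs[start:end + 1]
            if len({r[2] for r in win if r[4] == 404}) >= min_404:
                reasons.add("directory-fuzzing")
            variants = defaultdict(set)
            for _, _, path, query, _ in win:
                if query:
                    variants[path].add(query)
            if any(len(q) >= min_variants for q in variants.values()):
                reasons.add("parameter-fuzzing")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings

def sample_log():
    """Constructed log lines (not from the original page): one scanner and one visitor."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, target, status, agent):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} 136 "-" "{agent}"'

    lines = []
    # 30 wordlist paths in 30 seconds, all 404: directory fuzzing.
    for i in range(30):
        lines.append(entry("10.0.0.5", i, f"/word{i}.php", 404, "Fuzz Faster U Fool"))
    # 25 candidate parameter names against index.php: parameter fuzzing.
    for i in range(25):
        lines.append(entry("10.0.0.5", 30 + i, f"/index.php?param{i}=something", 200,
                           "Fuzz Faster U Fool"))
    # An ordinary visitor browsing three pages over the same period.
    for i, page in enumerate(["/", "/index.php", "/wordpress/"]):
        lines.append(entry("10.0.0.9", 10 * i, page, 200, "Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    for ip, why in find_fuzzers(sample_log()).items():
        print(ip, ", ".join(why))
```

The sliding window matters more than the raw counts: a crawler or a busy proxy can accumulate hundreds of 404s over a day, but thirty distinct missing paths inside one minute from one address is the wordlist signature.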
Based on one of the previous notes:
ok well Now you reah at the exact parameter Now dig some more for next one use 'secrettier360' parameter on some other php page for more fun.
Finally we have some real LFI.
There are two users on the system: saket and victor. For some reason the saket user had this in his /etc/passwd entry:
find password.txt file in my directory:/home/saket
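The LFI that exposed /etc/passwd exists because a request parameter is handed straight to a file include without checking where the resulting path points. The following Python example is added here and is not code from the box or the writeup: it puts the vulnerable resolver (os.path.join silently discards the base directory for absolute input, and `..` segments are never examined) beside a hardened one that canonicalises with realpath and rejects anything that leaves the web root, including symlinks planted inside it. It builds its own temporary web root, so it runs as-is; the same containment check is what a PHP handler should do with realpath() before include().

```python
import os
import tempfile

def naive_resolve(base_dir, requested):
    """The vulnerable pattern: trust the request parameter.

    os.path.join() drops base_dir entirely when `requested` is absolute, and
    '..' segments are never checked, so both '/etc/passwd' and
    '../secret.txt' escape base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Hardened version: canonicalise, then require the result to stay inside base_dir.

    Returns the absolute path if it is a regular file inside base_dir, else None.
    realpath() follows symlinks, so a link inside base_dir that points outside
    is rejected as well.
    """
    if "\x00" in requested:          # some runtimes truncate paths at NUL
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() is the portable containment test; a plain startswith()
    # would accept '/var/www-evil' for base '/var/www'.
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:               # different drives on Windows
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def demo():
    """Build a throwaway web root and compare both resolvers on a few inputs.

    Returns {requested: (naive_result_escaped_webroot, accepted_by_safe_resolve)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "html")
        os.mkdir(webroot)
        with open(os.path.join(webroot, "image.txt"), "w") as f:
            f.write("legit content\n")
        # A secret outside the web root, and a symlink inside that points at it.
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("not for the web\n")
        os.symlink(secret, os.path.join(webroot, "link.txt"))

        base = os.path.realpath(webroot)
        for req in ["image.txt", "../secret.txt", "/etc/passwd", "link.txt", "missing.txt"]:
            naive = os.path.realpath(naive_resolve(webroot, req))
            escaped = os.path.commonpath([base, naive]) != base
            results[req] = (escaped, safe_resolve(webroot, req) is not None)
    return results

if __name__ == "__main__":
    for req, (escaped, accepted) in demo().items():
        print(f"{req:16} naive escapes webroot: {escaped!s:5} safe accepts: {accepted}")
```

Note that "missing.txt" is rejected by the safe resolver for a different reason than the traversal inputs: the caller should treat a non-existent file as a 404, not as an attack, so in a real handler the two None cases would be worth distinguishing.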
Let’s go back and look at the wordpress installation.
The saket user didn't work with that password, but
After looking around for a bit, I found a random writable file in one of the themes. I put a PHP reverse shell into it and navigated to the page.
www-data -> saket
The www-data user can execute /home/saket/enc as root. Additionally, I found a file /opt/backup/server_database/backup_pass which contained a password to this binary.
After executing it and giving it a password it created some new file in
I know you are the fan of ippsec. So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
When executing this binary but passing it the md5 of "ippsec" instead, it replaced the enc.txt file with a new string. This time it was AES, using the same md5 hash.
Dont worry saket one day we will reach to our destination very soon. And if you forget your username then use your old password ==> "tribute_to_ippsec" Victor,
saket -> root
saket can execute /home/victor/undefeated_victor as root. After a bit of poking, it seems like this binary takes whatever is in /tmp/challenge and executes it.
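Both privilege escalations on this box come from the same class of mistake: a sudo rule that lets a low-privilege user run, as root, a binary that sits in another user's home directory. The following Python auditor is an added example, not part of the original writeup; it parses one-line sudoers rules (constructed here to mirror the two grants described above, plus a couple of ordinary ones) and flags commands that live in user-writable trees, NOPASSWD grants, wildcards and unrestricted ALL. What it cannot see is the second flaw in undefeated_victor, that the binary executes /tmp/challenge; that only shows up in a review of the binary itself, which is why root-run helpers belong under /usr/local/sbin with root ownership in the first place.

```python
import re

# One-line sudoers rule:  user  host=(runas) [TAG:]... cmd1, cmd2
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)

# Trees an unprivileged user can normally write to; a root-run command living
# here can be swapped out by whoever owns the directory.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def parse_rule(line):
    """Parse one sudoers line into a dict, or return None for comments/Defaults/garbage."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return {"who": m.group("who"), "runas": m.group("runas") or "root",
            "tags": tags, "cmds": cmds}

def audit_rule(rule):
    """Return human-readable findings for a single parsed rule."""
    if rule["who"] == "root":
        return []                       # root's own grant is expected
    findings = []
    for cmd in rule["cmds"]:
        if cmd == "ALL":
            findings.append(f"{rule['who']}: unrestricted ALL as {rule['runas']}")
            continue
        path = cmd.split()[0]
        if path.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"{rule['who']}: {path} lives in a user-writable tree")
        if "*" in cmd:
            findings.append(f"{rule['who']}: wildcard in '{cmd}'")
        if "NOPASSWD" in rule["tags"]:
            findings.append(f"{rule['who']}: {path} runs as {rule['runas']} without a password")
    return findings

def audit_sudoers(text):
    """Audit a whole sudoers file (or `sudo -l`-style rule dump) given as a string."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            findings.extend(audit_rule(rule))
    return findings

# Constructed sample, not the box's real sudoers; the two middle rules mirror
# the grants described in the writeup.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /home/saket/enc
saket    ALL=(root) NOPASSWD: /home/victor/undefeated_victor
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run against the constructed sample it reports five findings: two each for the www-data and saket grants (user-writable location plus NOPASSWD) and one for the rsync grant. The location finding is the serious one; the fix is to move such helpers to a root-owned directory, make them root-owned and non-writable, and keep the sudo rule pointing at the new path.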
Getting root was as simple as putting a command that would put my ssh key in root's .ssh folder into

echo 'mkdir -p /root/.ssh' > challenge
sudo /home/victor/undefeated_victor
echo 'echo "<my_ssh_key>" > /root/.ssh/authorized_keys' > challenge
sudo /home/victor/undefeated_victor