Hackthebox - Vault
Wfuzz was useless from root but it mentioned a customer. If we try to go to /sparklays we get a Forbidden, which means that we could try wfuzz again but with this.
I had to wfuzz multiple times but here are the commands and interesting results I got:
In the meantime, wfuzz was quite a pain so I tried gobuster, which I usually prefer (but wanted to try out wfuzz lol). And I got this:
So from these we have:
On login.php we get an access denied
But on admin.php we get a login page
I tried brute-forcing along with possible weak passwords but did not get anywhere.
And if we click on change logo we end up here so we can play with the upload function.
I tried a few file extensions and got this working with php5.
So I downloaded php-reverse-shell.php5 on the server after modifying the file with my IP address.
I set up my listener: nc -nlvp 4444
And then I accessed this page from the browser (remember the uploads directory we found before):
http://10.10.10.109/sparklays/design/uploads/php-reverse-shell.php5
And I got a shell as www-data:
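The extension check that the php5 upload got past can be compared with an allowlist. The PHP below is an added example, not code from the Vault machine or from the author; the blocklist contents, the function names (blocklist_allows, store_logo) and the sample files are assumptions, since the page does not show the server-side check.

```php
<?php
// Added example: not the target application's code.
// Assumption: the logo upload rejected a fixed list of extensions.

// Weak check: a blocklist only knows the extensions its author thought of.
function blocklist_allows(string $clientName): bool
{
    $blocked = ['php', 'phtml', 'exe', 'sh']; // constructed list
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened check: allowlist the extension, confirm the bytes are that image
// type, and store under a server-generated name. Returns the stored name,
// or null when the upload is rejected.
function store_logo(string $tmpPath, string $clientName, string $destDir): ?string
{
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                       // e.g. .php5 never reaches disk
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return null;                       // extension and content disagree
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // A real handler would call move_uploaded_file(); copy() keeps this runnable from the CLI.
    return copy($tmpPath, "$destDir/$name") ? $name : null;
}

// Constructed sample inputs: a text file standing in for a script, and a minimal GIF header.
$dir = sys_get_temp_dir() . '/logo_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$script = "$dir/in_script";
$gif = "$dir/in_gif";
file_put_contents($script, "plain text standing in for a script\n");
file_put_contents($gif, 'GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00;");

var_dump(blocklist_allows('logo.php5'));                // alternate extension vs. blocklist
var_dump(store_logo($script, 'logo.php5', $dir));       // alternate extension vs. allowlist
var_dump(store_logo($script, 'logo.gif', $dir));        // image extension, non-image bytes
var_dump(store_logo($gif, 'logo.gif', $dir) !== null);  // image extension, image bytes
```

The allowlist is only one layer: the uploads directory should also be served with script execution disabled, so a stored file is never handed to the PHP interpreter.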
We have this page
On /design/design.html we get this
I chose to play with this machine because I wanted to practice pivoting.
So let's check what we have available here in terms of network with arp -a
(If for some reason arp -a does not work, a friend of mine uses a cool command:
for i in {1..254} ;do (ping 192.168.122.$i -c 1 -w 5 >/dev/null && echo "192.168.122.$i" &) ;done
)
But here arp -a works and we get this:
But first let's see if we can move to a user. If we ls on /home we have 2 users, dave and alex.
If we go to dave's Desktop we find this.
So let's try to ssh as Dave (with the password we found, Dav3therav3123). It works: