# Expose

{% embed url="<https://tryhackme.com/room/expose>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

## Recon

Scanning the target with Nmap reveals five open ports, each running a different service: FTP on port 21, SSH on 22, DNS on 53, a web server on 1337, and an MQTT broker on 1883.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FhUkMR5S6762snTP0A24Z%2Fgrafik.png?alt=media&#x26;token=4b2da6da-b3f0-4691-aca2-c07b476744b9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FxxXX7NAc1gy0YelUlh1S%2Fgrafik.png?alt=media&#x26;token=58685dc0-addc-4bdb-90bd-847ec7acba57" alt=""><figcaption></figcaption></figure>

While enumerating the services, we did not find anything of interest on ports 53 and 1883. A directory scan with Gobuster against the web server on port 1337 gives us some interesting directories: two admin login portals, one of which is probably the real one, and a phpMyAdmin page.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FAvAzIZeophJovY20YI8S%2Fgrafik.png?alt=media&#x26;token=745f0945-fef4-4628-942f-0e8ec3119fd4" alt=""><figcaption></figcaption></figure>

A second directory scan on `/admin_101` reveals more interesting directories than the one on `/admin`. Together with the fact that the username field is prefilled, this suggests that `/admin_101` is the real login portal. A brute-force attack with the given username `hacker@root.thm` did not yield any results, so the next thing to check is whether the login is vulnerable to SQL injection.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F5BKRVtCJmugYLYEFAzuX%2Fgrafik.png?alt=media&#x26;token=da4030e2-86d7-4f8c-b164-babd6d58bfb9" alt=""><figcaption></figcaption></figure>

## User Flag

For a quick check, we capture the HTTP request while trying to log in and reuse it in SQLMap.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F9Vz9IRn5EetNsM6y5NmV%2Fgrafik.png?alt=media&#x26;token=306fe469-8a19-43f3-a149-078750027af3" alt=""><figcaption></figcaption></figure>

By running SQLMap with the captured request, we are able to dump the database.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FmxCfpk6X69XD39xRFXd6%2Fgrafik.png?alt=media&#x26;token=b0086f7f-713c-4ac6-a879-ea0759dab07e" alt=""><figcaption></figcaption></figure>

SQLMap retrieves some interesting information. For the user `hacker@root.thm` we get a password in clear text, but using it on the admin portal does not lead anywhere. Besides the credentials, the `config` table stores two URLs that we did not discover with Gobuster, together with a password or a password hint for each of them.

For `/file1010111/index.php` we get a plain MD5 hash, which should be crackable. For `/upload-cv00101011/index.php` we only get the hint that the password is the username on the machine starting with the letter Z.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FF2zcAZcalH8dENA6tpKK%2Fgrafik.png?alt=media&#x26;token=46d60f79-4a39-42c3-acd0-adedb4a2cb13" alt=""><figcaption></figcaption></figure>
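The login bypass that SQLMap found, reduced to its essence. This is an added example, not code from the room or from the original post: the target runs PHP against MySQL, while this block uses Python with an in-memory SQLite database and a constructed `users` table so that it runs offline. The `--` comment payload is one of the first things SQLMap tries; the parameterised variant next to it is the fix.

```python
"""Login check vulnerable to SQL injection, beside a parameterised fix.

Added example, not the room's code. sqlite3 stands in for the target's
MySQL backend so the block runs offline. Table rows are constructed; only
the e-mail address mirrors the one prefilled on /admin_101.
"""
import sqlite3

# Constructed sample data, not dumped from the target.
USERS = [
    ("hacker@root.thm", "not-the-real-password"),
    ("alice@root.thm", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """In-memory users table with clear-text passwords, as the dump showed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """String-built query: user input becomes part of the SQL grammar."""
    query = (
        f"SELECT email FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row is not None


def single_quote_probe(conn: sqlite3.Connection, email: str) -> bool:
    """The classic first probe: does a lone quote break the query?
    True means the input reaches the SQL parser unescaped."""
    try:
        vulnerable_login(conn, email + "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    conn = make_db()
    # The comment marker strips the password clause from the query.
    payload = "hacker@root.thm' -- "
    return {
        "vulnerable_bypass": vulnerable_login(conn, payload, "wrong"),
        "safe_bypass": safe_login(conn, payload, "wrong"),
        "safe_valid": safe_login(conn, "hacker@root.thm", "not-the-real-password"),
    }


if __name__ == "__main__":
    print(demo())
```

The quote probe is what the "quick check" in the text amounts to: a single `'` that produces a database error tells you the input lands in the SQL parser, and SQLMap then automates the rest.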

Using CrackStation we crack the hash easily and get a password.

{% embed url="<https://crackstation.net/>" %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F52PNRdO0Jf6pRSnBzeAc%2Fgrafik.png?alt=media&#x26;token=26625d69-dbc7-4240-a233-2d2603ad6c70" alt=""><figcaption></figcaption></figure>

Next, we visit `/file1010111/index.php`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FmUSDbcMWQryVmdd493rY%2Fgrafik.png?alt=media&#x26;token=1e334736-371c-4b50-b485-6b68fabf0e66" alt=""><figcaption></figcaption></figure>

By providing the password, we get a hint to fuzz for parameters. Without checking anything further, we visit `/upload-cv00101011/index.php`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FkUW89U52ugozwmrMzB3f%2Fgrafik.png?alt=media&#x26;token=b83fdd88-5f5c-49a2-ba39-0d1b82e7567c" alt=""><figcaption></figcaption></figure>

The page `/upload-cv00101011/index.php` also tells us that the password is the name of the machine user starting with the letter Z. We start a brute-force attempt on the username with Burp Suite, and while it runs we check `/file1010111/index.php` again.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FuZsVU7SxB1Ff0NmmQbyr%2Fgrafik.png?alt=media&#x26;token=6e8c9ecb-be9e-4ffb-8b54-8c0c6d1c8ede" alt=""><figcaption></figcaption></figure>

Looking at the page source of `/file1010111/index.php`, we get another hint: try `file` or `view` as GET parameters. Combined with the name of the URL, this looks like a page that views files on the system, so a local file inclusion vulnerability might be present.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FP9jypZgq3DkQrY3eCPxN%2Fgrafik.png?alt=media&#x26;token=7993df8c-b16d-4933-bb78-83fbbaa1be24" alt=""><figcaption></figcaption></figure>

For a simple check, we use `?file=index.php`. Calling `http://10.10.118.26:1337/file1010111/index.php?file=index.php` and providing the cracked password, we see the page rendered twice: the script included itself. An LFI is present.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Few4T2LQYnycOmIUFrlfM%2Fgrafik.png?alt=media&#x26;token=6ddc9d9a-fa3e-4a12-a937-076565e4c35f" alt=""><figcaption></figcaption></figure>

Since we need the username on the machine to access the other page, we read `/etc/passwd` through the inclusion. Calling `http://10.10.118.26:1337/file1010111/index.php?file=../../../../etc/passwd` returns the file and reveals the user `zeamkish`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F4isunOJu5VoCMFZFhMFW%2Fgrafik.png?alt=media&#x26;token=13968cde-fd8b-48f4-ad67-2024442ec507" alt=""><figcaption></figcaption></figure>
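The traversal above and its fix, as an added example that is not part of the original post or the room. A temporary directory stands in for the target's filesystem; the web directory sits four levels below it so the same `../../../../etc/passwd` payload applies. The passwd content is constructed apart from the user name the room exposed, and the `include($_GET['file'])` stub is an assumption about how the viewer works, not the room's source.

```python
"""Path traversal through a file-viewer parameter, and a contained version.

Added example, not the room's code. A temp directory stands in for the
target; SAMPLE_PASSWD is constructed except for the user name zeamkish.
"""
import os
import tempfile

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
zeamkish:x:1000:1000::/home/zeamkish:/bin/bash
"""


def build_fs() -> tuple:
    """Create <root>/etc/passwd and <root>/var/www/html/file1010111/index.php.
    Returns (root, webdir). The PHP stub is an assumed shape of the viewer."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write(SAMPLE_PASSWD)
    webdir = os.path.join(root, "var", "www", "html", "file1010111")
    os.makedirs(webdir)
    with open(os.path.join(webdir, "index.php"), "w") as fh:
        fh.write("<?php include($_GET['file']); ?>\n")
    return root, webdir


def vulnerable_view(webdir: str, file_param: str) -> str:
    """Mirrors include($_GET['file']): join and read, no containment check.
    (PHP would execute an included .php file, which is why ?file=index.php
    rendered the page twice; here we only read bytes.)"""
    with open(os.path.join(webdir, file_param)) as fh:
        return fh.read()


def is_contained(webdir: str, file_param: str) -> bool:
    """Resolve symlinks and dot segments, then require the result to stay
    inside the web directory."""
    base = os.path.realpath(webdir)
    target = os.path.realpath(os.path.join(base, file_param))
    return os.path.commonpath([base, target]) == base


def contained_view(webdir: str, file_param: str) -> str:
    """The hardened viewer: refuse anything that escapes the base directory."""
    if not is_contained(webdir, file_param):
        raise PermissionError(f"refusing path outside web directory: {file_param!r}")
    with open(os.path.realpath(os.path.join(webdir, file_param))) as fh:
        return fh.read()


def login_users(passwd_text: str) -> list:
    """Accounts worth trying next: regular UID range and an interactive shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= 1000 and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users


if __name__ == "__main__":
    _, webdir = build_fs()
    leaked = vulnerable_view(webdir, "../../../../etc/passwd")
    print("candidate users:", login_users(leaked))
    print("contained?", is_contained(webdir, "../../../../etc/passwd"))
```

`login_users` does what we did by eye on the screenshot: skip system accounts and anything with `nologin`, leaving the users who can actually log in over SSH.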

We head straight to `/upload-cv00101011/` and provide the found user.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FhzT71GTNSF6H8ca3Xryb%2Fgrafik.png?alt=media&#x26;token=d0ce951e-6187-4915-ae39-771fc9f19792" alt=""><figcaption></figcaption></figure>

We are greeted with a file upload page.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FLqB6MtKmqHtzwE5Jgz9j%2Fgrafik.png?alt=media&#x26;token=660d7a4c-145a-48a7-98a7-bbe9c153cbe2" alt=""><figcaption><p>To upload a file, click on the Upload text</p></figcaption></figure>

Looking at the page source, we see a simple client-side upload filter written in JavaScript that checks only the file extension. Only JPG or PNG files are accepted, and since the check runs in the browser, it is trivially bypassed.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FpWFXEgzPW5QgpcirDqKH%2Fgrafik.png?alt=media&#x26;token=c11b562c-6aa3-4820-8c62-fdbac181e3b7" alt=""><figcaption></figcaption></figure>

As a simple test, we upload a picture of a cute cat and get the hint to look into the source code to find the path. Our first thought was to read the relevant `.php` file through the LFI, but checking the page source comes first.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F1YdliZ7vGidC6SmdQ2IJ%2Fgrafik.png?alt=media&#x26;token=c955eaae-78bd-4282-afa3-863fea4da9d6" alt=""><figcaption></figcaption></figure>

The files are stored in the `/upload_thm_1001` folder.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FjEGAVDwQfR4SeplKOjgi%2Fgrafik.png?alt=media&#x26;token=bb2e7fa4-0edd-4700-8ca7-0d4dfbf08ce5" alt=""><figcaption></figcaption></figure>

Here we can see our cat picture.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FsEJpzQZKAfFHH6ISb2Rj%2Fgrafik.png?alt=media&#x26;token=d04893c0-d31e-46e3-9e68-7c093faeb329" alt=""><figcaption></figcaption></figure>

Next, we make use of the pentestmonkey PHP reverse shell provided by revshells.com.

{% embed url="<https://www.revshells.com/>" %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FOedAtNQgQdSRX6WyCs7X%2Fgrafik.png?alt=media&#x26;token=27e0553b-a3e7-4dfd-bc57-c07411647b41" alt=""><figcaption></figcaption></figure>

For a simple bypass, we name our shell `evilcat.phpD.jpg`, capture the upload request in Burp Suite and replace the letter D with a null byte. Alternatively, set a breakpoint in the JavaScript, upload a `.php` file and change the variable `fileExtension` in the console from `php` to `jpg`. Because the check runs only in the browser, any way of delivering a request that the script never sees works just as well; the null byte is merely one of them.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FKioVkXSxwgGbaWhIDhPV%2Fgrafik.png?alt=media&#x26;token=29d68a28-d4b0-4e6b-b53b-5a36ddb26f89" alt=""><figcaption><p>Breakpoint for bypass</p></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FopuXXRjBZPPQFOAWchhg%2Fgrafik.png?alt=media&#x26;token=55d2d345-0633-446a-b383-c6152416bb99" alt=""><figcaption></figcaption></figure>

We change the byte in Burp and forward the request.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F2qWr6H3hC5xXFVi7r85W%2Fgrafik.png?alt=media&#x26;token=b048d3c5-9cf3-4f74-83f3-6498693b5ee5" alt=""><figcaption></figcaption></figure>
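The extension check that the bypass above defeats, next to what the server should have done. This is an added example, not the room's JavaScript or PHP: the browser filter is assumed to take the text after the last dot, as such filters usually do, and the filenames and file contents are constructed.

```python
"""Client-side style extension check next to a server-side validator.

Added example, not the room's code. browser_filter() is an assumed
reconstruction of the page's JavaScript; names and bytes are constructed.
"""
import os
import re
import secrets

ALLOWED = {"jpg", "png"}
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}


def browser_filter(filename: str) -> bool:
    """Mirrors the page's client-side check: text after the last dot, nothing else.
    Anything ending in .jpg passes, including evilcat.phpD.jpg and evilcat.php\\x00.jpg."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED


def server_validate(filename: str, data: bytes) -> str:
    """Server-side validation: no NUL bytes, a single allowed extension,
    content that matches the claimed type, and a server-chosen name so the
    client's filename never reaches the filesystem."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = os.path.basename(filename)
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.(jpg|png)", base)
    if not m:
        raise ValueError(f"rejected name: {base!r}")
    ext = m.group(1)
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    return f"{secrets.token_hex(8)}.{ext}"


def server_accepts(filename: str, data: bytes) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        server_validate(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    php_shell = b"<?php system($_GET['cmd']); ?>"      # constructed stand-in for the reverse shell
    for name, content in [
        ("cat.jpg", MAGIC["jpg"] + b"\x00" * 8),
        ("evilcat.phpD.jpg", php_shell),
        ("evilcat.php\x00.jpg", php_shell),
        ("evilcat.php", php_shell),
    ]:
        print(f"{name!r:26} browser={browser_filter(name)!s:5} server={server_accepts(name, content)}")
```

The magic-byte check on its own is not enough (a file can start with a JPEG header and still carry PHP), which is why the server also discards the client's name and should store uploads in a directory the web server does not execute from. The null-byte bypass only matters for a server that truncates at NUL; on this box the only gate was the JavaScript, so no truncation was needed.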

Next, we start a listener and open `/upload-cv00101011/upload_thm_1001/`; the directory listing shows that our bypass was successful.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fh3HqBcwCPpH3Cd2qXgA0%2Fgrafik.png?alt=media&#x26;token=f46eb1ad-e6f1-4f4b-a5a3-34b34438ca35" alt=""><figcaption></figcaption></figure>

Upon calling our reverse shell PHP script our shell connects. We are `www-data`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FGKOakO7eIGjPyIPhkwvL%2Fgrafik.png?alt=media&#x26;token=7edff0fa-bcc7-43c3-ac87-230d72dfcd1b" alt=""><figcaption></figcaption></figure>

For convenience, we upgrade our shell.

{% embed url="<https://0xffsec.com/handbook/shells/full-tty/>" %}

```sh
SHELL=/bin/bash script -q /dev/null
# press Ctrl+Z to background the shell, then in the local terminal:
stty raw -echo && fg
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FtDRO2140wYopfwF4ZcfR%2Fgrafik.png?alt=media&#x26;token=6a5aa3e5-219b-4c93-99af-d6f4da7aea12" alt=""><figcaption><p>upgraded shell</p></figcaption></figure>

Enumerating the usual suspects such as `sudo -l` and SUID binaries turns up nothing. We are not even allowed to run `find`, which is odd and probably meant to stop us from listing SUID binaries. Looking at the home directory of `zeamkish`, however, we see the flag, which we cannot read, and the user's credentials stored in `ssh_cred.txt`, which we can.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FLwX17qyt2FsqazsOJtck%2Fgrafik.png?alt=media&#x26;token=201d23d8-d1a4-47ab-ba58-731da9fa68e2" alt=""><figcaption></figcaption></figure>

We use the credentials to log in via SSH as `zeamkish`. We land in the user's home directory and can read the user flag.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FwtCCLXIZYpVFNmG9JCmI%2Fgrafik.png?alt=media&#x26;token=bf0cf506-6046-43b0-a0ce-8dadb6c5ae96" alt=""><figcaption></figcaption></figure>

## Root Flag

Checking for interesting SUID binaries as the user zeamkish gives us a hit.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FliKCOklsROQ4AyxpzPny%2Fgrafik.png?alt=media&#x26;token=a985f62f-a389-40f5-b04b-8db1ddf94756" alt=""><figcaption></figcaption></figure>

The editor Nano has the SUID bit set, so it runs as root and lets us read and write any file on the system regardless of our own permissions. For a fast but destructive privilege escalation, we edit `/etc/shadow` and replace the password hash of root. Keep a copy of the original line so that it can be restored afterwards.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FYbbeCyEBqSXsZeJyFl0n%2Fgrafik.png?alt=media&#x26;token=0cabeb47-eae4-42a4-871e-4cfccccb1210" alt=""><figcaption></figcaption></figure>

With `openssl passwd` we generate the hash for our new password.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FXhQKPnbowYLkZ2UUIElD%2Fgrafik.png?alt=media&#x26;token=16575007-478e-4010-921e-54b79933ecae" alt=""><figcaption></figcaption></figure>

Next we just open `/etc/shadow` using `/usr/bin/nano` and insert our custom password hash.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F59PlmCaWcaVArUSrJZe1%2Fgrafik.png?alt=media&#x26;token=66c96b34-cbee-4ec5-b7ee-0b2c25aeafa8" alt=""><figcaption></figcaption></figure>

After editing the password of root, we are able to change the user to root using `su` and providing our chosen password. Next, we find the flag in the home directory of root.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FqnB2sPP0izYx3G0a7Pt6%2Fgrafik.png?alt=media&#x26;token=c924cd85-8339-49d7-9f6f-f68b45ec40bd" alt=""><figcaption></figcaption></figure>
