GLITCH

Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?

Lab Setup

mkdir ~/Documents/tryhackme/glitch
cd ~/Documents/tryhackme/glitch
mkdir recon enumeration notes
touch notes/{README.md,vuln,creds}

export IP=10.10.29.23

Enumeration

First, scan the machine for open ports using RustScan. It's faster than Nmap, so I prefer using it exclusively for now.

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -A -T4 -oN recon/rustscan.init

Looks like only the HTTP port is open. Let's open it in the browser and see what's there. Nothing interesting, so I run feroxbuster to fuzz for files and directories. I also run a nikto scan in the background, because it will take a while.

Discovered an interesting path: /api/access. When I access it, I find a token with a base64-encoded value.

Set the token cookie to the discovered value, then fuzz once more with the cookie configured accordingly.

After another round of fuzzing for files and directories, I examine the JavaScript code at /js/script.js.

This reveals another interesting path, /api/items. After a while I get a different response by changing the request method.

At this stage I hit a temporary impasse. After a while I fuzzed for parameters, looking for responses with a 500 status code.
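From the defender's side, the enumeration described above (directory fuzzing with scanner user agents, non-GET probes against /api/ endpoints, and parameter fuzzing that produces 500s) leaves a recognisable pattern in the web server's access log. The following is an added example, not part of the original write-up: it runs over constructed combined-format log lines (the IPs, paths and user agents are made up for the demonstration) and flags each of those three indicators.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not taken from the lab.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "feroxbuster/2.7.1"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 0 "-" "feroxbuster/2.7.1"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /config HTTP/1.1" 404 0 "-" "feroxbuster/2.7.1"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /api/access HTTP/1.1" 200 60 "-" "feroxbuster/2.7.1"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /api/items HTTP/1.1" 200 90 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "POST /api/items HTTP/1.1" 200 120 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /api/items?x=1 HTTP/1.1" 500 40 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /js/script.js HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(log_text, not_found_threshold=3):
    """Return the enumeration indicators found in the log text."""
    not_found = Counter()
    findings = {"fuzzers": set(), "scanner_agents": set(), "method_probes": [], "server_errors": []}
    for r in parse(log_text):
        ip, method, status, ua = r["ip"], r["method"], r["status"], r["ua"]
        path = r["path"].split("?")[0]  # compare paths without the query string
        if status == "404":               # bursts of 404s: wordlist-driven directory fuzzing
            not_found[ip] += 1
        if ua.lower().startswith(("feroxbuster", "nikto")):   # tools that announce themselves
            findings["scanner_agents"].add((ip, ua))
        if path.startswith("/api/") and method != "GET":       # method tampering on the API
            findings["method_probes"].append((ip, method, path))
        if status == "500":               # parameter fuzzing that made the backend error out
            findings["server_errors"].append((ip, method, r["path"]))
    findings["fuzzers"] = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    return findings
```

On a real deployment the same checks belong in a log pipeline with a per-window threshold; the fixed threshold here is only for the sample.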

Now all I need to do is to get a reverse shell.

We get a shell as the user, and in the home directory we find the user.txt flag. In the same directory there is a .firefox directory, and again I was stuck for a while.

Privilege Escalation

Transfer the directory to my machine and analyze it.

This took me a while, but finally I got the answer by opening Firefox and searching the saved passwords.

For privilege escalation I follow the usual enumeration steps. After some time, I discovered that the doas binary has the SUID bit set. Switch to the user v0id and run doas.