Road

Inspired by a real-world pentesting engagement

Lab Setup

mkdir ~/Documents/tryhackme/road
cd ~/Documents/tryhackme/road
mkdir recon notes enumeration
touch notes/{README.md,vulns,creds}

export IP=10.10.169.117
export domain=skycouriers.thm

Enumeration

First of all I scan the machine with nmap and rustscan for open ports. I use rustscan because it is faster than nmap, but I still run nmap as well to be sure that I have found every open port.

# just ports 
nmap -p- $IP -oN recon/ports
# services (nmap scan)
nmap -sC -sV -v $IP -oN recon/services
# services (rustscan)
rustscan -a $IP --ulimit 5000 -- -sC -sV -A -T4 

I found two open ports: 22, the default for SSH, and 80, the default for HTTP. When I first begin enumerating port 80 I use simple tools to check versions, emails, domains, HTTP methods and whether there is a WAF in front of the site.

# nikto
nikto -h http://$IP -C all -o enumeration/nikto.txt
# whatweb
whatweb -a 4 http://$IP

I found a domain, so I edit /etc/hosts and add it. The first thing I do when I find a domain is fuzz for subdomains, but I didn't find anything.

wfuzz -c -f enumeration/subdomains.txt -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hl 7 -t 200 -u "http://$IP" -H "Host: FUZZ.$domain"

Let's manually enumerate the website and see what I can find. At the same time I check for files and directories using feroxbuster.

feroxbuster -t 10 -u http://$domain -k -w /usr/share/seclists/Discovery/Web-Content/common.txt -o enumeration/feroxbuster

I got a lot of output, but I found something interesting -> /v2. It redirects me to /v2/admin/login.html

I register an account and log in to see what is there. After spending some time on the web application I figured out how to get access to this machine. I go to the profile page and see that I can upload an image, but only the admin can do that -> [email protected]

Exploitation

It took a while, but I managed to figure it out. I attempted to reset my own password and examined the request/response in Burp Suite. After that, it became much easier.

All I had to do was swap the email address in the reset request for the one I discovered and set a new password. With that done, I gained admin access. Next, I navigated to the profile section to upload a payload. However, I hit a roadblock when I couldn't locate the uploaded file needed to trigger a reverse shell. So I examined the source code of /v2/profile.php, and there it was.
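The two weaknesses used above are a password reset that trusts the email field sent by the browser, and a profile-image upload that stores whatever file it is given inside the document root. The following is an added example, not code from the room or the Sky Couriers application: a toy in-memory version of each handler in its vulnerable form next to a hardened form. All names, email addresses, paths and the helper functions are constructed for illustration; the hardened reset binds the change to the server-side session and re-checks the current password, and the hardened upload allow-lists the extension, checks the file signature, discards the client-supplied name and stores the file outside the webroot.

```python
import hashlib
import os
import secrets
import tempfile
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}


# Constructed in-memory user table; the addresses are placeholders,
# not the ones from the engagement.
USERS = {
    "admin@example.test": make_user("correct horse battery staple", "admin"),
    "newuser@example.test": make_user("hunter2", "user"),
}


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    return user is not None and secrets.compare_digest(
        user["hash"], _hash(password, user["salt"])
    )


# --- Password reset -------------------------------------------------------

def reset_password_vulnerable(session: dict, form: dict) -> str:
    """Trusts the e-mail field in the request body. Any logged-in user who
    edits that field (e.g. in Burp) changes somebody else's password."""
    email = form["email"]                      # client-controlled
    user = USERS[email]
    user["hash"] = _hash(form["new_password"], user["salt"])
    return email


def reset_password_hardened(session: dict, form: dict) -> Optional[str]:
    """Uses the identity stored in the server-side session and re-verifies
    the current password; the e-mail in the form is ignored. Returns the
    account that was changed, or None when the request is refused."""
    email = session["email"]                   # server-side, not from the form
    if not check_password(email, form.get("current_password", "")):
        return None
    if len(form["new_password"]) < 12:
        return None
    user = USERS[email]
    user["salt"] = secrets.token_bytes(16)
    user["hash"] = _hash(form["new_password"], user["salt"])
    return email


# --- Profile image upload -------------------------------------------------

WEBROOT = tempfile.mkdtemp(prefix="webroot-")      # stand-in for the document root
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads-")   # separate directory, not served
# Allowed extensions mapped to the file signature they must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def save_image_vulnerable(filename: str, data: bytes) -> str:
    """Writes the bytes under the client-chosen name inside the webroot, so a
    .php upload is reachable and executed by the web server."""
    target_dir = os.path.join(WEBROOT, "uploads")  # constructed path
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_image_hardened(filename: str, data: bytes) -> Optional[str]:
    """Allow-lists the extension, checks the file signature, replaces the
    client name with a random one and stores the file outside the webroot.
    Returns the stored name, or None when the upload is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    stored = secrets.token_hex(16) + ext
    with open(os.path.join(UPLOAD_DIR, stored), "wb") as fh:
        fh.write(data)
    return stored
```

The hardened upload still accepts a genuine image renamed to something like `x.php.png`, which is why the random name and the non-served directory matter as much as the signature check: even a file that passes the filter is never reachable under a URL the server would execute.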

Now that I have access to the machine, I can check the home directory of the webdeveloper user and retrieve the user.txt flag.

Privilege Escalation

For privilege escalation, I stumbled upon a Git repository. All I have to do is upload the files and execute the bash script, and then I'll gain root access.
