Undiscovered

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Undiscovered
cd ~/Documents/TryHackMe/eJPT/Undiscovered
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}

export IP=10.10.56.55
export URL=http://$IP
export domain=undiscovered.thm

Enumeration

First we need to add the domain in the /etc/hosts file to get access to the website. I usually do a subdomain scan after I get a domain using wfuzz or gobuster , I prefer wfuzz because are faster than gobuster.

wfuzz -c -f enumeration/subdomains.txt -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hl 7 -t 200 -u "http://$IP" -H "Host: FUZZ.$domain"

I found a lot of subdomains. After some minutes of enumeration I see that deliver subdomain are different from the others, so I begin with it.

cat enumeration/subdomains.txt| awk '{print $5,$9}'| uniq | sort
341 "booking"
341 "dashboard"
341 "deliver"
341 "develop"
341 "forms"
341 "gold"
341 "internet"
341 "mailgate"
341 "maintenance"
341 "manager"
341 "network"
341 "newsite"
341 "play"
341 "resources"
341 "start"
341 "terminal"
341 "view"

When I have to enumerate a website I start with fuzzing using feroxbuster and dirsearch.

After a long time I use hydra to brute force the admin user password.

I also find an interesting script to exploit this CMS version.

After some minutes of enumeration I got stuck, so I go back to open ports and there’re NFS share folders, but I cannot access. Verify /etc/exports to see which folder are shared.

So folder /home/william is shared and can be accessed. Let’s see his uid and gid:

It’s 3003. Create a user “william” on your machine with the same uid and gid, and mount the folder to see what’s inside.

Found the user flag and another useful files.

Ok, so if I execute script without argument, it will exec admin.sh. But if I provide with argument, I can read this argument(strcat) as leonard priv.

Now let’s login with the id_rsa key.

After minutes of enumeration I found how to get root privilege. See the capabilities.