Posts
p0i5on8
Cancel

We use wfuzz with prefilter option and custom wordlist to find the location of tomcat-users.xml and then use LFI to read it. Because of manager-script role of tomcat user, we had to use curl to upload a malicious war file. We use fcrackzip to brute force the password of a zip file. Finally, we take advantage of user being a member of lxd-group to get root shell.

We find backup sub-domain using ffuf which contains a disabled form with LFI vulnerability. We use php://filter wrapper to read a php file containing a user password. We analyze a SUID binary and create a soft link using bash one-liner to read a config backup file. We decrypt an encrypted message using brute force and looking for common words in decrypted message. Finally, we decrypt and mount a LUKS encrypted file which contains id_rsa private key of root.

We setup our own MySQL server to exploit Adminer 4.6.2's file disclosure vulnerability and get SSH user creds. We use python library hijacking to get a reverse shell as root by changing the PYTHONPATH environment variable.

Using gobuster, we found balance-transfer directory that contains some encrypted files, one of which contains plaintext creds. SSH using the creds, and run the emergency SUID binary to directly get root shell.

Using Local File Inclusion vulnerability in NVMS-1000, we can read a txt file containing list of passwords, one of which is Nadine's password. We use port forwarding to access the service on port 8443 as localhost and use NSClient++ privEsc exploit to get SYSTEM shell.

We upload malicious php file using Remote File Inclusion vulnerability in a webpage to get Remote Code Execution and then get reverse shell as www-data. For PrivEsc, we manually exploit the screen 4.5.0 SUID binary

We exploit NoSQL Injection in a mongoDB website to get user credentials and SSH using the creds to get user.txt Finally, we exploit jjs SUID binary using gtfobins to get root shell.