As with every scan, I run AutoRecon to do my introductory scans:
During the initial port scan I noticed port 80 was open. It led me to a website with some pictures listed (even though the picture makes you suspect otherwise).
Pretty sure Please Login is the biggest clue this box gave.
I clicked login. At the login page, you will need to bypass the login screen. You can utilize Burp or be lazy and follow this Exploit DB paper. I added ' as I was unable to put spaces in the login prompt.
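The login bypass above works because the form splices user input straight into the SQL string, and the credential dump later in this writeup works because the database stores passwords in the clear. As an added example (my own code, not the box's PHP and not from the author), here is what the login check should look like on the server side: the username is bound as a parameter, so a lone `'` is just data, and only a salted PBKDF2 hash is stored, so a dump of the table yields no reusable password. The table name, user and password are constructed sample values.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed sample account for the demo; not credentials from the box.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "correct-horse-battery-staple"
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's login table (sqlite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    salt, digest = hash_password(SAMPLE_PASSWORD)
    conn.execute("INSERT INTO login VALUES (?, ?, ?)", (SAMPLE_USER, salt, digest))
    conn.commit()
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup: quote characters in `username` cannot change the query."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM login WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same hashing cost so response time does not reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def plaintext_in_dump(conn: sqlite3.Connection) -> bool:
    """Simulate a mysqldump-style export and check whether the password leaks from it."""
    dump = "\n".join(conn.iterdump())
    return SAMPLE_PASSWORD in dump


if __name__ == "__main__":
    db = build_demo_db()
    print("valid creds  :", login_safe(db, SAMPLE_USER, SAMPLE_PASSWORD))
    print("lone quote   :", login_safe(db, "'", "anything"))
    print("wrong passwd :", login_safe(db, SAMPLE_USER, "wrong"))
    print("plaintext in dump:", plaintext_in_dump(db))
```

The same pattern applies to MySQL through prepared statements (`mysqli` or PDO in PHP); the point is that the query text is fixed before any user input reaches the driver.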
I uploaded a file imhere.png
I then checked my GoBuster log from AutoRecon, which showed /images/ as a directory. I tried upload and then uploads with success. Next, after a lot of trial and error:
Exiftool and an article on Nullbyte pointed me in the right direction. Copy above and make sure to change HTBIP to your IP. Next set up a reverse shell at the port specified. Navigate to the URL and it will spawn the shell. In my case it was http://10.10.10.185/images/uploads/inception.php.png.
The following should be noted:
- I had to upload the image again if I lost the session.
- .PHP.PNG is required. I could not get above (or any other oneliner) to work without .PHP before.
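The two notes above describe the upload weakness from the attacker's side: the server keeps the client's filename, a `.php` segment anywhere in the name is enough for the PHP handler to pick the file up, and the image content is never inspected. As an added example (my own code, not the site's upload handler), here is a validator that closes all three gaps: it allows exactly one extension from an allowlist, rejects any script-looking segment such as the `php` in `inception.php.png`, checks that the bytes match the claimed type, refuses content carrying a PHP open tag (which is where the EXIF-comment trick puts it), and stores the file under a server-chosen random name. The extension and marker lists are my own choices.

```python
import os
import secrets
from typing import Tuple

# Allowed image types: final extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a web server may hand to an interpreter, no matter where they sit in the name.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}

# Byte patterns that have no business inside an image upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(client_name: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_stored_name) for a candidate upload."""
    base = os.path.basename(client_name).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "filename needs a single extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    # 'inception.php.png' splits into ['inception', 'php', 'png']: reject the inner 'php'.
    if any(segment in SCRIPT_EXTENSIONS for segment in parts[1:-1]):
        return False, "executable extension in name"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    # Never reuse the client's name: random name, single extension chosen from the allowlist.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample bytes: a PNG signature followed by filler, not a real image.
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, blob in [
        ("imhere.png", fake_png),
        ("inception.php.png", fake_png),
        ("photo.png", fake_png + b"<?php echo 1; ?>"),
    ]:
        print(name, "->", validate_upload(name, blob))
```

Marker scanning is a cheap last line of defence, not a substitute for re-encoding the image (which drops EXIF entirely). The server-side half of the fix is configuration: an Apache `AddHandler` line for `.php` matches that extension anywhere in a multi-extension filename, which is exactly why `.php.png` executes; pin the handler with a `<FilesMatch "\.php$">` block or serve the upload directory with PHP disabled.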
After getting a low priv shell I use the following command to get a more intelligent shell:
I then went looking for database/config files for the website for escalation:
Inside the db.php5 I found the next piece of the puzzle.
With the database credentials found I dumped the database looking for a user or additional configuration information.
Found the creds for theseus in the mysqldump
I proceeded to try to switch to admin without success. Finally I found:
The next step was to get some persistence and do some escalation. I created an SSH key:
and used the echo command to copy the key onto theseus's profile:
I then logged in as theseus:
I spun up an HTTP server (check BUFF if you don’t know this part). I uploaded LinPEAS. I would also upload pspy64 here (spoilers).
LinPEAS showed me that sysinfo is definitely my target.
Running pspy64 followed by sysinfo to see the commands being run.
Again this part took me a long time, but the best approach I can give is to create the file you're going to be escalating with (in my case lshw, as it was first) locally. Then use wget to pull it down.
On Parrot (create a file called lshw with below)
then create a listener using the port specific above (mine was 4444).
On Victim (pull, permissions, etc.)
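What makes the lshw trick work is that a privileged program runs helper tools by bare name and lets the caller's PATH decide which binary that name resolves to. As an added example (my own audit code, not from the box or the author), here is a small checker a defender can run against the command lines pspy shows: for every command that is not given as an explicit path it walks PATH in order and reports the first directory that an unprivileged user can write to before the genuine binary is reached. The sample command line and PATH below are constructed, and the filesystem predicates are injected so the logic can be exercised without touching the real system.

```python
import os
import re
import shlex
import stat
from typing import Callable, Dict, List, Optional

# Split a shell command line into its simple commands: 'a; b && c | d'.
SEGMENT_SPLIT = re.compile(r"\s*(?:\|\||&&|[;|])\s*")


def dir_writable_by_others(path: str) -> bool:
    """True if a non-root user could drop a file into `path` (world-writable or non-root owned)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_IWOTH) or st.st_uid != 0


def find_hijackable(command: str, path_entries: List[str],
                    exists: Callable[[str], bool],
                    writable: Callable[[str], bool]) -> Optional[str]:
    """Return the first writable PATH directory searched before the real `command`, else None."""
    for directory in path_entries:
        if writable(directory):
            return directory          # a planted file here would win the lookup
        if exists(os.path.join(directory, command)):
            return None               # genuine binary found before any writable directory
    return None


def audit_command_line(cmdline: str, path_env: str,
                       exists: Callable[[str], bool] = os.path.isfile,
                       writable: Callable[[str], bool] = dir_writable_by_others) -> Dict[str, str]:
    """Map each bare-named command in `cmdline` to the PATH directory that could hijack it."""
    findings: Dict[str, str] = {}
    for segment in SEGMENT_SPLIT.split(cmdline):
        tokens = shlex.split(segment)
        if not tokens:
            continue
        cmd = tokens[0]
        if "/" in cmd:
            continue                  # explicit path: PATH is not consulted
        hit = find_hijackable(cmd, path_env.split(":"), exists, writable)
        if hit is not None:
            findings[cmd] = hit
    return findings


if __name__ == "__main__":
    # Constructed scenario: caller prepended a directory it controls to PATH.
    real_binaries = {"/usr/sbin/fdisk", "/usr/bin/lshw", "/bin/cat"}
    writable_dirs = {"/tmp/work"}
    path = "/tmp/work:/usr/local/bin:/usr/bin:/bin:/usr/sbin"
    sample = "fdisk -l; lshw -short; /bin/cat /proc/cpuinfo"
    print(audit_command_line(sample, path, real_binaries.__contains__, writable_dirs.__contains__))
```

The fix on the program side is the mirror image of the check: invoke helpers by absolute path, or reset PATH to a fixed trusted value before any `system()`/`popen()` call, so nothing the invoking user controls influences which `lshw` runs.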