### 120

Okay, this one is definitely the hard one. We may have missed some ports when we scanned, so we redo it. A full port scan (the scan takes a really long time) shows us these open ports:

- 22222 - THIS IS AN SSH PORT THAT WORKS!
- 60000 -
Rough Steps

1. After recon we find a robots.txt. Inside are 2 files, tracertool.cgi and toor_shell.cgi. The root shell doesn't actually work, but in tracertool we can actually use the bash eval command in a limited capacity.
2. During recon we also used dirbuster to find other directories, and there was also a /passwords/ directory. Inside is a flag and an HTML page, and commented in the HTML is password: winter.
3. With access to an extremely neutered bash eval command prompt, we can actually use `; cd /etc; head passwd`. The reason why we have to use `head` instead of `cat` is that the cat binary is replaced with a script that prints an image of a cat to the screen instead.
4. From the output of the passwd file, we see that there are 3 users: Summer, Morty and RickSanchez. Assuming Summer's password is 'winter', we can log in to the FTP server as her, allowing us to dig around a little bit more, as for whatever reason Summer is allowed to change directories to any of the allowed system dirs.
5. We can SSH into the box as Summer via port 22222. We get to use strings or head on the file of
6. We copy safe to Summer's home dir.
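The root cause behind step 3 is that tracertool.cgi hands its target parameter to a shell, so a `;` in the input starts a second command. As an added example (not part of these notes or of the box itself), here is a constructed Python model of that vulnerable pattern beside a hardened version that allow-lists the target as an IP address or hostname and passes it as an argv element rather than a shell string; the function names are my own.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Strict hostname grammar (RFC 1123 labels): letters, digits, hyphens, dots only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(target: str) -> str:
    # Model of the broken pattern: the raw CGI parameter is glued into one
    # string handed to /bin/sh, so ';' ends traceroute and starts a second command.
    return "traceroute " + target


def is_valid_target(target: str) -> bool:
    # Allow-list check: an IP address or a hostname, nothing else. Shell
    # metacharacters, spaces and a leading '-' (a traceroute option) all fail.
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def build_traceroute_argv(target: str) -> Optional[List[str]]:
    # argv list for traceroute, or None if rejected. With an argv list there
    # is no shell involved, so ';' is just a character in an invalid hostname.
    if not is_valid_target(target):
        return None
    return ["traceroute", target]


def run_traceroute(target: str) -> Optional[str]:
    # Hardened handler core: validate first, then exec without a shell.
    argv = build_traceroute_argv(target)
    if argv is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=120, check=False)
    return proc.stdout
```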
Facts

- Summer's password is located at 192.168.1.120/passwords/passwords.html in the HTML source
- Morty has 2 files in his user dir, "journal.txt.zip" and "Safe_Password.jpg"
- Rick has a few things: a dir named "RICKS_SAFE" with an executable file named "safe", as well as another dir with basically nothing in it.
- The password to "journal.txt.zip" is Meeseek
- The password to Rick's safe is 131333
- RICKS PASSWORD: P7Curtains
Connect to the SMB server and join the share$ share. The admin allowed access to all of the server files. Through this we find out that there is a WordPress page on the server, and inside there are a lot of lines of text that read "My name is togie". Inside the share$ share you also find that there is a /deets.html file with the password "12345" in it. It took a minute to connect the dots, but you can SSH into the server as togie with 12345 as the password. Togie is the admin and therefore root privilege is now yours.
Java RMI exploit. see the vuln assessment for more
exploit manageengine_connectionID_write
exploit - drupal_coder_exec luke_skywalker (root) pw: like_my_father_beforme