What do we do first?
We start by defining the constant values (target IP, wordlist path) as shell variables. This speeds up our work and keeps us from losing track of the goal.
You can look in the /usr/share/wordlists directory for other wordlists you can use.
Let’s go one step further and explore the open ports of the machine in front of us with nmap: nmap -sV -sC -oN nmap_result_1.txt --script=vuln -T4 -A $target_ip
-sV: Version detection to determine the version of the services running on open ports.
-sC: Run default scripts. This is equivalent to using --script=default.
-oN nmap_result_1.txt: Output the results to a file named nmap_result_1.txt in normal format.
--script=vuln: Use scripts from the Nmap Scripting Engine (NSE) to check for vulnerabilities.
-T4: Set the timing template to 4 (Aggressive), making the scan faster.
-A: Enable OS detection, version detection, script scanning, and traceroute.
This can provide you with a comprehensive report, but you also need to be a little patient because the results may take a while to arrive.
We learned that ports 22 (SSH) and 80 (HTTP) are open.
We also have some version information; you can search for known exploits for those versions if you wish.
Now let’s place the target machine in our /etc/hosts file and make it ready to use in our tests.
Then ping it to check connection.
Everything seems fine.
Let’s go to the directory discovery phase, use gobuster and check if there are other pages. You can also choose other tools such as ffuf for this.
With gobuster: gobuster dir -w $wordlist_dir -u http://ourtargetsite.thm
Or with ffuf: ffuf -w $wordlist_dir -u https://ourtargetsite.thm/FUZZ -c -v
We discovered some interesting pages with this method.
Now let’s go to our destination and take a look at what’s on the /img page.
We might consider starting to analyze the images. Let’s download these files to our local machine.
Time to dive deep! We need to inspect these images.
We can check for hidden data with steghide: steghide info white_rabbit_1.jpg
We see an embedded file. Now we need to extract it: steghide extract -sf white_rabbit_1.jpg
Perfect. Now examine the file.
Interesting… After a few guesses, you may suspect that this message describes a directory path or a directory structure.
Let’s check!
It seems like it has a certain order. We need to check this theory of ours. Let’s create a wordlist with this layout and apply it for directory discovery.
We have the 301 codes, so we thought right… Now it’s time to go to the end!
A message like this greets us at the end of the sequence.
Let’s inspect the page source.
We’ve obtained the password for Alice! Remember that SSH is on. Now we can connect with this password.
Yes, we are inside! Try some commands.
As you can see, we need to increase privilege for some files. Let’s examine a little more.
We also saw other potential usernames.
Do you remember the authorization information we obtained with sudo -l?
From this output we see that the alice user can run the file we just viewed as the rabbit user through the Python interpreter, using the sudo command mentioned above: sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
The output is just a block of standard text. Let’s analyze the Python file itself.
We need a privilege escalation method based on Python. We can use https://rastating.github.io/privilege-escalation-via-python-library-hijacking/
This method is called “Python Library Hijacking”.
We can create our own random.py file and get the privileges we want. First we should confirm that the theory is correct, so that we don’t trigger any defenses with a wrong approach…
Let’s try.
Yes! Now it’s time for the real method. Rewrite the file.
Run again.
Did you see that our user has changed? We were successful.
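The reason this works is worth stating from the defender’s side: a plain `python3 script.py` puts the script’s directory at the front of sys.path, so any file named random.py sitting next to the script is imported instead of the standard library’s copy. The check below is an added example written for this page (not code from the room or from the linked write-up); it simulates the search path a script would have, reports where each import resolves, and flags a module whose resolution changes when the script directory is present. It also models `python3 -I` (isolated mode), which CPython documents as leaving the script directory out of sys.path. The script name and the planted random.py are constructed in a temporary directory for the demonstration.

```python
import os
import sys
import tempfile


def first_hit(module_name, search_path):
    """Return the first file Python's path-based finder would accept for
    `import module_name` when scanning search_path in order, or None.
    Approximation: built-in/frozen modules and .pyc-only entries are
    ignored, which is enough to spot a planted source file."""
    for entry in search_path:
        base = entry or os.getcwd()  # '' on sys.path stands for the cwd
        for candidate in (os.path.join(base, module_name + ".py"),
                          os.path.join(base, module_name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def audit_script(script_path, module_names, isolated=False):
    """Simulate the search path `python3 script_path` would use and report,
    per module, where the import resolves and whether that differs from the
    interpreter's own copy.

    Plain invocation inserts the script's directory at sys.path[0];
    `python3 -I` (isolated mode) does not. A module counts as 'shadowed'
    when the first hit with the script directory present is not the first
    hit without it.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    baseline = [p for p in sys.path if p]           # stdlib and site dirs
    effective = baseline if isolated else [script_dir] + baseline
    report = {}
    for name in module_names:
        legit = first_hit(name, baseline)
        actual = first_hit(name, effective)
        shadowed = actual is not None and actual != legit
        report[name] = {
            "resolves_to": actual,
            "shadowed": shadowed,
            # If the invoking user can write here, a sudo rule that runs this
            # script as another user is a privilege-escalation path.
            "dir_writable_by_me": (os.access(os.path.dirname(actual), os.W_OK)
                                   if actual else None),
        }
    return report


def demo():
    """Constructed scenario: a script directory that also holds a file named
    random.py (inert; it only has to exist to win the lookup). Returns
    (random shadowed when run plainly, random shadowed under -I, json shadowed)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "walrus_and_the_carpenter.py")  # name from the room
        with open(script, "w") as fh:
            fh.write("import random\nprint(random.choice(['a', 'b']))\n")
        with open(os.path.join(d, "random.py"), "w") as fh:
            fh.write("# stand-in for a planted module; intentionally empty\n")
        plain = audit_script(script, ["random", "json"])
        isolated = audit_script(script, ["random", "json"], isolated=True)
        for name, info in plain.items():
            flag = "SHADOWED" if info["shadowed"] else "ok"
            print(f"{name:8s} {flag:9s} -> {info['resolves_to']}")
        return (plain["random"]["shadowed"],
                isolated["random"]["shadowed"],
                plain["json"]["shadowed"])


if __name__ == "__main__":
    demo()
```

The remediation follows directly from what the check reports: a sudo rule that hands an interpreter to another user must point at a script whose file and directory are owned by the privileged account and not writable by the invoking user, and the interpreter should be started with -I so the script directory is never searched for imports.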
We need to go exploring.
There is an interesting structure called “teaParty”… It’s time to find out what it is.
It looks like it can be run. Try.
It is gratifying to know that we are right.
No matter what we write, it throws us out. Now let’s check the content and gain additional information.
Interesting… The output contains a “date” string, but date is not called with a full path. This program, called “teaParty”, uses the “date” command to handle its time-related output.
Time for some deep thinking! We can find a directory we have write permission on by checking the main directories.
As you can see, we have permission to write to the /tmp directory.
Let’s go to the /tmp directory and create a date file.
Now let’s change the “PATH” variable.
PATH is now manipulated as well. Our favorite step: make the file executable and get what we want.
Then run it again.
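The weakness exploited here is a privileged program calling “date” by bare name and trusting the caller’s PATH. The script below is an added example written for this page, not code from the room: it audits a PATH string for entries that let a planted binary win the lookup (relative or empty entries, and directories the current user can write to), shows how a bare command name resolves under a given PATH, and shows the hardened way to call the command (PATH reset, absolute path). The writable directory and the inert file named “date” are constructed with mktemp for the demonstration.

```sh
#!/bin/sh
# Added example (not from the room): audit a PATH value the way a defender
# reviews a privileged binary that calls "date" without an absolute path.

# List PATH entries that let a planted binary win the lookup: relative or
# empty entries (resolved against the cwd) and directories the current
# user can write to. Returns the number of such entries.
audit_path() {
    _rest="$1:"
    _bad=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            ""|[!/]*)
                echo "RELATIVE  '${_entry}'"
                _bad=$((_bad + 1)) ;;
            *)
                if [ -d "$_entry" ] && [ -w "$_entry" ]; then
                    echo "WRITABLE  $_entry"
                    _bad=$((_bad + 1))
                fi ;;
        esac
    done
    return "$_bad"
}

# Resolve a bare command name against a given PATH string the way the shell
# (or a program calling system()/execvp) does: the first executable file
# wins. Prints the path; fails if nothing matches.
resolve_in_path() {
    _name="$1"
    _rest="$2:"
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        _candidate="${_entry:-.}/$_name"
        if [ -f "$_candidate" ] && [ -x "$_candidate" ]; then
            printf '%s\n' "$_candidate"
            return 0
        fi
    done
    return 1
}

# How a privileged helper should call an external command: reset PATH to a
# fixed, root-owned set of directories and use the absolute path, so the
# caller's environment cannot redirect the lookup.
pinned_date() {
    (
        PATH=/usr/bin:/bin
        export PATH
        exec /bin/date -u "$@"
    )
}

# Constructed scenario mirroring the walkthrough: a writable directory placed
# before the system directories, containing an inert file named "date".
demo() {
    _d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$_d/date"
    chmod 755 "$_d/date"
    echo "== PATH audit"
    audit_path "$_d:/usr/bin:/bin:." || echo "-- $? risky entries"
    echo "== lookup of 'date' with the writable dir first"
    resolve_in_path date "$_d:/usr/bin:/bin"
    echo "== same lookup with system directories only"
    resolve_in_path date "/usr/bin:/bin"
    echo "== pinned invocation"
    pinned_date +%Y
    rm -rf "$_d"
}

demo
```

Run against the real environment with audit_path "$PATH" to see which entries a review should question; a setuid or sudo-invoked binary should never inherit a PATH that contains a world- or user-writable directory, and its own code should call helpers by absolute path after resetting PATH, as pinned_date does.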
We have successfully passed another major stage! Now let’s deepen the analysis.
We discovered a password. Let’s try connecting to this user via SSH.
Login successful.