{THM} Brute
During my studies I only managed to do challenges at the weekend, since my university blocks the VPN and it is hard to get an alternative connection with limited resources. So, the journey continues again. This machine is rated Medium and was created by hadrian3689.
We start with port enumeration.
We try to log in to the FTP service, but anonymous login is not accepted.
Let's move on to the website.
Nothing on the website itself stood out and I couldn't find any interesting information there. The MySQL port, however, might be useful.

Let's try the default username root, since it exists on almost every MySQL installation, and brute-force its password with hydra.
In the database we find a credential for Adrian that can be used for the website. The password is stored as a hash, so crack it to recover the plaintext.
After logging in as Adrian, the web application shows only this page.
At first glance I notice a failed login with username anonymous, timestamped 3 minutes ago, which matches my own earlier attempt. Let's try it again to confirm.

Yes, that's it: our login attempts end up in this log, which means we can poison it with a command. Use a basic command injection to confirm execution before moving on to a reverse shell.

Since command injection works, we put in our reverse shell, base64-encoded once, because the page redirects to the main page by default after submission. Then open the log page again with a listener already running to catch the connection.
Once we have access as www-data, it is time to move to the main user on this machine, Adrian. Unfortunately, we cannot read the user flag yet.
But the .reminder file has juicy information. It mentions the rules "best of 64" and "exclamation". Further reading shows that this refers to the well-known best64 password-mangling rule set, which derives a list of candidate passwords from a base word, here ettubrute. Since it also mentions +exclamation, the password probably ends with !, so the starting point becomes ettubrute!
Using hydra, brute-force this user's password again with those candidates.

After a while we get Adrian's password. Log in as Adrian (via ssh or su).
Reading the files 'ftp' and 'files' reveals a script that reads every line of punch_in and writes it to the console.

In Adrian's home directory we find two files, punch_in and punch_in.sh. Since punch_in is consumed by that script, which runs with root privileges, and Adrian has permission to write to it, we place our shell command there.
Base64-encoded, the command looks like the following.

On our listening terminal we get a shell as root.
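The privilege escalation above works because a script executed as root consumes lines from a file that an unprivileged user owns and can write. The following is an added example, not the machine's punch_in.sh (the write-up describes that script but does not reproduce it), modelling that pattern in a temporary directory: the weak version evaluates each line, the hardened version treats the file as data, and a pre-flight ownership/permission check shows why the file should never have been trusted. That the root script passes each line to the shell is an assumption; the record format "YYYY-MM-DD HH:MM user" is also assumed.

```shell
#!/usr/bin/env bash
# Added example; not the room's punch_in.sh. Assumed: the privileged script
# evaluates each line of the file (eval). Runs entirely under a temp dir as the
# current user, so nothing here touches the real system.

WORK=$(mktemp -d)
PUNCH_IN="$WORK/punch_in"
PROOF="$WORK/ran_with_script_privileges"

# Constructed contents: one legitimate record and one injected command line.
printf '%s\n' '2024-01-01 09:00 adrian' "echo pwned > '$PROOF'" > "$PUNCH_IN"
# Make the file writable by more than its owner, as a low-privileged user's
# data file typically is (in the room it was simply owned by adrian).
chmod 664 "$PUNCH_IN"

# Pre-flight check a privileged script should perform before consuming a file
# (and the check an attacker runs in reverse when hunting for this bug):
# is it owned by root and writable only by root? Echoes trusted/untrusted.
check_trusted_input() {
    local file="$1" perms owner
    perms=$(ls -ld "$file" | cut -c1-10)          # e.g. -rw-rw-r--
    owner=$(ls -ld "$file" | awk '{print $3}')
    case "$perms" in
        ?????w????|????????w?)                     # group- or world-writable
            echo untrusted; return 1 ;;
    esac
    [ "$owner" = root ] || { echo untrusted; return 1; }
    echo trusted
}

# The weak pattern: every line is handed to the shell, so it runs with the
# privileges of whoever invoked the script (root via cron in the room).
run_punch_in_vulnerable() {
    local line
    while IFS= read -r line; do
        eval "$line"
    done < "$1"
}

# Hardened pattern: lines are data. Only records matching the expected
# "YYYY-MM-DD HH:MM user" shape are printed; anything else is counted and
# ignored, never executed. Echoes the number of rejected lines.
run_punch_in_hardened() {
    local line rejected=0
    while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2} [A-Za-z0-9_-]+$'; then
            printf 'punch-in: %s\n' "$line" >&2
        else
            rejected=$((rejected + 1))
        fi
    done < "$1"
    echo "$rejected"
}

# Did the injected line actually execute?
injected_line_ran() { [ -f "$PROOF" ]; }
```

Call `check_trusted_input "$PUNCH_IN"` first; it reports untrusted because a non-root user can change the file. `run_punch_in_hardened` then rejects the injected line without running it, while `run_punch_in_vulnerable` executes it, which is exactly what handed over the root shell above.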
Alternatively, I tried to practise the bin/bash SUID method, but unfortunately it was not successful.
Log poisoning.
Sanitize input for scripts