Author: Agoonie
Date: 2018-03-13
* Target IP (192.168.126.131)
The VM is setup with host-only in VMware workstation. I identified the IP address with a ping sweep.
* Full Scan (nmap)
I used nmap for a full port scan, which found ports 21 (FTP), 22 (SSH) and 80 (HTTP) open.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJzDeJ2-4iqBHQShWkfzQmcCiBcszP66OPXYOuN40tMnzRsuL3X_dPewYuIY34LcNMczgLZF2xalb0-IGeVS1xsVScKXBq6hOtecAUG4G_9A10RiG_XzB1qPPMgYqAIig_yiz368kf2kfK/s400/screenshot2.png)
* I took a quick look at port 80 to see what kind of web app was presented. There was not much to see, so I moved on to directory enumeration with DIRB.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje5eEcT82L6SO2gzKf-w4OK1YICnbUypLnTsTBRftjqxnaG6-NdkeaEdoZQnm-bvdJ2lWXdLCLUblzShADew0AQxRxYGMebYgJPpzSCL121RXGfo2ZTUfR5XlIolbHrnAHHn1_TQH-0WIM/s320/screenshot3.5.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoebzRLtkDRUXggoseb_bpFXjrZ-IhDCxpy_nS9BmcZUy1Ob7GuDHKN-myJ06xeZHhbOJ3TRl0BKT6zQ8Gv0TSw2nAT73e1BOeIk5s7yeMh288HnfIHVeDBg51nqFUU8sDFl_k1uXb2I9i/s400/screenshot3.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC_5rdFEJTPcbnsMb7Hqg29fBYT-k68JIgmWlRcB6R6fcEZRgkIfIW-m2Ao9ZZwQiy6P9VFFe7xBKlq6YiJP8ixJvBpOud0qpVtFSCVu0wQ0ms4dE-EnB0jowxUj09kiSY0cxvJKWXRq_o/s400/screenshot4.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH2N5UZfbTFom_qAR9SfXTPdA8oVTbvnyklqF8J_CnR7jNXK12mlYd9cBSsoAFlOQfXDHd_dHEowRiVzILxyirNbAZbPuB327iYrfLtolGnO0daOMHkCqNEmU04MJDzhZVOgTdfAH_udCP/s400/screenshot5.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJG3mXJCUlqArg_DuEz8hh7AB6SMMBjJzHcMHg4BCRQREnphffKjk7yYi4yDIgWRs12Y10L7TuP2wcx5xWKblv1TiuTnz5OR5snmNKeLAOP0Yj2Rq-XiT4GBhDp7S03y9pWoC1SjXj4Mz_/s400/screenshot6.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxwlUBlYKtMcrt3Ks4dWQnhHcH4ZAr3JN27oqMl-tcmSmy5ZTuzpLHNwWPEj_hYqef7CYI61y1Vz6OzcocHcF5v0rv-Nnh0GYzRVOU51IjcWAkUxFsL1de-Dhdh1JVXK8OfvIAnVDSQ2ji/s400/screenshot7.png)
Looks like there is a WordPress install in the weblog directory. Let's try the usual default credentials, admin:admin, and see if they log me in.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhorXVQ6TeiGie4b8b_uTJVkLMBeoRH39J399bEeRktEgixKblNDo04niT19EfXhY6cx8sCzzHO9bEeOYEmZlcCnZfBMWuKzgydzFwgoicFfJ-U5upao4K7DoJCedW6Jw6H5U2Y0Ho5hjNZ/s320/screenshot8.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj800rxEYvQ_4Ub18OLvPDL5EjdsTcQA1U5NZygYdQBPElFDw_yJ3PDi9ey8Vg5TijS-3FtwL1f3thEy5NHNiLtN175_QPIfrz_mUq-vC3YhQKZlsdZFBaA5M6RMmKc53aVHmIDlIiAeV8Y/s400/screenshot9.png)
That worked. I did more searching while looking around in WordPress, checked out more directories and ran a Nikto scan.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSw_78rvUGpfKORTLyRoeZSh38yk6BJ2hHH5kFamrGGETmDKPr02PofWbFIAbZbcE7NBnDXUPLECgRPJm8NrZPfeTIeMoXs9MJxAfX3P3qj1E-WJ1GCSS_QqpzkjqJ2rlQg4sasgfoKfgb/s400/screenshot10.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN7o3adp5DqxIscCFK-qRoEjC3q2w9Z_A_Yt8Yu2V5Rl2I6cXHf9Qvq2Ko81ZdfSie2ec1FzQBckPJyqe1YeFeiHATTB7AxxyFLitTBspRAff5qjp4BEOvishrpoD7OSTMItPp6yUzBIYz/s400/screenshot11.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqH1U6zsk9Y2vVha2w47buSCyUyQxhFI4F38iBpb4y08LV2SHIL3ovwVG90yzj-cDiV8139H-umMsb9Tc9Jsd0DED5x43qIPZs4YYvvXuoJT72fM_ZfkOxI0LFpSnimHKiAqt9a2G7qtdr/s400/screenshot12.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWkqIMzN_QX9VOPsO6ZoSjOrLqeqBZH5kzaYzXpXQHYLTuyTCJtS9qC97UmjkcejVYZOAn7W7TuaHTq7DZ-h2PoFWlwU_GPMx_UZI99lfJkea4r-pOjG_1lO8Frfyk7Ou4CbnztnVDOXS/s400/screenshot13.png)
Ah, "try harder", still have nightmares. Anyway, on to more scans: I ran WPScan to see whether the WordPress install had any known vulnerabilities.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpXwJUhfVbDxwt15V88nKT5n4kagzbPsoW72-qMwYIeRC-0CoTwc-e7AiToS8We8q6NiKkSzgEcGYW6miOdVvMHChaCpw1nRDcp10pB-XYvGtnibeNOYbGSJlyc6tJgHWvSqKMiUIRNHF5/s400/screenshot14.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSjV1WD5OgMRJNT9jTS0KhEGcpnTa9l_IibSt3YaLG6Lq9bDix8HOJipeXt9XgrqrsJyuQI5A3ss3a53W_7vbR7etjHrr1QNiKuWWGbqq3q7mZJKq0OiUS12kXe661s8qeFknZvxjI52lI/s400/screenshot15.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-GGVwa_s4Q7A9QRLnxVNkiQ1PKNwm0yQskvJzXYSB8GNYB8fI7ZEqYVUR-2taNu-yB1ce0mjDC7XA97fo0j9CBeDI-MjJFQttxeWTmWGCXIjghihQNL82WntfYSdPDkHqL-EAxCrPk_vO/s400/screenshot16.png)
The scan flagged a file upload vulnerability in the Slideshow Gallery plugin, which I used to upload a web shell. I generated a PHP Meterpreter reverse-shell payload with msfvenom that calls back to port 5555 and named it agoonie.php. With a Metasploit handler listening on port 5555, browsing to the uploaded file makes the server execute it and the session comes back to me.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirE_KGmDA2BzXF-ll8QSDmpp8dtKGyHsxEv6aPKRepZ4W-dZQG-1hH2Y1MXsX34afaRLT6HCi3WVbHxAS-A4BT4ekqLLFCb_X3bKaGkYXMofB30mpm7TWIiF5lujcKp9_-829_Sf24XXKU/s400/screenshot17.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpnopvYi8kaTmuxfOfoh1JxA7moPkZ6uRZiYz-qaT9VKgQEkEYN0t0NFULtx6b3f-4RY00I35WBwA7FouTeymvwgQQYeZ-YUKPSvLQv8LQ5VtMzb2ivqBlLLUiAOmN40URuQ2Rd5hrchvA/s400/screenshot18.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL1YVOSx8ssC9UTqlmzfPcuHn1kTu0FHj-D2_539MpaNDjk9lYaUjpM9LYI_USLRb__TvBR5AokmnbLUrb8V-trr-TNWGRgoDKQNBVqWth0uCiDRopgWVYyZWbLhryrQe1MNDvHDWQAKGw/s400/screenshot19.png)
Looks like that worked. Now, to find out the usual information about the server. It will help when I am trying for privilege escalation.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWS1ubDH7UCGL9uzOtf0S_uhMLfazdxxBX3AQZe5mSvwn_lhTwCxa2nDqMjC-Kjpcgt1V4B041UtKfDIhvVwvIeJMdaAC0JaBDYFii0zMHY1KVJGxMeSDQy5DDxSX0Nx6A7YFptDNGPH7I/s400/screenshot21.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje5akXb37RqaV3xsv8_NVmD1vxVzONuL72P5ghE5bGE_jxmhf2CQc1eP1fhMl3lzLi1NIUkrokIGSmDUuv3pFoo2srzQRrgut4IyAmvLsU_cgh9mOLKWzLgI5eIVJQe0hpq9q3JMukOnt4/s400/screenshot22.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmrP1fKqmeXyRQNYNqPKlS_D4mayxmDkUBCHAZQkUKEpaf_CnVoFytlsSfCZ60gDgXCQ_JcfPZ5gQB-C-NjG6qN3BlRvCdTiXqUoC1bj5D3xcLR1XJDkk21M9SiEG9pbSZKVMgnU6X1Q65/s400/screenshot23.png)
I can see two users to keep an eye on, stinky and mrderp. They have home directories that I cannot access yet. Let's look at some config files to see what credentials we may find.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifg16weYFfLh67CVL5JXSW-8n-kRLRTY7aBdSB7lvlMNLgYEbFwMRLusKAEaG2_I1U2MhsNCdiBD42cf77G5cIEaxf5oih9PHZcDSyeoSWJeAkoqbu581jBym5G8TWzlyUEiWp76WMLka0/s320/screenshot24.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjygcG9swoe9Z3yo4yYbacn15rI8AkOEIGnYa8qN2HH9i0aipdcHnXL97qH9QH4O2oPPHYvjlw6TfeRwEir9SumCixmegm0sQRSOqtDVTvB9-D7KmN3f1NRdR2HAU5A6ASGL1W_iaOjTvTb/s400/screenshot25.png)
We have credentials, but they did not work for the WordPress login. We did see phpMyAdmin earlier, though, and these are database credentials, so let's do the usual digging there.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPA3omrIts2JTYJAgkgJRanQ92ouAOTWeetMgTraNNidIcNLQ_K8nDfQIMzrI79QlFlemjh9GvkCDjaiGDv0k64que3zR6mAYeJ4TG8aA6-AzTZjv_EVbV7RGMENtWC6_mBjTzEz00-F6J/s320/screenshot25.5.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBeehLzovJX2k2ZeY8MWp-VI9u5xfrigV2w7909ZY9WoO2qpHX0Aothsv26tR59OkOwMUS1rfXmMsjqM3qg514wC5kJPNg3KQ3H0qwYVta337a0RoAosbAv4AQ9gMXeQ0NASdNNRPMPku1/s640/screenshot25.6.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK4ugx9lDDV2QJHzqGZK04RyAmcmfcSDFeWLobONl-iSY_2Eb3BqKN_PqYPAsxjXq8xccjNdcnkJLoM7ymrKWNUFPO-pW-Q35d-xtGxiho6da1ZvdEMVJG5EZkHSQUfubQ4dx4yj3VU3NL/s640/screenshot25.7.png)
I looked around at the tables and made notes. Let's try the root account for phpmyadmin.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGjJhpmmeegTCM9VcVDWbu3Qw_kaJs9X-UHesC4wnwILZ3q3du6I-kM1g9Vjg_UX-bXtZ_dL_oynyk3DUidKGBtixyRVY0qvp5xC4j_VS4TX3N2jMlSN6DE3eGvxn8l6MyRWv1uh-2b77S/s400/screenshot26.27.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis3PKI1BJbsYup6rMl-Fu6Nt9h9-IlEghOy9WEfTX0y4VPOgPQaoCU9jyNK8pxwcdouGBkUNHuLNh2IxhZnN-fajVQzhrGlG7VJ-ohimH8sqpgXOW6h7qGoL5uWQ9ZXTya237qEzUWDR1E/s640/screenshot28.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQVqABuzUcues7wowPNGp9HfVZZ1HwGsm1Ta4FJ9x856bC66abYnd47sP8r4BXMu8n6vYTFgHSUCO8hFvvAViMjGNVx_0IxZ7ktK7mntehq0Hm1zqK3IntEIr97IO9qrzLPyrYLIkXbun/s640/screenshot29.png)
We have hashes! Let's try to crack them for more passwords. Well, we have 'unclestinky'.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjblZM9_KepLAmEwSvssY9O5yCMIYb5mcwTOX2xc7AJ6fGWnUQRk_cLFTA41ZZ7k2xF503zZfbzgCeJR8ld7IhFrd-psRtwgwAmXkxxK06u9uPjZ-kxPK2MjpzTcvsvv1fiwa_gqnpE83md/s640/screenshot31.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEx1SdG7GfsxCv5dlF7Ig1MhC6TSb3cKHP610igmk_URMf4J7wmA0URYtyr5chYy0aJDewArp9bMBtfDjIrhfxAoIYIri-q_JEFg_2jq-5O0gOnyyHb5s4NxsJWcsgpaOGUjOySnD4cjFb/s400/screenshot32.png)
Well, we have the second flag, and it is Mexico. I could not crack the second hash. Some day I will build a dedicated password cracking machine like the OffSec guys build. Some day ...
We see more copies of the flag2 hash, which we already have. Let's keep digging. There are more hashes here: we have root, unclestinky and phpmyadmin to check out.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmTB3c7wmz-XcM_y_ZBiMALy0nq94u9L2-jdJyCQP3JMrpIQ4YX0mf9HWe7b7FfbfN282BZNgh0kXrzCYJlDVw6aBaPZB9Rh8su22bwjQkhsuxJLfyXMH4VPE7IGUtrkS3VpElu1CvPsLq/s640/screenshot36.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf7bjTP-i1qjT4UkykymCYpmYrZbLWjDgPH9Yi028Yl3y2e63OIUQoXY0kOb1bccmNQWsNCI60fVMNECKmdJpuE12CbNr6Cr4Cpbh4o9RslxP_4Nc9_70na1Lcj112QC0wQI8J3RawbPO-/s400/screenshot37.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgwAtiOYoMqDADCEEoP1AA0rXE3Soudu-BupNoE6aZoXWPEk1AF-ev2s0CuBN02EsccxMOgZeYHjTuJTsDSshsroBhBbosyJBm5cN489cxiNGmMLpgsTWJqcd11JxcPea1vkmaFIoYPyTT/s400/screenshot38.png)
Let's try 'unclestinky'.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI9XCW_i865S1iP7B03c9peunxTh0lURIvO1kP-Wmc_wTurMSanxXxnD6ju2fmwgnc8sz9OUxsQsotzsmW-9BFiV7YSAeHcqZC8xMrLU4egnm8PN98xy-JePcItxJt3QS1SnMzwNJgx0g3/s320/screenshot33.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw3gv2aBcycHx8BAccsoKR4SPYe_ZKRHjqCtYmtz1ec4r7gasug7KRL75qK2ClBUOhmyc7w4sazL2RhNP8tUuknVk0kwyd-q-KlaRGdQ5Eh_8c8c3KJwgX_VxPBO6dLF62Xo0KVaSLKZaP/s400/screenshot34.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMOZvmj3FehDD6Atg54dQG1wtS9dyYsUC7t0uR6bJVezvyu_9WkZMW3nUq7cFbiq_K7H9WgazAe3yzvSSAlS_oDARRAMBlSCixVMJLnAGs1VMHvw3R4mRXW_gJZvRtcyvNlYPS8uSL_QKN/s400/screenshot35.png)
I looked around for new information, but nothing really stands out. Now that we have another credential for 'unclestinky', we should try FTP and SSH.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU6FKfzG7LgcPA82lZsXRR64rrTt3KaycuHkhQkoFKXRVZo_Y2gE6zuVFh9J5SFmJTU_6sAbVdjv3rJdHGBWCbxBXW8ZLoKiIPfSrE2Y9JDOReaX2H2Fwp4kFcjiSzXollPwwEBjAmzI5c/s400/screenshot39.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_cI7O-8QxEUfa82jhoh0Of2FuwUzk55f5Xu5F2RwDqHqcpiKWFJhu176C20b0UfcW-t5vvvzUEztO6-SlVZa-sZpiNJCks1qh1y8mNgnLdBN7yTA3DXtdC-9mFFkU8KqTw1XFxFmkCRvD/s400/screenshot40.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN_iNG_pWLIaifttmbIGdUnJ8n7M-UB9D-Ht-d97I-WzOtcAIm8bfTW0Xmib01aDRarUg_2YTrwhdAvJQTDyvLifoXOI4JzmWAnf7YxRrB8hgUoTHEcoCus7deWgWMceG-dCb7-teM5unL/s400/screenshot41.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiyHtD9ZMCDj4YnE5b-D6zk6WqO5FMAr0YqZxi5Osqgh5Q_ac8arrcE46ODajcIcICqrMVMmZrMSezohZMevKs0bAQDHqY0rtqe2BghAIhX-GKXjTDZ_ms_LelZqANDWJey00U316G0Lr0/s400/screenshot42.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbWVYfUPdBEKKXNzxwbPW7DObV99AzJX5ARUSj6zzzmYfDGC9tgVhpswhddEhHAY8gZLCK53yALNGeZwmLI-wDNzrgAj3UpN4cSYLkt8DOw2v3W-nyxDtdSlvLAP3-2MT02DClgY15v-_n/s320/screenshot43.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOmBGqROqRIEEPJ0vdfqRe9OimUzl81lnRlJCW1ikU54ur0QwjJmCDca_7Envio5wXZ0OSp3MWxnnZ08ugGxFTbEeT3JtXKSDabiBCQ8EJAQe_8ztnSWJJ54A0edX4QmA8t_c8tulCm2lI/s400/screenshot44.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG5OQ9hdrJPoDqPWNGYQfdkmS8lbhqzFhSou2WC7qAG8EKpl1sLcofiTsgeg1a7iTAg4gsfTP8_yF_AZ_sShohyR1Fjw-BaQs6vH3cmq7OitIzwncX19U07pGnKfeL7Ui-vtgdelaivMwB/s320/screenshot45.png)
Checking out the files: the credentials belong to the sysadmins, which is good. This looks like the SSH private key used to log in, but it is passphrase-protected, so that is a dead end for now. We know there is a packet capture somewhere that we need to find, so let's go back to the Meterpreter session.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7XlU1cRiS-SyGCxek8J_Rjsi6hiBxMw-TV3AIuGAmoC2AGBHQEz5qnOYe4h0NFff4-23RQexFcbGWtaVPtWAXQmTqqGkLykoY9PmoZ4l04uVB2BSh7y6MiokCaY1tA_xfT8zT6RxvkAwv/s400/screenshot52.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcGJhgyH8oLbnqB5PovwAXr9aKqGmJOD_CXn7XFLAnLTV0iLzViFRMU-a6IuF6SLNUVR0Logs-uGBI7SniWSrRVUTGd8khD1z9rfAbT_jhm1Pn3rkn6xpyIHoQOpAu31TmzZ6dTxUmhbF6/s400/screenshot54.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKhqvpMhtUi3MSTN2kTNYljV63AeOsgVLVUu08ztpUBvkw516oWyPDCZlaAV1iKZHkEZg0vpSKlzkeUPBK867Wljw8I2wji3QDhKTqayKTkwZKgqqfKBPWDXTCVn4_PCeDeTPdtmtYtghp/s400/screenshot53.png)
Well, let's see if I can just switch to stinky with the creds.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjotlSmvJwTV-JvCaMbkUH7qCDRdIkbP3ldoCoWsfJd54zFOXQjVRLe_V9TJDsM69h6rrPoah0WQi0sybk9uhC38Z_hAWpgMrJAb3oFYSG_BxoIIhNABPbUpxhAbRCZNQcvR7YMSuL2VTkK/s400/screenshot56.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0aQuwT8_0FxktDoxoY_DvMaLH4cg3_2wagPbIcNkusw5GINdsByvXqZeXfJbmlqKLKx4BWoc4DpckjeSNnvtpXMY133KAwAv5rM-Cp-fr-FCPmqX5iCNKWAEzuZdVn5OfQi5jsx9dkzG_/s400/screenshot57.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqoLomTeMKX-L_3faAoElIUkO4B5JOjojrn6Ye5EXeCJBLwbj-I3KB1wt23hAuyG6JfAFBUvxw-SfSibQbovo9Ry0vjbtZL7fl00xgjaI5O9IzPrH5CfKL4uGBzx7pKSl6aNg-6IEfnn9P/s400/screenshot58.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF1G1H90CWu-WbZOk-kxKjwWqMG2ig6rnVDPFNpbUeEv0GlV9MVwoB7m3d9C39ZhezEMO4xvewBS8j_gehCvNPldXCF5-jAWVFBrtXEk7Mx974JsolaLPMNPjeN2UXhuF9Ih50JhndDvVr/s400/screenshot59.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFV6YU9jtnAIqhXkTjndHLxzmGetQ7WVfsa5NIMJU6-zQt3ODvxrvDqvp7LHFjr2lO9gjKgFrJK7HSjztArbFmJOjaGF3uBuh4Mykx6KmIPp_dTlN0Xq0rLpocb21BsMViWX8LVZcGhsY0/s400/screenshot60.png)
We have our third flag! We'll take note of it and keep digging.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUjYaAG57esgY_eMBOx8UqL_RUX5TSQppKZdnNEs-5U0N9t_VT75LOlQGMIIW1deSKbuaCIgiO4wfu14W5lE5KMFOMhOv8Aty9f1wmks6LUjsit4UrwKM6562r78LXKkfdel4gaOzfKhLu/s400/screenshot61.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfbCPMkw8vzfd4gEZGsMR_FClIH3E3ZY-ZIGBHlO6ids3Qd5qwckYf2fujaDE6gd4ygDvhOG3436myXqLuHhaRgOKXharrbjz3SwFvx-JCsEezzwoCitW1gkG4k6ptwBunCVoamJzfjU1d/s400/screenshot61.3.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUFcKeElRS8G3v1ohQNAfXe-glX4qOylpXHGVptfmg4e7VXnDL0-ky9dEFnP_SKMYkPuev5OjPhtWPr693-BdvmswXOMhRfg_56T7LJwPYZrTDTx9SPFFVWp_8Fa51PVWU2aWrpnIOf2tF/s400/screenshot61.4.png)
OK, so the packet capture, opened in Wireshark, shows the creation of the mrderp account along with its password: 'derp' repeated seven times. Nothing on the wire was encrypted, so the password is right there in the TCP stream.
Well, time to switch to mrderp.
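Pulling that password out of the pcap by hand in Wireshark works for one capture. The script below, added here as an example and not part of the original write-up, does the same thing offline: it walks a classic libpcap file with nothing but `struct`, concatenates each TCP conversation in capture order, and greps the result for `useradd` lines, `password:` prompts and FTP `USER`/`PASS` commands (port 21 is open on this box, so FTP logins are a second place the same mistake shows up). The capture it parses is constructed in `sample_capture()` to look like the session found on the box; the IPs, ports, sequence numbers and the function names are all mine.

```python
import re
import struct
from collections import defaultdict


def tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with no options and zeroed checksums (enough for an offline sample)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap link-layer frames in a little-endian libpcap 2.4 file (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP packet that carries data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng and nanosecond variants not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        payload = frame[t + (frame[t + 12] >> 4) * 4:14 + total_len]  # skip TCP header incl. options
        if payload:
            yield src, sport, dst, dport, payload


def conversations(pcap):
    """Concatenate both directions of each endpoint pair in capture order. Deliberately not a
    TCP reassembler (no sequence ordering, no retransmission handling); good enough to read an
    interactive session out of a small capture, where prompts and typed replies alternate."""
    convs = defaultdict(bytes)
    for src, sport, dst, dport, payload in tcp_segments(pcap):
        convs[tuple(sorted([(src, sport), (dst, dport)]))] += payload
    return convs


USERADD_RE = re.compile(rb"useradd\b([^\r\n]*)")                      # shell: useradd [opts] NAME
PROMPT_RE = re.compile(rb"password:[ \t]*([^\r\n]+)", re.IGNORECASE)  # passwd/login/su prompts
FTP_USER_RE = re.compile(rb"^USER[ \t]+([^\r\n]+)", re.MULTILINE)    # FTP cleartext login
FTP_PASS_RE = re.compile(rb"^PASS[ \t]+([^\r\n]+)", re.MULTILINE)


def find_credentials(pcap):
    """Per conversation: usernames from useradd/USER lines, passwords typed after a prompt or PASS."""
    hits = []
    for key, data in conversations(pcap).items():
        users = [m.group(1).split()[-1].decode(errors="replace")
                 for m in USERADD_RE.finditer(data) if m.group(1).split()]
        users += [m.group(1).strip().decode(errors="replace") for m in FTP_USER_RE.finditer(data)]
        passwords = sorted({m.group(1).strip().decode(errors="replace")
                            for rx in (PROMPT_RE, FTP_PASS_RE) for m in rx.finditer(data)})
        if users or passwords:
            hits.append({"conversation": key, "users": users, "passwords": passwords})
    return hits


def sample_capture():
    """Constructed capture of a cleartext admin session in the spirit of the one found on the box:
    the account is created and given its password with nothing encrypting the wire."""
    client, server = ("192.168.126.1", 51234), ("192.168.126.131", 23)
    session = [
        (client, b"sudo useradd -m mrderp\r\n"),
        (server, b"$ "),
        (client, b"sudo passwd mrderp\r\n"),
        (server, b"Enter new UNIX password: "),
        (client, b"derpderpderpderpderpderpderp\r\n"),
        (server, b"Retype new UNIX password: "),
        (client, b"derpderpderpderpderpderpderp\r\n"),
        (server, b"passwd: password updated successfully\r\n$ "),
    ]
    seq = {client: 1000, server: 5000}
    frames = []
    for sender, payload in session:
        receiver = server if sender == client else client
        frames.append(tcp_frame(sender[0], sender[1], receiver[0], receiver[1], seq[sender], payload))
        seq[sender] += len(payload)
    return frames


if __name__ == "__main__":
    for hit in find_credentials(build_pcap(sample_capture())):
        print(hit)
```

The prompt regex keys on `password:` with the colon so that status lines like `passwd: password updated successfully` are not reported as credentials; if you point this at a real capture, expect to extend the patterns for whatever protocol the admin was typing over.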
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV7HeV_OxGTDU2I-Uk6BxyUZEglcofeBt8-lnCsZLRUpkN3WxCL5Bqw8CUfXTZX6wKV1lpXiVgg3EqnciyRnJFq_MmGpttS_V_QNYTjgCOujFc7zM5Bq9yTNpUC4x0_JNmBvOJI1btkrTZ/s400/screenshot62.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit_p65dAUmWIxK79zja6v2s1ugcNMhBTKSma5OMJKlnkOoHQ0NUCW04NI1ecUeqisyKsbMM31EMX2NSbfFiZxfXkahnVuP8NUEzVnLV95h8XbYxO7ERTxUXRNxE0EktHzp3B7Kiq_ZETlU/s400/screenshot63.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt_n7Kx0hb5cW2SM-DxryUeLrUwHwjdtB6b24oC3YGu-BDU0CYynHNVAJGOu1lmTLIsxZbR2xVk7GDp2orqhqP4G-r_lRHTruQbwiiLDRw7EPoNB6ILdNRprffRVZeh99MEZouPbEIhmvn/s400/screenshot64.png)
Hmm, helpdesk.log has some information about sudoers. The entry for mrderp points to a pastebin URL ( https://pastebin.com/RzK9WfGw ), so let's look at that.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxc-XWTkpnHs6D36iuWs8pWyUQDkLrq7mbEDV-qSp6rTDjS05p2eL2ntlSGKN0K0hTXQDSQbTUK9wpk3rBmleQAYW6AH6aWGIiHdxbpttMkBFU5zg4McUhhS0RGeRf7Rf_MomfY9Hpq7Es/s640/screenshot64.5.png)
So the user can sudo as long as the command lives in the binaries directory. But there is no binaries directory, and nothing stops us from creating one ourselves. Time to create it.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho3eV8Z7tdObVBurBHCPThoCjdmJF-eYdQXvNGYXev1HobhWLU_6fPjuB-8DeCdvd7NY7uIiSCfdwBOxWyHlZwtwgA5qqvHbyVFWVPW5mX1lif9A4TKFZmLvuqiWzJjCGopd3Y8y8coeQH/s400/screenshot65.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU11m4le6x8AroTz78nmeWQ5QDKDcW4CK7yITNmgfbFA0wx9jwC4OfD3dfTqvG4YIj0UUnwaHnX0mg9cK9WHuPb6KDh5UlyXFevQUW9uzTEp3ZlpI36UhqNChoiAnSbEDW3ozPkgMODG7G/s400/screenshot66.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLJ28orAnGFWdB7W-5LvCF4Fbrs3VZdxiS3blAUjXcdEBHGy8OtptIhzWM-d_PtgY6BpWMGeJ53WuduCCguO1xwwBtGmGpLpCBiJnKpOT1em8xqIQcZqqBDs7e5OOwpn8zREsMq-U96Dop/s640/screenshot67.png)
With the directory created, it is time to make a command to run under sudo. A simple script that opens a shell will do, since that shell runs as root.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgM287vJWdSJ4lcLgeov4rqRHDkX485C0VKkiLzBgaY54vnXo6m5ok4aWdV9gm6anxfKIsKsigdIFeizmuDevYTZra7SsS4-fRLgjhoM0HSQ3KQJoYLp78LqQd2Z1tO79vMTasyeBvMITW/s640/screenshot68.png)
Command set. Let's sudo! We have root, and the fourth flag.
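The sudoers mistake here is worth turning into a check you can run against any box. The script below is an added example, not part of the original write-up or the box's real sudoers file: it parses plain user-specification lines and flags a command spec when it contains a wildcard, or when the user owns a directory above the command path, because owning a parent directory lets you create the missing directory (what happened above) or rename an existing one and put your own files in its place. The rule set in `SUDOERS` is hypothetical, written in the spirit of the pastebin entry, and the ownership map in `FS` is constructed rather than read from the target.

```python
import posixpath
import re

# user  host=(runas)  [TAG:] command [args][, command ...]   (plain user specs only; no aliases/includes)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV: ...


def parse_sudoers(text):
    """Return (user, host, runas, [command spec, ...]) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
            rules.append((m.group("user"), m.group("host"), m.group("runas") or "root", cmds))
    return rules


def user_controlled_ancestor(path, fs, user):
    """Closest directory above `path` that `user` owns. Owning a directory means being able to
    rename or replace anything beneath it, so everything below is effectively user-controlled."""
    d = posixpath.dirname(path)
    while True:
        if fs.get(d) == user:
            return d
        if d == "/":
            return None
        d = posixpath.dirname(d)


def audit(text, fs):
    """Flag command specs the named user can turn into an arbitrary root shell.
    `fs` maps each existing absolute path to its owner (a constructed model of the target here)."""
    findings = []
    for user, host, runas, cmds in parse_sudoers(text):
        for cmd in cmds:
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted: any command as %s" % runas))
                continue
            path = cmd.split()[0]
            cmd_dir = posixpath.dirname(path)
            if any(ch in path for ch in "*?["):
                findings.append((user, cmd, "wildcard in command path: any file matching it runs as %s" % runas))
            owned = user_controlled_ancestor(path, fs, user)
            if owned:
                state = "missing" if cmd_dir not in fs else "present"
                findings.append((user, cmd, "%s owns %s; command directory %s is %s and can be created or replaced by the user"
                                 % (user, owned, cmd_dir, state)))
            elif fs.get(path) == user:
                findings.append((user, cmd, "%s owns the command file %s and can overwrite it" % (user, path)))
    return findings


# Hypothetical rule set in the spirit of the pastebin entry referenced in helpdesk.log; not the box's real file.
SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/*
stinky  ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

# Constructed ownership map: the binaries directory does not exist yet, but mrderp owns its parent.
FS = {"/": "root", "/home": "root", "/home/mrderp": "mrderp",
      "/usr": "root", "/usr/bin": "root", "/usr/bin/apt-get": "root"}

if __name__ == "__main__":
    for user, cmd, why in audit(SUDOERS, FS):
        print("%-8s %-40s %s" % (user, cmd, why))
```

The fix on the defensive side is the mirror image of the finding: sudo rules should point at root-owned binaries in root-owned directories, with no wildcards in the path component.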
If you want all the flags decoded, here you go:
* flag1(AB0BFD73DAAEC7912DCDCA1BA0BA3D05): MD5, flag1
* flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6): SHA-256, looked up at http://md5decrypt.net/en/Sha256/#answer as Mexico
* flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb): SHA-256, Brazil
* flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd): SHA-256, United States
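Rather than pasting hashes into a website, here is a small Python script, added as an example and not part of the original write-up, that does the same lookup offline against a word list. It recognises the unsalted MD5/SHA-256 hex digests used for the flags and also recomputes WordPress's phpass portable hashes (the `$P$B...` values in wp_users that showed up in phpMyAdmin earlier), so one loop covers both kinds of hash found on this box. The flag hashes are the ones listed above; the word list, the `$P$Bconstrct` salt and the function names `identify`, `crack` and `phpass_hash` are mine.

```python
import hashlib

# phpass alphabet; its encoding is not RFC 4648 base64
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass encode64: packs 3 bytes into 4 alphabet chars, least significant bits first."""
    out, i = "", 0
    while i < count:
        value = raw[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= raw[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_hash(password, setting):
    """Recompute a WordPress (phpass portable, $P$/$H$) hash from the 12-char setting prefix of a
    stored hash: the iteration count is encoded in char 3 and the 8-char salt follows it."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash setting")
    rounds = 1 << ITOA64.index(setting[3])
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def digest_hex(kind, word):
    """Unsalted hex digest of a candidate, for the md5/sha256-style flag hashes."""
    return getattr(hashlib, kind)(word.encode()).hexdigest()


def identify(h):
    """Guess the hash type from its shape. Hex length alone is only a hint:
    32 hex chars could just as well be NTLM, so treat 'md5' as a first thing to try."""
    if h.startswith(("$P$", "$H$")) and len(h) == 34:
        return "phpass"
    is_hex = all(c in "0123456789abcdefABCDEF" for c in h)
    if is_hex and len(h) == 32:
        return "md5"
    if is_hex and len(h) == 64:
        return "sha256"
    return None


def crack(h, wordlist):
    """Return the first candidate that reproduces the hash, or None."""
    kind = identify(h)
    if kind is None:
        return None
    for word in wordlist:
        if kind == "phpass":
            if phpass_hash(word, h[:12]) == h:
                return word
        elif digest_hex(kind, word) == h.lower():
            return word
    return None


if __name__ == "__main__":
    # Hashes as listed at the end of this post; the word list is a constructed stand-in
    # for the rockyou-style list you would normally feed to john or hashcat.
    flags = {
        "flag1": "AB0BFD73DAAEC7912DCDCA1BA0BA3D05",
        "flag2": "a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6",
        "flag3": "07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb",
        "flag4": "49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd",
    }
    words = ["flag1", "Canada", "Mexico", "Brazil", "United States", "password"]
    for name, h in flags.items():
        print(name, identify(h), crack(h, words))
    # A wp_users.user_pass value looks like "$P$B" + 8-char salt + 22 chars; hash one ourselves
    # (constructed salt and password) to show the same loop handles the WordPress table too.
    sample = phpass_hash("letmein", "$P$Bconstrct")
    print("phpass", sample, crack(sample, ["admin", "letmein"]))
```

Checking a hash yourself also avoids handing the hash to a third-party lookup site, which in a real engagement would leak a client credential.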