Vulnhub – Infosec Warrior 1 Walkthrough – Hacking Tips & Tricks – Labs Walkthrough

Running nmap –A –T4 –p- 192.168.1.10 -vv

Running dirb we can see we have a file sitemap.xml

The page sitemap.xml got this line http://infosecwarrior.com/index.htnl so we need to edit our hosts to be able to access it:

In the page source there is a hidden code cmd.php and the mothed is GET … we need to change it to not hidden and the method is POST, we going to do this by viewing the page inspect elements:

A post box will show up in the page where we can view the passwd file and other commands can be used:

Using cat on all the files till i found something interesting inside the file cmd.php itself :

So now let’s ssh to it using the user name isw0 and the password 123456789blabla

Ok we have the user flag, let’s see what privilege this user has as root:

Ok the /bin/rpm is the only SUID that’s going to work, now according to this site cooolis we can exploit rpm using this command sudo rpm –eval ‘%{lua:posix.exec(“/bin/sh”)}’

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Share this:

Like this:

Related

Leave a Reply Cancel reply