Vulnhub – Infosec Warrior 1 Walkthrough

Running nmap –A –T4 –p- -vv

Running dirb we can see we have a file sitemap.xml

The page sitemap.xml got this line so we need to edit our hosts to be able to access it:

In the page source there is a hidden code cmd.php and the mothed is GET … we need to change it to not hidden and the method is POST, we going to do this by viewing the page inspect elements:

A post box will show up in the page where we can view the passwd file and other commands can be used:

Using cat on all the files till i found something interesting inside the file cmd.php itself :

So now let’s ssh to it using the user name isw0 and the password 123456789blabla

Ok we have the user flag, let’s see what privilege this user has as root:

Ok the /bin/rpm is the only SUID that’s going to work, now according to this site cooolis we can exploit rpm using this command sudo rpm –eval ‘%{lua:posix.exec(“/bin/sh”)}’

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s