Vulnhub – It’s October Walkthrough

Start by scanning the target with nmap -A -T4 -p- 192.168.1.2 -vv

While dirb was running, I visited port 8080 and found a page showing a picture of a note. Viewing the page source, we can see this:

Visiting 192.168.1.2:8080/mynotes.txt, we find:

User admin

Password adminadmin2

As mentioned, dirb was running in the meantime and returned some results. One of them is a login page, http://192.168.1.2/backend, where we can log in with these credentials:

And we got in:

The CMS restricts PHP uploads, meaning we can’t upload php or php5 files, but we can put a simple shell command into a page of the site. Navigate to http://192.168.1.2/backend/cms, add a page, and write a function inside it for the shell:

As you can see, we got in. We then escape the shell with python3 -c 'import pty; pty.spawn("/bin/bash")' and then bash -p

Using find / -perm -u=s -type f 2>/dev/null, we find that python3 can be used to escalate privileges:

All we have to do is run one command and we are root:

python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
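
From the defender's side, the finding above is a setuid bit on a script interpreter. The following is an added example, not part of the original walkthrough, that audits a directory tree for that condition; the function names and the interpreter name patterns are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag setuid script interpreters.
# Function names and the interpreter name patterns are assumptions.

# Print every setuid regular file under $1 (default /), one path per line.
# -xdev keeps the walk on one filesystem; -perm -4000 is the same test as
# the walkthrough's -perm -u=s.
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Succeed if the file name looks like a general-purpose interpreter or shell.
# Any of these running with the owner's euid lets a caller run arbitrary code
# as that owner, which is what the find output above exposed for python3.
is_interpreter() {
    case "$(basename "$1")" in
        python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*) return 0 ;;
        php|php[0-9]*|node|lua|lua[0-9]*) return 0 ;;
        sh|bash|dash|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "FLAG <path>" for setuid interpreters and "ok   <path>" for other
# setuid files. Returns 1 if anything was flagged, so it can gate a cron or
# CI check. Remediation for a flagged file is: chmod u-s <path>
audit_setuid() {
    list_setuid "$1" | {
        flagged=0
        while IFS= read -r f; do
            if is_interpreter "$f"; then
                echo "FLAG $f"
                flagged=1
            else
                echo "ok   $f"
            fi
        done
        [ "$flagged" -eq 0 ]
    }
}

# Usage: audit_setuid /usr/bin
```

Run against this machine, it would report python3 as FLAG; clearing the bit with chmod u-s makes the audit pass again.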
