We will start here:
...waiting for enlil.py to finish the scan:
Checking www in the meantime:
Found hidden link, checking:
Ok, some manipulation is definitely possible:
More:
I tried a few payloads using Burp and I found that we can use PHP filters to include files:
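Seen from the defender's side, this kind of inclusion through PHP stream wrappers leaves a clear trace in the web server's access log. The scanner below is an added example, not part of the original write-up; the `page` parameter name, the IP addresses and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# PHP stream wrappers that should never appear inside a request parameter.
WRAPPER_RE = re.compile(r"\b(php|data|expect|phar|zip)://", re.I)
# Client IP, request target and status from a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IPs, hypothetical "page" parameter).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:01 +0000] "GET /?page=about HTTP/1.1" 200 812',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /?page=%2570hp%253A%252F%252Ffilter/resource=index HTTP/1.1" 200 4096',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2570hp) up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_wrapper_use(line):
    """Return (ip, status, param, wrapper) tuples for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []  # not a request line we understand
    hits = []
    query = urlsplit(m.group("target")).query
    # parse_qsl decodes once; fully_decode catches double encoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        hit = WRAPPER_RE.search(fully_decode(value))
        if hit:
            hits.append((m.group("ip"), int(m.group("status")),
                         name, hit.group(1).lower()))
    return hits

def scan(lines):
    """Collect findings across many log lines."""
    return [hit for line in lines for hit in find_wrapper_use(line)]

if __name__ == "__main__":
    for ip, status, param, wrapper in scan(SAMPLE_LOG):
        print(f"{ip} status={status} param={param} wrapper={wrapper}://")
```

Access logs only record the request line, so wrapper strings sent in a POST body need the same check at the application or WAF layer.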
So far, so good. I wrote a simple 'file grabber' in python:
Results:
Next thing was to find the user who is able to use the password:
Name of the author of the page was a good idea to try:
Found flag1.txt :)
Next I used the LinEnum.sh script to enumerate the box (a little bit more, and faster, than I did manually ;P):
Ok, we got some emails :)
More:
Ok, looks like there is a flag2.txt:
Great, now:
That's why I couldn't grab files like 'admin' or 'backup'... ;>
Secret file!
I was looking for some other files of devops user:
Interestingly there was an antivirus.py file:
More:
Preparing msfconsole:
More:
And we got the session:
Checking flag2.txt file and sudo -l:
More:
That's how I found a nice post about privesc using pip - you can check it here:
Checking some info about the AV:
So now we are here:
Great! Checking the flag:
See you next time!
Cheers