We will start here:
When VM was ready to go I started a quick enumeration:
In the meantime I decided to visit found WWW. Below you will find few results, for example:
I also decided to look for robots.txt file, and this is what I found:
Let's visit mentioned file:
Now we are here:
Let's try to add this header using curl:
Cool ;) So I modified Burp's settings to add this header to every request I'll send to webapp. Checking:
Good. Now we should be here:
Checking our new created user:
So far, so good. As you can see (below) I tried to check some other user_id. This is what I found:
So we are able to enumerate through user_id. This way we are able to check every user(_id)'s Profile-section where we can find 'stored' password.
(I'm wondering how many of you remember Revelation v2 ;D
Anyway..."today" ;))
We can use Web Developer Tools to Inspect the Password field :) See below:
When we remove disabled attribute:
and then intercept 'change password' request in Burp Suite:
This is how I grabbed all other passwords (for users I found):
Short summary is presented below. As you can see I started from the 'last found user' - alice:
Well... ;] "That escalated quickly" ;)
So next thing was to check what's inside this OS. I started from ls -laR in /home directory:
Let's see the flag1 and note in my_notes.txt:
At this stage I prepared LinEnum.sh script (in my Kali VM) to download it to target box:
Checking results we can see that there is some opportunity to escalate our privileges:
I decided to download revshell (by pentestmonkey) from my Kali VM and prepare a meterpreter in other console window. Results with sudo you'll find below:
Checking:
Ok, let's grab the final flag ;)
I think that's all ;)
Brak komentarzy:
Prześlij komentarz