Dev from VulnHub is a Linux machine rated easy by its creator.
Let's start with an nmap scan.
Command: nmap -A $IP
From the nmap scan result we can see that only two ports are open:
- port 22, SSH
- port 80, HTTP
We don't have credentials for the SSH so we will check on port 80.
The website is just the default Apache homepage. I checked the page source but found nothing interesting, so I started a gobuster scan.
Command: gobuster dir -u $IP -w /path/to/wordlist/
The only interesting result is the /wwwdev directory. Scrolling all the way to the bottom of that page, we can see a username, f3dai.
Again I checked the page source, and I found some kind of a hint.
I had a hunch so I started another gobuster scan.
Command: gobuster dir -u http://$IP/wwwdev/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-words.txt
For this scan I used raft-medium-words.txt from SecLists because it contains the .git entry.
This finds an exposed /.git directory under /wwwdev.
To recover the repository I used GitTools from GitHub: https://github.com/internetwache/GitTools
First run gitdumper.sh to download the exposed .git directory:
Command: ./gitdumper.sh http://$IP/wwwdev/.git/ ~/Desktop/dev
Then run extractor.sh to rebuild the committed files from the dumped objects:
Command: ./extractor.sh ~/Desktop/dev ~/Desktop/new
Among the extracted files, the only interesting one is the cred file.
You may think these are SSH credentials, and you are not completely wrong, but first we have to decode the text: it is encoded with a Vigenère cipher, and the key is slime.
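The decoding step above, as an added example that is not part of the original write-up: a small Vigenère encrypt/decrypt routine using the key slime. The real contents of the cred file are not reproduced here, so the sample ciphertext below is constructed for illustration. The conventions used (only letters are shifted, non-letter characters are copied through without advancing the key, case is preserved) are an assumption; they match what most online Vigenère tools do, which is how the cred file was presumably decoded.

```python
import string

ALPHABET = string.ascii_lowercase
KEY = "slime"  # key given in the write-up

# Constructed sample (NOT the real cred file): "hello world" encrypted under "slime".
SAMPLE_CIPHERTEXT = "zptxs ozzxh"


def _key_shifts(key: str) -> list[int]:
    """Map the key to 0-25 shifts, ignoring anything that is not a letter."""
    shifts = [ALPHABET.index(c) for c in key.lower() if c in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    return shifts


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt text with a Vigenère key, or decrypt it when decrypt=True.

    Letters are shifted by the key and keep their case. Digits, punctuation
    and whitespace are copied through unchanged and do not consume a key
    position (assumption: the convention common online tools use).
    """
    shifts = _key_shifts(key)
    out = []
    pos = 0  # index into the key, advanced only when a letter is processed
    for ch in text:
        low = ch.lower()
        if low not in ALPHABET:
            out.append(ch)
            continue
        k = shifts[pos % len(shifts)]
        pos += 1
        if decrypt:
            k = -k
        shifted = ALPHABET[(ALPHABET.index(low) + k) % 26]
        out.append(shifted.upper() if ch.isupper() else shifted)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str = KEY) -> str:
    return vigenere(plaintext, key)


def vigenere_decrypt(ciphertext: str, key: str = KEY) -> str:
    return vigenere(ciphertext, key, decrypt=True)


def decode_cred_file(contents: str, key: str = KEY) -> list[str]:
    """Decode every non-empty line of a dumped cred file with the given key."""
    return [vigenere_decrypt(line, key) for line in contents.splitlines() if line.strip()]


if __name__ == "__main__":
    # With the constructed sample this prints "hello world".
    print(vigenere_decrypt(SAMPLE_CIPHERTEXT))
```

To use it on the real file, pass the dumped cred contents to decode_cred_file (or pipe the file through vigenere_decrypt line by line); the username f3dai itself is not encoded, only the text in the cred file.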
Now we can log in over SSH with the decoded credentials, using the username f3dai.
Let's check the user's sudo privileges with sudo -l.
Nice, we can run /usr/bin/git as root. git <command> --help opens the man page in a pager (typically less), and the pager lets you run a shell command by typing ! followed by the command. Under sudo the pager, and whatever it spawns, runs as root:
Exploit command: sudo -u root /usr/bin/git branch --help config
Once the man page is open, type !/bin/bash at the pager prompt (inside the pager, not chained after the command with &&) to get a root shell.
Now you can get both flags!