- Author Description
- Host Enumeration
- Squid Enumeration
- Nikto scan via Proxy
- Shellshock Bash Reverse Shell
- Local Enumeration
- Local Privilege Escalation
Author Description
This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it in a safe environment. This VM is very similar to labs I faced in OSCP. The objective being to compromise the network/machine and gain Administrative/root privileges on them.
Author: @D4rk36
Download: VulnHub
Host Enumeration
Port Scanning
Service Enumeration
| Port | Service | Version Detection |
|---|---|---|
| | SSH | OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0) |
| | HTTP-Proxy | Squid http proxy 3.1.19 |
Squid Enumeration
Inspection of Squid using the Metasploit module auxiliary/scanner/http/squid_pivot_scanning discovered that port 80 was exposed via the proxy.
Nikto scan via Proxy
Nikto was configured to use the discovered Squid proxy:
Nikto disclosed the location /cgi-bin/status, indicating the target could be vulnerable to Shellshock.
Shellshock Bash Reverse Shell
Burp Suite was used to manipulate the User-Agent: header to include the bash reverse shell.
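The defender's view of the request described above, as an added example that is not part of the original write-up: a Python check that scans web server access log lines for the Bash function-definition marker in the request line, Referer or User-Agent. It assumes the server logs in Apache "combined" format; the log lines, addresses and the name find_shellshock_attempts are constructed for illustration.

```python
import re

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# CGI copies request headers into environment variables, and an unpatched Bash
# treats a value starting with "() {" as a function definition. The pattern is
# deliberately loose about whitespace so spacing variants are flagged too.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (not taken from the target VM).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "() { :;}; echo probe"',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 45 "(){ x;}; echo probe" "curl/7.0"',
]

def find_shellshock_attempts(lines):
    """Return one finding per log line whose client-controlled fields carry the marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        fields = [f for f in ("request", "referer", "agent")
                  if FUNC_DEF_RE.search(m.group(f))]
        if not fields:
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""
        findings.append({
            "line": lineno,
            "host": m.group("host"),
            "path": path,
            "fields": fields,
            # A CGI target is where the header actually reaches Bash's environment.
            "cgi": path.startswith("/cgi-bin/"),
            "status": int(m.group("status")),
        })
    return findings

if __name__ == "__main__":
    for finding in find_shellshock_attempts(SAMPLE_LOG):
        print(finding)
```

When requests reach the web server through a proxy such as the Squid instance here, the host logged by the web server is the proxy's address, so the proxy's own access log is needed to attribute the original client.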
A reverse shell was established:
Local Enumeration
Local enumeration of the system disclosed the file /var/www/wolfcms/config.php containing:
Local Privilege Escalation
The previously discovered credentials worked for MySQL root, and were reused for the user sickos and again for sudo as the user sickos.
Local Privilege Escalation:
Root Flag
Thanks for the VM :)