Kryptos feels different from most insane boxes. It brought an element of math / crypt into most of the challenges in a way that I really enjoyed. But it still layered challenges so that each step involved multiple exploits / bypasses, like all good insane boxes do. I'll start by getting access to a web page by telling the page to validate logins against a database on my box. The website gives me the ability to return encrypted webpage content that Kryptos can retrieve. I'll break the encryption to access pages I'm not able to access on my own, finding a sqlite test page that I can inject into to write a webshell that can access the file system. With file system access, I'll retrieve a Vim-crypted password backup, and crack that to get ssh access to the system. On the system, I'll access an API available only on localhost and take advantage of a weak random number generator to sign my own commands, bypassing python protections to get code execution as root.

Nmap shows two open ports, http (80) and ssh:

nmap -sT -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.129
Warning: 10.10.10.129 giving up on port because retransmission cap hit (10).
Not shown: 61053 filtered ports, 4480 closed ports
Nmap done: 1 IP address (1 host up) scanned in 71.81 seconds

nmap -sC -sV -p 80 -oA scans/nmap-scripts80 10.10.10.129
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds

Based on the apache version, this looks like Ubuntu Bionic (18.04).

The http page presents a simple login page. Visiting the page again returns the same page, so the site is built on php.

Gobuster reveals a handful of new pages:

gobuster -u -w /usr/share/wordlists/dirbuster/ -x php -t 20 -o scans/gobuster-small_php.txt
Wordlist : /usr/share/wordlists/dirbuster/