Difficulty: Medium
Machine Creator: lokori
Tools Used: NMAP, Gobuster, Burp Suite, Python
Task: To find User.txt and Root.txt
Let’s start with an NMAP scan.
nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.91
The first thing that I always try when NMAP can’t determine what is running on a port is to open it in a browser.
The webpage does not show any useful information, so let’s use gobuster to find any directories.
gobuster -u http://10.10.10.91:5000 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40
XML External Entity (XXE)
XXE & LFI
Now that we have the structure of the XML we can hopefully do some Local File Inclusion.
When we run the python script, it returns a base64 encoded hash that we can use in our XXE.
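On the defensive side, an added example (not from the original write-up or from the target's code): a parser that refuses any document carrying a DOCTYPE, which removes the entity mechanism XXE depends on. The element names `title` and `body` and the size limit are assumptions, since the XML structure is not shown here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Hypothetical schema: the write-up does not show the real element names.
EXPECTED_FIELDS = ("title", "body")
MAX_BYTES = 64 * 1024  # assumed upload limit


class RejectedXML(ValueError):
    """Upload refused before any of its content is used."""


def parse_untrusted(data: bytes) -> ET.Element:
    """Build an element tree, refusing any document that carries a DOCTYPE."""
    if len(data) > MAX_BYTES:
        raise RejectedXML("document too large")
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        # Without a DTD no entity (internal or external) can be declared.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return builder.close()


def load_fields(data: bytes) -> dict:
    """Return only the expected child elements as plain text."""
    root = parse_untrusted(data)
    fields = {child.tag: (child.text or "") for child in root}
    missing = [f for f in EXPECTED_FIELDS if f not in fields]
    if missing:
        raise RejectedXML(f"missing fields: {missing}")
    return {f: fields[f] for f in EXPECTED_FIELDS}


# Constructed sample inputs (not captured from the target).
BENIGN = b"<post><title>hello</title><body>first entry</body></post>"
WITH_DTD = (b'<!DOCTYPE post [<!ENTITY ext SYSTEM "file:///constructed/path">]>'
            b"<post><title>&ext;</title><body>x</body></post>")
```

The exception raised in the DOCTYPE handler propagates out of `Parse`, so the entity reference in the second sample is never reached.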
nc -lvnp 1337
python -c 'import pty; pty.spawn("/bin/sh")'
When trying to find the original posting, I’m getting an error; we need to fix this shell.
I was able to find an ssh key for Roosa.