Shocker - HTB - Key Points

August 3, 2022•93 words

Open port on 80 and a 2222 which is actually an SSH over deeper inspection (detect the specific port using sV in nmap)
Enumeration of the web server won't reveal much besides a cgi-bin directory, fuzzing for scripts returns a user.sh script
We can try and exploit this with Shellshock, using the metasploit module exploit/multi/http/apache_mod_cgi_bash_env_exec. This gives us low privileged access on the box
Running "id" we see our user is part of the lxd group, meaning we can immediately escalate to root privileges, as explained here
Merry hacking ;)

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

basic-mod-2 - picoCTF 2022

March 31, 2022•106 words

import stringalphabet = string.asciiuppercase + string.digits + ""code = "104 85 69 354 344 50 149 65 187 420 77 127 385 318 133 72 206 236 206 83 342 206 370"words = code.split(" ")result = ""for word in words: module = int(word) % 41 for i in range (41): if((module * i ) % 41 == 1 ): result += alphabet[i-1] breakprint(result) ...

Read post

Nunchuks - HTB - Key Points

August 13, 2022•336 words

Open ports: 22, 80 and 443 after a super quick scanCertificate from 443 reveals a domain, nunchucks.htbSubdomain enumeration reveals another possible target, store.nunchucks.htbThe store has a newsletter subscription function that reflects the email address provided. Using Wappalyzer, we can see the website is running on NodeJS, so let's look for SSTI on NodeJSHacktricks suggests the following payload to try out: {{7*7}}. This should return 49. It is the payload listed under the template engine ...

Read post

Shocker - HTB - Key Points

More from emacab98All posts

basic-mod-2 - picoCTF 2022

Nunchuks - HTB - Key Points

More from emacab98
All posts