View2aKill: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/view2akill-1,387/

Walkthrough

nmap

default page on port 80

robots.txt lists a bunch of entries; joomla and defense hold nothing

dev holds backup files


extracted, they give key information on logging in


looking at zorin we find an hr section pointing to a new directory with a login

looking back at the new employee onboarding file, it tells how to log in as chuck;
we just need two pieces of information found in the /dev directory

we can log in as chuck

looking back at the new employee onboarding file again, we know we have to update the cissp details,
as they’re checked… i smell beefxss. set up and success

we grab the php session id and set up burp to replace it

doing so we are now alice

we easily find an upload exploit for this product

create the doc, set burp to intercept, upload, and change the information to use a php extension

the reverse shell needs to be set up, and the uploaded file viewed quickly before it is deleted

after the reverse shell we find a zip file under jenny and her ssh password; successful ssh

over ssh as jenny we find a python file under max’s profile that jenny can update,
and also how to find a directory under port 8191

a simple python script is created to generate the directories to test

running the python script to an output file and using wfuzz, we find interesting directories

looking at the directory, we can execute the app and it gives an output

the output on the web app is the same as the python file in max’s files

update the python file to create a bind shell

after running the web app and connecting using netcat, we are root
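
added example, not part of the original walkthrough: a defender-side audit for the root cause of this last step, a script executed with root privileges that a lower-privileged account can modify. the temp layout and the names svc_home and app.py are constructed for the demo, and trusting only uid 0 by default is an assumption.

```python
import os
import stat
import tempfile


def audit_exec_path(script, trusted_uids=frozenset({0}), stop_at="/"):
    """Audit a script that a privileged service executes.

    Returns (path, reason) findings for the script and each directory from
    it up to stop_at: every one must be owned by a trusted uid and must not
    be writable by group or others. Sticky directories are exempt from the
    write-bit check: only an entry's owner (or the directory owner) can
    rename or delete it there.
    """
    findings = []
    current = os.path.realpath(script)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        if not sticky_dir:
            if st.st_mode & stat.S_IWGRP:
                findings.append((current, "group-writable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent


def demo():
    """Constructed layout: weak (0664) script, then the corrected mode (0644)."""
    base = tempfile.mkdtemp()                      # created with mode 0700
    home = os.path.join(base, "svc_home")          # hypothetical name
    os.mkdir(home)
    os.chmod(home, 0o755)
    script = os.path.join(home, "app.py")          # hypothetical name
    open(script, "w").close()
    me = frozenset({os.getuid()})                  # stand-in for root in the demo
    os.chmod(script, 0o664)
    weak = audit_exec_path(script, me, stop_at=base)
    os.chmod(script, 0o644)
    fixed = audit_exec_path(script, me, stop_at=base)
    return weak, fixed


if __name__ == "__main__":
    for label, result in zip(("weak", "fixed"), demo()):
        print(label, result)
```

run against the script a root service actually executes, with the default trusted_uids, any finding means a non-root account can change what root runs.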

running the flag script, we are directed to visit a web page on port 8007

root flag

Written on November 24, 2019