You can find the machine here: Chili
Summary
This one was a pretty tricky box that I enjoyed a lot! It is easy, but you have to think smart. We start by brute forcing FTP, which gives us access to all system files; we then search for a writable directory under /var/www/html and place our shell there. Privilege escalation to root is easy: /etc/passwd is writable. Let’s pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
Port 80 has nothing interesting. I checked /robots.txt, and I tried directory brute forcing with gobuster with a lot of wordlists, but found nothing. Anyway, I checked the hint that the maker provided on the VulnHub page: “If you ever get stuck, try again with the name of the lab”.
Ahh, here we go, let’s brute force FTP using the username chili. (Takes some time.)
Shell as www-data
Perfect, we can log in as chili:a1b2c3d4. I enumerated the system, but there is no SSH, so the only solution left is to upload a shell under /var/www/html, but it isn’t writable. There is a hidden folder under /var/www/html that is writable:
Let’s upload a PHP web shell under .nano and make it executable.
Now let’s execute it and get a shell.
Shell as chili
We can use the same FTP password to privesc to user chili now.
Shell as root
After some enumeration, I found that /etc/passwd is writable. Let’s simply add a root user.
Let’s generate a password:
Now we can add our user in.
Let’s read the flag.
Lots of fun!
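
From the defender's side, the misconfigurations this box relies on (a writable hidden directory under /var/www/html and a writable /etc/passwd) can be checked for directly, along with the extra UID 0 account that results. The audit script below is an added example, not part of the original write-up; the function names are illustrative, and it assumes "writable" means the world-writable bit and that root is the only legitimate UID 0 account.

```shell
#!/bin/sh
# Added example (not from the write-up); all function names are illustrative.

# World-writable directories under a web root. find descends into
# dot-directories by default, so hidden folders are covered too.
writable_web_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Exit 0 when the account file is writable by group or other.
passwd_is_loose() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Accounts other than "root" that carry UID 0 (assumes root is the only
# legitimate one).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run all three checks; returns non-zero if anything is found.
audit() {
    webroot=${1:-/var/www/html}
    passwd=${2:-/etc/passwd}
    rc=0
    dirs=$(writable_web_dirs "$webroot")
    if [ -n "$dirs" ]; then
        printf 'world-writable under %s:\n%s\n' "$webroot" "$dirs"
        rc=1
    fi
    if passwd_is_loose "$passwd"; then
        printf '%s is writable by group or other\n' "$passwd"
        rc=1
    fi
    extra=$(extra_uid0_accounts "$passwd")
    if [ -n "$extra" ]; then
        printf 'unexpected UID 0 accounts:\n%s\n' "$extra"
        rc=1
    fi
    return "$rc"
}

# Usage: audit [webroot] [passwd-file]
```

Sourcing the file and running `audit` with no arguments checks /var/www/html and /etc/passwd; a non-zero return means at least one finding was printed.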