You can find the machine here: HA Narak
Summary
This was a pretty interesting box. We start off by generating a wordlist with cewl and then brute-forcing WebDAV, which gives us a shell as www-data. We then find a bash script with Brainfuck code in it; decoding it gives us inferno's password. Privesc to root is MOTD exploitation. Let's pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
Let's start the enumeration on port 80 with a gobuster scan:
/tips.txt contains this message: Hint to open the door of narak can be found in creds.txt.
This will probably be useful later for privesc, because there is no creds.txt on the web server right now.
/webdav asks for creds:
Because I have experience with the HA series and their boxes often require cewl, let's generate a custom wordlist with cewl and brute force the login with hydra:
Shell as www-data
Perfect. A few words about WebDAV: it is an extension of the HTTP protocol that allows users to upload and download files on the Apache server. I always like to use Cadaver as a WebDAV client. Let's log in and upload our shell.
Let's execute it and get a shell:
Shell as inferno
Let's now search for the creds.txt file:
If we base64-decode it, we can see the creds we found before:
If we now move to /mnt, we can find a bash script with Brainfuck code in it:
Brainfuck is an esoteric programming language; let's use this decoder and we get a password: chitragupt
This password works for user inferno, so we can now log in over SSH.
Shell as root
Under the .cache folder I found a motd file, which is a hint for privesc:
If we go to the update-motd.d directory we can see that all files are writable. So let's simply add a command that changes the root password and log in again.
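The reason this works is that pam_motd runs every script in update-motd.d as root on each login, so any script an unprivileged user can write is a root shell. As an added example (not part of the original write-up), here is a small audit that a defender can run to catch exactly this misconfiguration; the directory path and the sample scripts it builds are constructed for the demo, not the box's real files.

```python
"""Audit update-motd.d: pam_motd runs these scripts as root at login."""
import os
import stat
import tempfile
from pathlib import Path

MOTD_DIR = "/etc/update-motd.d"  # default location on Debian/Ubuntu


def _group_or_world_writable(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_motd_dir(directory=MOTD_DIR, trusted_uids=(0,)):
    """Return sorted (path, reason) findings; trusted_uids may own the scripts."""
    findings = []
    d = Path(directory)
    if not d.is_dir():
        return findings
    dst = d.stat()
    if dst.st_uid not in trusted_uids:
        findings.append((str(d), f"directory owned by untrusted uid {dst.st_uid}"))
    if _group_or_world_writable(dst.st_mode):
        findings.append((str(d), "directory is group/world-writable: anyone can add a script"))
    for entry in sorted(d.iterdir()):
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(entry), "symlink: target may be attacker-controlled"))
        elif stat.S_ISREG(st.st_mode):
            if st.st_uid not in trusted_uids:
                findings.append((str(entry), f"owned by untrusted uid {st.st_uid}"))
            if _group_or_world_writable(st.st_mode):
                findings.append((str(entry), "group/world-writable script runs as root at login"))
    return sorted(findings)


def build_demo_dir():
    """Constructed sample: one safe and two weak scripts in a temp dir (not the box's files)."""
    tmp = Path(tempfile.mkdtemp(prefix="motd-demo-"))
    for name, mode in (("00-header", 0o755), ("50-landscape", 0o777), ("99-custom", 0o775)):
        path = tmp / name
        path.write_text("#!/bin/sh\necho demo\n")
        os.chmod(path, mode)  # explicit mode, so the umask does not interfere
    return tmp


def demo_findings():
    # The temp dir is owned by the current user, so trust that uid here.
    return audit_motd_dir(build_demo_dir(), trusted_uids=(os.getuid(),))
```

Calling `demo_findings()` flags the 0777 and 0775 scripts and leaves the 0755 one alone; on a real host, call `audit_motd_dir()` with the defaults so only root-owned, non-writable scripts pass.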
Let's read the flags:
Awesome box!