Box Stats
Box Info | Details |
---|---|
Box Name : | TenderFoot |
Series : | TenderFoot |
Difficulty : | Easy |
Release Date : | 5 Oct 2020 |
OS : | GNU/Linux |
Maker : | Anant Chauhan |
Download : | TenderFoot |
Summary
This was a pretty easy box, that took me some time because i was using the wrong wordlists. LOL We start by finding a username & a password into a brainfuck code this give us shell as monica. First privesc is easy we just have to use a SUID binary. Privesc to root is about exploiting FTP with sudo. Let’s pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
1 |
|
Let’s start the enumeration with port 80, i tried lot of wordlists but only the big from SecLists worked! (takes some time)
1 |
|
Shell as monica
2 interesting stuff here first is the /entry.js
that provide us a username:
1 |
|
& /fotocd
source code has brainfuck code in it, i always use this decoder
1 |
|
Let’s base64 decode this and get shell.
1 |
|
Shell as chandler
Checking the SUIDs we can find a really interesting binary, if we run it we get access as chandler
:
1 |
|
Shell as root
Under .cache
folder we can see a note.txt
:
1 |
|
chandler can run sudo commands
& we have his password, it’s base32 let’s decode it:
1 |
|
If we run sudo -l
we can’t see the binary:
1 |
|
We have to login as chandler using ssh & we can exploit FTP easy:
1 |
|
Reading the flag(s)
1 |
|
Thank You
Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom
Until next time keep pwning hard!