
Potato

https://www.vulnhub.com/entry/potato-1,529/


Review

  • Access the FTP server to find source code
  • Inspect port 80 and look for a PHP type juggling vulnerability
  • Gain access to the server and use Burp Suite to explore requests
  • Use LFI to gain the user’s hash
  • Use John to crack the hash
  • Check sudo permissions to gain root access

Enumeration

Run an nmap scan to find open ports.

Port 80

Run a gobuster scan to find hidden directories.

/potato/

/admin/

Let’s check the FTP server

Get both files

welcome.msg

index.php.bak

We get some credentials.

Tried the creds, but still the same.

Looking at the source code above, we can see that it uses strcmp.

I found a clue online.

Edit and resend the request header, adding the array like this.

Access gained.
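Why an array value gets past a loosely compared strcmp() check, as an added example that is not the box's index.php.bak or the author's code. The names `legacy_strcmp`, `login_weak`, `login_hardened` and the password value are constructed for illustration; the shim reproduces the PHP 5/7 behaviour of strcmp() returning NULL for a non-string argument, since PHP 8 throws a TypeError instead.

```php
<?php
// Added example (constructed); not the index.php.bak from the box.

const STORED_PASSWORD = 'placeholder-secret'; // constructed value

// Mimics strcmp() on PHP 5/7: a non-string argument yields NULL (plus a
// warning). PHP 8 throws TypeError instead, so this shim keeps the
// demonstration reproducible on any version.
function legacy_strcmp($a, $b)
{
    if (!is_string($a) || !is_string($b)) {
        return null;
    }
    return strcmp($a, $b);
}

// Weak: loose comparison, so NULL == 0 evaluates to true.
function login_weak($password): bool
{
    return legacy_strcmp($password, STORED_PASSWORD) == 0;
}

// Hardened: reject non-strings first, then compare in constant time.
function login_hardened($password): bool
{
    return is_string($password) && hash_equals(STORED_PASSWORD, $password);
}

// Constructed inputs. PHP parses a form field named "password[]" into an
// array, which is how a non-string value reaches the comparison.
$cases = [
    'wrong string'   => 'guess',
    'correct string' => STORED_PASSWORD,
    'array value'    => [''],
];

foreach ($cases as $label => $input) {
    printf(
        "%-15s weak=%-5s hardened=%s\n",
        $label,
        var_export(login_weak($input), true),
        var_export(login_hardened($input), true)
    );
}
```

Where the application stores password hashes rather than plaintext, `password_verify()` replaces `hash_equals()`, with the same `is_string()` guard in front of it.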

We are able to get files from the server.

Let’s intercept with Burp Suite.

Let’s use File Inclusion/Path traversal scripts to test.

Found the passwd file.

Let’s crack the hash with John.

SSH into the webadmin user.


Foothold

Access gained.

Found the user flag

Check sudo permissions.

No permissions in the notes folder.


Privilege escalation

Head back to the home folder and use the sudo permission with notes to gain a root shell.

Final flag is found.

Base64 both flags to get the encoded flags.
