Posted on

Inclusiveness : 1

https://www.vulnhub.com/entry/inclusiveness-1,422/

Review

  • Driectory enumeration indicates robots.txt can be seen with a regular user-agent
  • Use curl to bypass the user-agent with Googlebot to find a clue
  • Hidden directory can be exploited by LFI
  • Test out the LFI exploit by uploading a PHP webshell
  • Create a PHP reverse shell and upload to get a shell
  • Explore system to find a rootshell program
  • Edit configuration to gain root access

Enumeration

Run nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

Most of the robots pages shows this.

FTP

Unable to find anything

Lets’ bypass the useragent with google bot in curl

/secret_information/

Tried to do some DNS enumeration but there wasn’t much. However upon noticing the URL of the secret information, I decided to try a directory reversal.

Seems that it can be exploited.

Since we know the FTP runs vsftpd, let’s search for a config file.

We are able to write into the ftp directory

Create a PHP webshell.

Upload it into the FTP server.

Let’s test the webshell

It works.

Now let’s enter a PHP reverse shell payload.

Encode the one liner PHP reverse shell.

Paste the encoded script into the webshell, start a netcat listener and a shell is gained.

Foothold

Checking Tom directory we find a rootshell.c

The file will execute a root shell if the current user is Tom

Privilege escalation

Head to the tmp directory and create a whoami file with tom. Then export the path.

Run the rootshell again and root access is gained.

Final flag found.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s