Pwning Solstice! — Offensive Security Machine

This is one of the intermediate machine from Offensive Security Proving Grounds

exported IP as environment variable and scanned for services and findings as

OS: Web-Technology: PHP

IP:10.0.2.15

21 ftp → NO Anonymous access
2121 ftp → Anonymous access, but nothing interesting!
62524 ftp → Nothing juicer!!
80 http → Manual Inspection (Source Code Analysis)
* version → phpIPAM 1.4
3128 Squid proxy → /-
54787 http → /-
8593 http → Manual Inspection (Source Code Analysis)
http://10.0.2.15:8593/index.php?book=list

I then tried for Local File Inclusion and we got something!!!

Now all i need is also to check the logs also to verify further LFI , I tried connection with nc, don’t worry of 400 Bad Request.

Verified Local File Inclusion Vulnerability):
http://10.0.2.15:8953/index.php?book=../../../../var/log/apache2/access.log&cmd=id

And with that i used my encoded payload i.e

and now we got a shell

Making the shell more stable and enumerating the machine and found some service running on port 57

During enumeration, file name index.php have SUID permissions, so i edited the file as shown, what is did is , I gave find command super permission which further will gave us root privilege

And with that, we are now root!! with a root flag

That’s all for now!!

Until Next Time,

Stay Calm!

— — — — — — — — — — — -

For any query/issues, feel free to ping me

https://www.linkedin.com/in/user-neeleshpatel/

--

--

--

Cybersecurity | CTFs | Networking |

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Counter Parallel Twin-screw Extruder

Counter Parallel Twin-screw Extruder

Becoming Customer Facing: A Guide For Technical Security Folk

{UPDATE} 网文修真录-文字放置修真游戏 Hack Free Resources Generator

::How To Do Man In The Middle Attack(MITM) with ARP Spoofing Using Python and Scapy::

{UPDATE} hypnose - simple hypnosis game Hack Free Resources Generator

My Journey Through InfoSec

Parkinson’s Law of Security Privileges (or The Curse of Least Privilege)

Asp.Net Core 3.1 Basic Attacks and Solutions

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

Neelesh Patel

Cybersecurity | CTFs | Networking |

More from Medium

HTB Optimum — Easy?

Hackthebox — Devzat Walkthrough

DHCP Writeup | TRYHACKME

How To Transfer Files From Attacking Machine To Target Machine