Pwning Solstice! — Offensive Security Machine
This is one of the intermediate machines from Offensive Security Proving Grounds.
I exported the IP as an environment variable and scanned for services. The findings:
OS: Web-Technology: PHP
IP: 10.0.2.15
21 ftp → NO Anonymous access
2121 ftp → Anonymous access, but nothing interesting!
62524 ftp → Nothing juicy!!
80 http → Manual Inspection (Source Code Analysis)
* version → phpIPAM 1.4
3128 Squid proxy → /-
54787 http → /-
8593 http → Manual Inspection (Source Code Analysis)
http://10.0.2.15:8593/index.php?book=list
I then tried for Local File Inclusion and we got something!!!
Now all I need is to check the logs to further verify the LFI. I tried a connection with nc; don't worry about the 400 Bad Request.
Verified Local File Inclusion vulnerability:
http://10.0.2.15:8953/index.php?book=../../../../var/log/apache2/access.log&cmd=id
And with that I used my encoded payload, i.e.
and now we got a shell
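A detection-side view of the chain above, as an added example that is not part of the original write-up: it flags access-log lines where a query parameter such as `book` carries path traversal or points into system directories, and lines where a PHP open tag was written into the log (the malformed request that returns 400). The log lines are constructed samples, and the function names and finding labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+(?: "(.*?)" "(.*?)")?$')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_RE = re.compile(r'(?:^|/)(?:var/log|etc|proc)/')
PHP_TAG_RE = re.compile(r'<\?(?:php|=)', re.I)

# Constructed sample lines (not taken from the machine).
SAMPLE_LOG = [
    '10.0.2.4 - - [01/Jan/2021:10:00:00 +0000] "GET /index.php?book=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.2.4 - - [01/Jan/2021:10:00:30 +0000] "<?php PLACEHOLDER ?>" 400 301 "-" "-"',
    '10.0.2.4 - - [01/Jan/2021:10:01:00 +0000] "GET /index.php?book=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return a sorted list of findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    _host, request, _status, referer, agent = m.groups()
    findings = set()
    # A script tag in any client-controlled field is stored in the log file itself,
    # which matters as soon as the log can be pulled in through an include.
    if any(PHP_TAG_RE.search(field or "") for field in (request, referer, agent)):
        findings.add("php-tag-in-log")
    parts = request.split(" ")
    if len(parts) >= 2:
        for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded "../"
            if TRAVERSAL_RE.search(value):
                findings.add("traversal:" + name)
            if SENSITIVE_RE.search(value):
                findings.add("sensitive-path:" + name)
    return sorted(findings)

def scan(lines):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[number] = found
    return hits

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, found)
```

A `php-tag-in-log` hit followed shortly by a `sensitive-path` hit on a log file from the same client is the pairing worth alerting on.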
After making the shell more stable and enumerating the machine, I found some service running on port 57
During enumeration, a file named index.php had SUID permissions, so I edited the file as shown. What I did is give the find command super permission, which in turn gave us root privileges.
And with that, we are now root!! with a root flag
That’s all for now!!
Until Next Time,
Stay Calm!
— — — — — — — — — — — -
For any query/issues, feel free to ping me