Pwning Solstice! — Offensive Security Machine

This is one of the intermediate machine from Offensive Security Proving Grounds

exported IP as environment variable and scanned for services and findings as

OS: Web-Technology: PHP

IP:10.0.2.15

21 ftp → NO Anonymous access
2121 ftp → Anonymous access, but nothing interesting!
62524 ftp → Nothing juicer!!
80 http → Manual Inspection (Source Code Analysis)
* version → phpIPAM 1.4
3128 Squid proxy → /-
54787 http → /-
8593 http → Manual Inspection (Source Code Analysis)
http://10.0.2.15:8593/index.php?book=list

I then tried for Local File Inclusion and we got something!!!

Now all i need is also to check the logs also to verify further LFI , I tried connection with nc, don’t worry of 400 Bad Request.

Verified Local File Inclusion Vulnerability):
http://10.0.2.15:8953/index.php?book=../../../../var/log/apache2/access.log&cmd=id

And with that i used my encoded payload i.e

and now we got a shell

Making the shell more stable and enumerating the machine and found some service running on port 57

During enumeration, file name index.php have SUID permissions, so i edited the file as shown, what is did is , I gave find command super permission which further will gave us root privilege

And with that, we are now root!! with a root flag

That’s all for now!!

Until Next Time,

Stay Calm!

— — — — — — — — — — — -

For any query/issues, feel free to ping me

https://www.linkedin.com/in/user-neeleshpatel/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store