Revenge WriteUp
GOAL: Deface the front page.
#1 FLAG 1
PORT SCAN
RUNNING GOBUSTER ON PORT 80
Gobuster was not showing me the file app.py. After searching the source code and trying other directory brute-forcers, the file app.py showed up.
Contents of app.py
The route /products/<product_id> is vulnerable to SQL injection because the untrusted value <product_id> is passed directly into the SQL query.
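To show what that flaw looks like next to its fix, here is an added example (not the app.py from the box, whose contents are only shown in the screenshot): a stand-in `product` table in an in-memory SQLite database, a lookup that splices the path segment into the query the way the writeup describes, and a hardened lookup that validates and binds the value. The table and column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the duckyinc database; the real schema is not
    # shown on the page, so table and column names here are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO product VALUES (1, 'Rubber Duck', 4.99);
        INSERT INTO product VALUES (2, 'Duck Tape', 7.49);
        INSERT INTO product VALUES (3, 'Duck Call', 12.00);
        """
    )
    return conn


def get_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    # Mirrors the flaw described for /products/<product_id>: the untrusted
    # path segment becomes part of the SQL text, so anything after the number
    # is executed as SQL rather than compared as data.
    query = f"SELECT id, name, price FROM product WHERE id = {product_id}"
    return conn.execute(query).fetchall()


def get_product_fixed(conn: sqlite3.Connection, product_id: str) -> list:
    # Hardened version: reject anything that is not a plain integer (Flask's
    # <int:product_id> converter does the same at the routing layer), then
    # pass the value as a bound parameter so the driver never lets it alter
    # the statement.
    if not product_id.isdigit():
        return []
    return conn.execute(
        "SELECT id, name, price FROM product WHERE id = ?", (int(product_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate id behaves the same in both versions.
    print(get_product_vulnerable(db, "2"))
    print(get_product_fixed(db, "2"))
    # A tautology appended to the id dumps every row from the vulnerable
    # version; the fixed version refuses the input outright.
    print(get_product_vulnerable(db, "2 OR 1=1"))
    print(get_product_fixed(db, "2 OR 1=1"))
```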
RUNNING SQLMAP
ENUMERATION DATABASES
Database duckyinc looks interesting.
ENUMERATING TABLES
DUMPING ALL DATA FROM A DATABASE
Here you’ll get the first flag.
#2 FLAG 2
OBTAINED USERNAMES AND HASHES
One hash is unique: it starts with $2a$08$ and belongs to the username server-admin.
CRACKING HASH WITH HASHCAT
My hashcat was not running properly, so it took me some time. This image is from another writeup.
The cracked credentials give SSH access.
LOGGING IN AS USER SERVER-ADMIN
READING SECOND FLAG
#3 FLAG 3
PRIVILEGE ESCALATION
sudo -l
It looks like we can edit the configuration file for the duckyinc service, reload the daemon after changing it, and enable and restart the service as root. So let's try to get a root shell.
shell.sh
I created a shell.sh file in the folder /home/server-admin, which will be executed when the duckyinc service restarts.
Changing the file /etc/systemd/system/duckyinc.service
CURRENT CONTENT OF THE FILE
CHANGED CONTENT
RESTARTING THE SERVICE
Checking /tmp/
And the file is created with the SUID bit set.
GETTING A ROOT SHELL
GETTING THE FINAL FLAG
There was no final flag in the usual place. Our goal was to deface the website, so let's change the content of the homepage.
CHANGING INDEX.HTML
And now if we check the /root, we have a new file.
CHECKING ROOT DIRECTORY
As you can see, we can now see flag3.
READING THE FLAG
HOORAY!! SUBMIT THE FLAGS AND ENJOY!!