
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

Starting off with the usual Nmap scan, I performed a scan for service version detection, OS detection, script scanning, and traceroute.

Truncated Nmap Scan
Truncated dirb Scan
Nikto Scan
Default Web Page
/rooms-suites
Rooms
Parameter Tampering

Foothold:

Seeing that I could tamper with the parameters, I decided to use sqlmap to determine whether there was a database where I could utilize SQL injection.

Database Discovery
Table Enumeration: mysql
Table Dump: mysql
Banned
Table Enumeration: hotel
Table Dump: hotel
Shell
cmd.php
Upload of cmd.php
Upload of LinEnum.sh
/cmd.php
Python3 Reverse Shell
Connected Reverse Shell
Upgraded Shell

Privilege Escalation (Pepper):

With the foothold firmly established, I decided to enumerate the target. So, I went to the user directory and reviewed the user.txt file.

Permission Denied: user.txt
Forbidden Commands: simpler.py
Incorrect Script Execution
Correct Script Execution
Reverse Shell: Pepper
user.txt

Privilege Escalation (Root):

Having obtained pepper’s privileges, I decided to further enumerate the target to determine how I could privilege escalate to root. So, I ran LinEnum.sh and reviewed the data.

Truncated LinEnum.sh Output
Exploit
pwned Shell
root.txt

References:

https://gtfobins.github.io/gtfobins/systemctl/

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Cyber Security Enthusiast
