# Europa

## Europa - 10.10.10.22

### Target Enumeration:

OS: Linux

IP: 10.10.10.22

User: 2f8d40cc05295154a9c3452c19ddc221

Root: 7f19438b27578e4fcc8bef3a029af5a5

### Ports / Services / Software Versions Running

22/tcp  open ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

80/tcp  open http     Apache httpd 2.4.18 ((Ubuntu))

443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))

### Vulnerability Exploited:

SQLi Authentication bypass

### Privilege Escalation:

Misconfigured cronjob

### Exploiting the host:

Nmap

![](https://lh4.googleusercontent.com/K3fTfyK7E0FUfDo2anIjF2akTDiefj7c2n7EIqzDBwMUQ3uf9eZJ6fS_WuHaXbxXtEQEQNPF_zrORoTkFq5Xvq0LjlkPi1xHMa_QF8ZoJg_hSUl0ysO0jJcTRr6ZLkIv3aGOpiXh)

The SSL certificate reveals a new domain name, so add it to the hosts file:

<div align="left"><img src="https://lh5.googleusercontent.com/Kb4FQsIspy_j74Sef1r5Wm0qT_zT_etiU0NbxT1KpPafrLW7GfSgKOOuBrjTwH7PGghcm7rHsoYz1UX6W4oZHAseDRXWK2k15Z4xEtbG0UZKOFuUQMpgSSiOvA9dxpxyQYo8cyE4" alt=""></div>

Visiting the site gives us a login page.

![](https://lh3.googleusercontent.com/0PuCg9T0koyFn-OJFe8AaF7WhIVNZ1DxeWRT6bjCVYhbdwEFa_K0CV1KaLJNljgKaCI3x9ojAiEfcpuarARQA8mGatRvEzE9kw_o_tDJ-LkFMaBRoqZXUdXTLwx1xzcxpgbLbYpc)

Capture a login request with Burp and send it to Intruder to fuzz for SQLi.

![](https://lh6.googleusercontent.com/YOcRHl7rWqAtoLeIGaJQpJ8cXavnXXkHc89Iqsd4kLttr7vvby1LKApluY9XkWLnntxXKJkNLsC5iKMG4TE9m8tB15hdS5xxmr77OISplv0wS-i8VTOCCp-PY-VAUdf0VWhDhuNP)

The login can be bypassed with an SQLi payload:

![](https://lh6.googleusercontent.com/BcCcXyIgUWvLEp96VGzbZ7oDfMoms_tcjH0FB3z-XbCO8rHtT14Rk130K04gBp9WZKTx4-7-gj461Gv6l9fxyC03xjVnEDKO1jSct7LBQu5bFBfxoS06STFRcYL1UrWiPTVTySad)

Request this payload in the browser and we are logged in

<div align="left"><img src="https://lh6.googleusercontent.com/MIbaNuYBtL9ygddf6QuNfbRFJf9sIYaKua73qNXdSabUE1wloJt4d3PK0N63SkdoeX7ckUTILuh8JCfv7cFzr_u90pGM2OoXuwAENr79kqu60ER6chgwoBDBmkRhDcb3r4crfQC3" alt=""></div>

Under the Tools tab you can generate a VPN config file, so test that feature for command execution.

Eventually we found it is vulnerable using the following command:

![](https://lh4.googleusercontent.com/_bL-zPrEks2esw0y26yAzXFu-Za6eV_MWxxIEfwPIRZM81lcCBLUK4SVKVjM3MneZ_XstNAUODfDDyxYJAGfVapDbfY8iFtlWIAV67IS2eUxTxNOZ2c19py1WVyGVNpmETj8Lf56)

Successfully hitting our server:

![](https://lh3.googleusercontent.com/6hsg5tnCR1UIhxWLzJi0Wfj2YtC1cHoSvVF1_xyThvUNzNhoES3uVHf8lqTKHyZl9u_kgNTQzSSH6ilscX-0WQ45Ow_gXZ4RAjA8KrwGIxdsZxJAhupNPzl-yjV6asFh-GiDM3d2)

Generate a php reverse shell with msfvenom and host it in the webroot

Generate a reverse shell with nc and URL encode it.

<div align="left"><img src="https://lh4.googleusercontent.com/ouwc90InSKVg8evhd9BTr1hgBCZTu_qKPxOHYx82nWNyeFQ8N_RGVW3EmUQt8Bsg0ifTsdancz7hwgpIkIry2wk-jrSJJRqwNgtrTXmr--0zPaJM0afwZKD38dFISlcpuj2lSPn0" alt=""></div>

Shell spawned on 443

<div align="left"><img src="https://lh6.googleusercontent.com/Q05azu5nTPw9cIiA_nwLxYYpgsQrjds4edZcMAc9_n7XDkx53PouAsGsY2vA_lY_pdgE0gUeXrfnuEOkNq3cX-iXns5KEf4Lqe6IoVeMe_xQsDplKu67Vr6FqX5XB7LDwNJTNUUL" alt=""></div>

Another misconfigured cronjob

![](https://lh5.googleusercontent.com/antMw4LoTuJXi1EmBaRfss4U-cYKH-U_yqOzmyqTMgONAum9dOdg2_WImoCqq-3Se1EWhhJfK4-n6TcD8O6bzBUQYkw1q4IxV567Pp0jfgDFbhOj0_3qXQR-PBPPt1GgFUetqD2Z)

Inspecting the file shows us that it is executing another sh file located in /var/www/cmd/

So create the file and wait for it to execute

![](https://lh4.googleusercontent.com/NZ75yJH3YqW4Ix8M3t1KVRfbFK5de_2fGCRfCcGO2UULAgwiz7-6nDADq1Leest6kcRsUy8Fach_ItJDpKbvH6rp6f1_WPg0HS9hRdrZ_pseJw77X7ITpxS-aNNpnb3upyYGModA)

Now we have a root shell and collect our flags

<div align="left"><img src="https://lh6.googleusercontent.com/PXPXXevDuBJlzdbez89686r6sMvEq6SsZyC49O_rTbKSw26zM8ATDXlkV5CgvTvhrXb9B4z4JhuQZIU03-hJhKNkT-2F2VM0Zw9ERossIMLrai0b_52a3IQ2yFxYNCjCNmUYEhbD" alt=""></div>
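A defender-side check for the cron weakness used above, as an added example that is not part of the original write-up: given a script that root's crontab runs, it reports that script and any absolute path named in its body when the file is missing, owned by a non-root uid, or group/world-writable (the same tests are applied to its parent directory). The function names and the path regex are assumptions made for this example, and only the file and its immediate parent directory are checked.

```python
import os
import re
import stat
import sys

# Absolute paths mentioned in a script body (constructed heuristic, not a shell parser).
ABS_PATH = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]+")

def weaknesses(path, trusted_uids=frozenset({0})):
    """Reasons a file that root executes could be created or replaced by another user."""
    found = []
    for target in (path, os.path.dirname(path) or "/"):
        try:
            st = os.stat(target)
        except (FileNotFoundError, NotADirectoryError):
            found.append(f"{target}: missing")
            continue
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            continue  # device nodes such as /dev/null are not scripts
        if st.st_uid not in trusted_uids:
            found.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(f"{target}: group/world-writable")
    return found

def audit_cron_script(script, trusted_uids=frozenset({0})):
    """Check a root-run script plus every absolute path its body references."""
    try:
        with open(script, errors="replace") as fh:
            body = fh.read()
    except OSError:
        body = ""
    report = {script: weaknesses(script, trusted_uids)}
    for ref in sorted(set(ABS_PATH.findall(body))):
        report[ref] = weaknesses(ref, trusted_uids)
    # Keep only paths that have at least one finding.
    return {path: issues for path, issues in report.items() if issues}

if __name__ == "__main__":
    # Usage: python3 audit.py <script that root's crontab runs> ...
    for script in sys.argv[1:]:
        for issues in audit_cron_script(script).values():
            for issue in issues:
                print(f"[!] via {script}: {issue}")
```

Data paths named in a script (log files, temp directories) are reported by the same rules and need manual triage.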

