Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Europa - 10.10.10.22
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege Escalation:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Europa

Europa - 10.10.10.22

Target Enumeration:

OS: Linux

IP: 10.10.10.22

User: 2f8d40cc05295154a9c3452c19ddc221

Root: 7f19438b27578e4fcc8bef3a029af5a5

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

SQLi Authentication bypass

Privilege Escalation:

Misconfigured cronjob

Exploiting the host:

Nmap

SSL certificate gives us a new domain so update hosts file:

Visiting the site gives us a login page.

Capture a login with burp and send it to the intruder to be fuzzed for sqli

Can bypass the login with an sqli payload:

Request this payload in the browser and we are logged in

Under the tools tab you can generate a VPN config file so test it for command execution.

Eventually we found it is vulnerable using the following command:

Generate a php reverse shell with msfvenom and host it in the webroot

Generate a reverse shell with nc and URL encode it.

Shell spawned on 443

Another misconfigured cronjob

Inspecting the file shows us that it is executing another sh file located in /var/www/cmd/

So create the file and wait for it to execute

Now we have a root shell and collect our flags

PreviousJokerNextHaircut

Last updated 6 years ago

Successfully hitting our server: