Fluxcapacitor
Fluxcapacitor - 10.10.10.69
Target Enumeration:
OS: Linux
IP: 10.10.10.69
User: b8b6d46c893d0cd00c0f0380036117bc
Root: bdc89b40eda244649072189a8438b30e
Ports / Services / Software Versions Running
80/tcp open http SuperWAF
Vulnerability Exploited:
WAF Bypass on vulnerable parameter to gain code execution
Privilege Escalation:
User can run commands encoded in base64 via the /home/themiddle/.monit
Exploiting the host:
Nmap
Software Enumeration:
Burp Request & Response:
Gives a clue as follows:
Fuzz the application for a parameter to identify the next stage of the exploit.
After a while you will find:
Send that request to Burp Repeater to explore further.
We now have command execution:
The WAF is pretty tight on what we can do, so use typical evasion techniques to read files etc.
/etc/passwd
Converting our IP address to decimal allows us to request files from our server.
At the moment we are restricted to the user nobody, so list the whole contents of the drive for easy viewing offline.
Using curl, we find that as the user nobody we can execute the following command:
Open the command in Burp, encode the command cat /root/root.txt in base64, and send it through the repeater to get the root flag.
Send the request:
Now, to get a shell on the system, encode the following payload:
Send it through the repeater with a listener on port 443.
You will have a root shell.
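Integer, hex and octal spellings of an IPv4 address resolve to the same host as the dotted quad, so a filter or log search that matches only dotted quads misses the decimal form used in the step above. The following is an added example, not part of the original writeup: it normalizes inet_aton-style spellings so a WAF rule or detection query can match on the canonical address. The url parameter, the sample request lines and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import re

# One component is hex (0x..), octal (leading 0) or decimal; a host has 1 to 4
# of them and is followed by ':' or '/', as in a URL or host:port pair.
_PART = r"(?:0[xX][0-9a-fA-F]+|\d+)"
_HOST = re.compile(rf"(?<![\w.]){_PART}(?:\.{_PART}){{0,3}}(?=[:/])")

def _num(part):
    """Parse one component the way inet_aton() does."""
    if part[:2].lower() == "0x":
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)  # ValueError on digits 8 and 9
    return int(part)

def canonical_ipv4(token):
    """Dotted quad for an inet_aton-style spelling, else None.
    Leading components are single bytes; the last fills the remaining bytes."""
    try:
        *head, last = [_num(p) for p in token.split(".")]
    except ValueError:
        return None
    if len(head) > 3 or any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def find_encoded_ips(text, min_single=1 << 24):
    """Return (token, canonical) pairs for non-canonical IPv4 spellings in text."""
    hits = []
    for match in _HOST.finditer(text):
        token = match.group(0)
        ip = canonical_ipv4(token)
        if ip is None or ip == token:
            continue  # not an address, or already a plain dotted quad
        if "." not in token and int(ipaddress.IPv4Address(ip)) < min_single:
            continue  # small bare integers are ordinary numbers (years, ports)
        hits.append((token, ip))
    return hits

# Constructed sample request lines (192.0.2.10 is a documentation address).
SAMPLES = [
    "GET /?url=http://3221225994/a.txt HTTP/1.1",
    "GET /?url=http://0xc000020a:8000/a.txt HTTP/1.1",
    "GET /?url=http://0300.0.02.012/a.txt HTTP/1.1",
    "GET /?url=http://192.0.2.10/a.txt HTTP/1.1",
    "GET /archive/2019/01/ HTTP/1.1",
]
```

Run find_encoded_ips over each decoded parameter value or log line; the returned canonical address is what allowlists, blocklists and egress rules should be compared against.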