# Inception

## Inception - 10.10.10.67

### Target Enumeration:

IP: 10.10.10.67

User: 4a8bc2d686d093f3f8ad1b37b191303c

Root: 8d1e2e91de427a6fc1a9dc309d563359

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/S3FoYMAbq6Rtg-TR6XEjZRURlpqoIj1pvsPFb-4JP_xN71sJvfzR1_K1TDFed7TDB2EJFR391zPnP6MMtF2o8TkscDo4tfK-wyludsQatSobo8uVpAK_Fds07bjswGaZeD2BabVU" alt=""></div>

Squid is open, so we may need that later.

Dirb brought back nothing useful.

The default website has a very long page source, and at the bottom we find:

<div align="left"><img src="https://lh6.googleusercontent.com/iof8nuHkfQDDcZBbBdfZX_1WeGSybwcPevmL0FhNhVxKJmmoyJwIgQvXewQubMnCHSEIqOOrLPUnp8fPPAfk4W8Pff4xtbOZlIhr1Ndh-mNVY44flrAb5X_CNTPPqlmaoWBfZkSr" alt=""></div>

Checking the /dompdf location, we find a version and an applicable exploit:

![](https://lh3.googleusercontent.com/tCqPViTmAI8Op6Iy_uQwFsMJv76i7kWfiBezW9Xf-jP8eEfsdoG0L7nPqufYOa7WVsy6T9w-_up78W5Hi8sjVzfS5OMAdKmOQ_M6rfnPfMnE8xxZNEdGVMikGYBCYBc9s1ALUaTL)

Looks like we can read files from the filesystem:

Build the following request and send it in Burp:

![](https://lh4.googleusercontent.com/PZrmtD9lAnkXXLX6jqQGsG-f8YDE_TG7ln1B166WBw6SIxqMss4g3shid1-N8EgZHBdXu5Mi4Ld6Wr-pF6qbL-28HjV80koBOq4QZ2wKOp7f-xSo0yG2TC4NEWu6dcG1jxrJozL3)

Decode only the base64 string.

Now we have a user and the `/etc/passwd` file.

![](https://lh3.googleusercontent.com/GsmMFS2VucpTzptyi2iluNqBbgSdHLPghRbwV51YK5zCXt6kjlvtMexEwhJ_gVHpAgnREvet4IClM_uM1BvvAph2-uGbcnHRUjk1GpiQzOYHA2xmxrt9AMkp6YKFgnVF5TXLd81z)

Search around for interesting files:

Ensure you decode the results (Ctrl + Shift + B).

<div align="left"><img src="https://lh4.googleusercontent.com/_HaHZnADWyIVtNz_N_gqZib8499ZjcyakpBLuFa4Aa0g7RZSz4_4AbV_dHaSn7JU9w99xC15pEeh3dFvT9tTNvH2p_JlwZwPZapoR8QdwAuA-ohNa2LCVU8mIoHiD0mnc7UEJOaa" alt=""></div>

Grab the WebDAV passwd file:

![](https://lh5.googleusercontent.com/eKA1mD5KVllqJXgnbxOrgpufqFZbV1U9ceAb5PFM_qA_NjBiHTrhukR3Lr3Ms-cw2oyeon_8gpb6JrTPV3WAnjCHCfAdhxal6PYwTiyDecAQKfNBbQBP6mxhFFfKQeSl2Cx3Jnyv)

Crack that with John:

![](https://lh4.googleusercontent.com/X-kOp8_KE4V69qrOHWHXccMHY7V9PmG4ZBttk8GfolxGK4hYR8KOcR64B9BhLnH7ZsOayqdoMb4S53UQCZPHECFQYrRtbSv-0gXsARm2RNExn7sojsRJhbzW4grFJpPqmvaXrFGH)

Now we need to find the WebDAV directory, so check the original file:

<div align="left"><img src="https://lh5.googleusercontent.com/xGpq2WbCGIuQUjyckWWlK0_gLR7aXJpDMiTgijM3q5mGjyaY3wOW2JoFYzicaLNQ9qc5ZHRPVbWOSaGZtF2SwXWvOu2OzdUETTagDLD2YqwrceLMf82524ZMDO8AvtS9AnZPdVWN" alt=""></div>

Now connect with cadaver to `webdav_test_injection`.

We can upload a shell but cannot access it unless we are authenticated. Trying to access the file remotely through Squid does not work, so instead upload a PHP reverse shell and a simple backdoor, just in case we can't get a shell back.

![](https://lh3.googleusercontent.com/JJ4k2ed4s3CPKdCl3Rr98lAi29K8fh-xQ_1Ps2uc80l1HFf0W27DZvi7yVXpdKCLCBk0_qqi7v9QynZORuJZ2LOAoW6Q2fM66chYSEnCHF07WgUZCQIHkI981VoCacKC3lHj0Ra5)

The reverse shell does not work but the simple one does.

Now we have command execution:

![](https://lh5.googleusercontent.com/3DAWCZoJkyBjKn9tkKKsHyY163phHnqHuD-SRipHVbN8MO3cxNUinsf5FBt2dHLjUZDWFqUMrLtkgwmCuzhIprDQVM4HRZy3Zt8W9bPngK30jwcirl-tqIC6cGkQST338-j3y6d_)

Enumerating the system, we see that SSH is open:

![](https://lh3.googleusercontent.com/c6XMPDdZBscDRiquVe-HJ0Qxbe5cC3yvLSFsphVYtjdHlBJb8XsFVKRXAl508VngG4yrnVvCGTjbGKKh0DUeovX4dNlihYMIvuWo0seMn__vBSZY8VDwWTarPPyb2jYypFPM8oyb)

It is not possible to get a shell back at this point, which suggests a firewall is stopping outbound connections, so this command was sent over to the Repeater for further enumeration.

Seeing as we cannot use wget etc. to upload or download anything, upload LinEnum via cadaver and execute it with our simple PHP shell.

![](https://lh4.googleusercontent.com/6OXdGZAZ24UnPfYGAuS42ygwPB2UlQ5Vc0NrO4cnbRR2Z6EFvD4K5WCZDbegJA0eNsC5JU8yi7yvYymLGWpvxKW633Zmm-n71XrLLgsEOEstHz-dT2iNi-kmC5K-SpEB5_G6iMDm)

The script has run:

![](https://lh6.googleusercontent.com/hdGm8qYDXlP79Ksre1YRzcFJ9FwyltWcvagzuOxQChTWHCMHHWN0OIfJJypPPwUcPvabzsiLGmYeZ-gyi14J8STXfKMIfuJ4Pif0JGin0clZjR-mx10tmNeuj0fOYA37ayYGJ23V)

The WP config looks interesting:

![](https://lh3.googleusercontent.com/2o0ZLmLixcdORiBlJlwrSy1kPx7EucHjdW6cB568O9QBuRQFF31M38LrR89t7i5yCP-OBK4mh9lxAyDvtnNDZUPzBu6c7nIy6uK94oJ7hcNRl7z5mpDEXQ9JGOY6KXkAtk8sRMQC)

Read this with the LFI we found earlier.

![](https://lh5.googleusercontent.com/FWZiusuQdiMZkneHzewtoKxooUR7ox7Hb4sUJDcrzAEAAYGcu8x4d6Pul_9tbZX75arp793HrHwEXwwktJ9ppCeP_vXCqIaIULLlTyJAqxYPrAA6adRaAchEgKRf75s7XAlbjt46)

Now we have a MySQL password, but no MySQL is running.

VwPddNh7xMZyDQoByQL4

Port 22 is open locally, so perhaps we need to access that via the Squid proxy.

Configure proxychains as follows:

<div align="left"><img src="https://lh4.googleusercontent.com/rd1qAdSjylQLujefn1Gh9YGuDrHYvQfDXOMEfMyb0W5nEsVVLmJjEGdM9oCPp3WdgWCBZmVLNa4LgjR2m3QJUllL7TvVpqKKrkGw6l3u9Nrg7mWUUIrFAu8xjwTBRCSowv4Goa9Q" alt=""></div>

Log in with the credentials you have found:

![](https://lh5.googleusercontent.com/wx6vd41KW-4lCBL9WoZL93RO6IxRXmI11D1YqpHDF1Ed23IdPJ0abId4mP2ti-Rkih9Sz1j6vz86-yHU_zPAOp5eDG8hWJAPorHQQ8PuC5JZiXlg44XsKVYwEI_GRQU1G0gnA5Zb)
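
From the defender's side, reaching a locally bound SSH port through the Squid proxy, as described above, leaves CONNECT entries for loopback or non-web ports in Squid's access log. The following is an added example, not part of the original writeup: a Python check over constructed lines in Squid's native `access.log` format; the `WEB_PORTS` allow-list, the function names and the sample addresses are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

WEB_PORTS = {80, 443}  # assumption: the only ports this proxy should reach

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1518190000.101    120 10.10.14.5 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1518190012.440   9034 10.10.14.5 TCP_TUNNEL/200 3021 CONNECT 127.0.0.1:22 - HIER_DIRECT/127.0.0.1 -
1518190020.007     15 10.10.14.5 TCP_DENIED/403 3980 CONNECT 192.168.1.1:22 - HIER_NONE/- text/html
1518190031.950    310 10.10.14.9 TCP_TUNNEL/200 8812 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
"""

def target_of(method, url):
    """Return (host, port) of a logged request, or None if unparsable."""
    try:
        if method == "CONNECT":          # CONNECT logs "host:port", not a URL
            host, _, port = url.rpartition(":")
            return host.strip("[]"), int(port)
        parts = urlsplit(url)
        default = 443 if parts.scheme == "https" else 80
        return parts.hostname, parts.port or default
    except ValueError:
        return None

def is_internal(host):
    """True for localhost and loopback/private/link-local IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                     # a hostname; not resolved offline
    return ip.is_loopback or ip.is_private or ip.is_link_local

def suspicious_requests(log_text):
    """Flag proxy requests aimed at internal hosts or non-web ports."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        target = target_of(f[5], f[6]) if len(f) >= 7 else None
        if target is None or target[0] is None:
            continue
        host, port = target
        reasons = [r for r, hit in (("internal destination", is_internal(host)),
                                    ("non-web port", port not in WEB_PORTS)) if hit]
        if reasons:
            findings.append({"client": f[2], "target": f"{host}:{port}",
                             "allowed": not f[3].startswith("TCP_DENIED"),
                             "reasons": reasons})
    return findings
```

Entries with `allowed` set to true are the ones to triage first: the proxy actually tunnelled the connection, which points to a missing deny rule for internal destinations or non-web CONNECT ports.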

`sudo su` gives you root with the same password.

However, the root flag is hidden.

Looking at the IP tells us we may be inside a VM:

![](https://lh6.googleusercontent.com/6_BTt4SJIcCG3wNXpR2GjNFOZ-FsNZOZLqFX-1FkmmiBiAnlaHUZttUFVmPgoy345BnRdXi53PHBOMQnweNxqRvGCIvnDJKs7U_5jGnNUOBnajUdTmf5_1aYb_kxts862org3af5)

Find the gateway and scan it with Nmap, which reveals that TFTP is open.

![](https://lh6.googleusercontent.com/nit3v0sCUc6flTf1OHmLCacocVB0RlYsIRuae_syy_qM_Ux8zbi6y4akVz_YFzqQAdCiYqcrnMqQl3aefejlK258NFCr_TG_mR6x2Ul2T5SDc5rQW9vweh6qXqOLQv0HZDD-vrB_)

Upload all of the following scripts via TFTP to the gateway and wait around 5 minutes to get a proper shell on Inception.

![](https://lh3.googleusercontent.com/btEH-tdN2DPaRhw-UcLoj7RpmbEb5mpaHacZppDZqu82tDrR99wIRpLdot_U_lLVKMtepA2QrXD9V_EkF6UhZUgWveHGaK4VbJPVWWsSM16EJeB04Mhey_7UCEiladW_w0J_Z8He)

Script.sh

![](https://lh5.googleusercontent.com/Ku2hkBqt9ZW1jG9FpLFqOgQP6QBHUfSSWlR5LouHkpyr9eaDQ8ne1UXYGkx5T8yNzXKDZ8ZXYdzjXa1UMY7wFmzM7kiHJh4rb2tDzCK5XyAni2UjjnnOC-1asTrOdza4nGux9Ymh)

Waiting for the new crontab to run:

![](https://lh6.googleusercontent.com/jV8K5nTJNsXYdcVoCm4UwEFAulzS4b2CXNO9tO4enWjNy8Te0JdV1Pnbmxpi3PeNst9jwpLDsOfQxF6zmZmB9ec2v9mHbymnSsBzzW-PW_IjCKzmPxy7QoojckDP7-NgFP3lYsMH)

Collect your flag:

![](https://lh4.googleusercontent.com/uTARjo5sTl3TRTJNbC_Od0A-9-17Qdtzbd9kSyiZl6ObWBEdQVWYHxHx7W6bJFoRWAcG24l-nCDCYQogrnrrx_tpjYtzO2DY1naIOnDEhD6MgMjAhGovZgd5CN1h6lRQJXmhKqz5)


