Shenron: 1 Vulnhub Writeup

Difficulty: Easy/Medium

NMAP:

The default ports 22 and 80 are open. Enumerate the web server with gobuster and you will find /test/password, which gives us the user and password for the website. Enumerate more with gobuster and you will find /joomla/administrator.

Insert the credentials

Navigate to “Templates”

And click on “Protostar”

Open index.php

And now we can upload our reverse shell. In your terminal type: locate php-reverse-shell.php and copy it into your folder

Now paste it in, insert your IP and your port, and listen with netcat! Click on Save.

Now click on Template Preview and we are in!!!

Now enumerate more as www-data! Navigate to /var/www/html/joomla, where there is a file called “configuration.php”. This file contains the MySQL credentials, but if you try to log in to MySQL it is a rabbit hole!

These are simply the credentials for user jenny, so log in as jenny!

HORIZONTAL PRIVILEGE ESCALATION:

Now we are in as jenny, and with sudo -l we notice a privilege for shenron

Now create our RSA key

Copy our key and put it in /tmp from jenny’s shell.

Now we can cp our RSA key into shenron’s .ssh folder, let’s try!

Nice, now we can log in as shenron, so in our shell type:

Now type: find / -type f -iname "password.txt" 2>/dev/null and you will find the password for shenron. Then type sudo -l and you will find /usr/bin/apt

VERTICAL PRIVILEGE ESCALATION:

And! we are ROOT!
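From the defender's side, both escalation steps above come from sudo rules (cp as shenron, then /usr/bin/apt). The following is an added example, not part of the original writeup: a small audit that flags such rules in a sudoers file. The sample rules, the function name audit_sudoers and the path /usr/bin/cp are assumptions made for illustration.

```python
import re

# Binaries whose sudo rules were the escalation paths in this writeup.
# /usr/bin/apt is the path shown on the page; /usr/bin/cp is an assumed path.
RISKY = {
    "/usr/bin/cp": "writes files as the run-as user, e.g. into ~/.ssh",
    "/usr/bin/apt": "package manager run with the run-as user's privileges",
}

# Matches user specifications such as: jenny ALL=(shenron) NOPASSWD: /usr/bin/cp
RULE = re.compile(
    r"^\s*(?P<user>[^\s#]\S*)\s+\S+?\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return one finding per risky command granted by a sudoers rule."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # comments, Defaults, aliases, blank lines
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if parts and parts[0] in RISKY:
                findings.append({
                    "user": m.group("user"),
                    "runas": m.group("runas").strip(),
                    "binary": parts[0],
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                    "why": RISKY[parts[0]],
                })
    return findings

# Constructed sample, not the target's real sudoers file.
SAMPLE = """\
# constructed sudoers excerpt
Defaults env_reset
jenny ALL=(shenron) NOPASSWD: /usr/bin/cp
shenron ALL=(ALL : ALL) /usr/bin/apt
backup ALL=(root) NOPASSWD: /usr/bin/rsync --version
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE):
        print("{user} -> ({runas}) {binary}: {why}".format(**f))
```

Each finding is a rule to remove or replace with a narrowly scoped wrapper, since these rules let one account act as another.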

I hope this is useful!

-0xJin

| eCPTX | C|EH Master | CompTIA Security + | eJPT |