Shenron: 1 Vulnhub Writeup

Difficulty: Easy/Medium

NMAP:

Default port 22 and 80 let’s enumerate with gobuster you will find /test/password and we got the user and password for the website, enumerate more with gobuster and you will find /joomla/administrator

Insert the credentials

Navigate on “templates”

And type on “Protonstar”

Go in index.php

And now we can upload our reverse shell. In you terminal type: locate php-reverse-shell.php and copy it in you folder

Now put in, and instert your ip and your port and listen with netcat! Click on save.

Now click on Template review and we are in!!!

Now enumerate more in www-data! Navigate in /var/www/html/joomla and there is a file called “configuration.php” , this file contain Mysql credential, but if you try to enter in Mysql there is a Rabbit hole!

This are the simple credential for user jenny, so enter in jenny!

HORIZONTAL PRIVILEGE ESCALATION:

Now we are in jenny and we notice that sudo -l , shenron have privilege

Now create our RSA key

Copy out key and put in /tmp of jenny’s shell.

Now we can cp our RSA in shenron .ssh folder, let’s try!

Nice , now we can login with shenron, so in our shell type:

Now type: find / -type -iname “password.txt” 2>/dev/null and you will find the password for shenron and type sudo -l , you will find /usr/bin/apt

VERTICAL PRIVILEGE ESCALATION:

And! we are ROOT!

I hope this is usefull!

-0xJin

| eCPTX | C|EH Master | CompTIA Security + | eJPT |