Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 61
80/tcp open  http    syn-ack ttl 61
The box already tells us what to do for the initial portion: we can go to the website on port 80 and look at the front page, which shows the well-known Agent 47 character and a login option. We’re given the following payload:
' or 1=1 -- -
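This is a simple logic injection that lets us bypass the login: the or 1=1 makes the query’s condition always true, and the trailing -- - comments out the rest of the statement.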
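Why the payload works and what stops it, as an added example (not code from the box or from this write-up): a login query built by string concatenation beside its parameterized form. The SQLite table, its schema, and the function names are assumptions made for the demonstration.

```python
import sqlite3

PAYLOAD = "' or 1=1 -- -"  # the payload quoted in the write-up


def make_db():
    """Constructed in-memory users table (hypothetical schema, not the box's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    # Constructed sample row; password hashing is omitted to keep the focus
    # on how the query is built.
    db.execute("INSERT INTO users VALUES ('agent47', 'constructed-secret')")
    return db


def login_vulnerable(db, username, password):
    # String concatenation: user input becomes part of the SQL text, so a
    # quote in the input ends the string literal and the rest runs as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pwd = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders: the driver binds input as data, so the quote and the
    # comment marker are compared literally against the username column.
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated query, payload as username:",
          login_vulnerable(db, PAYLOAD, ""))
    print("parameterized query, payload as username:",
          login_parameterized(db, PAYLOAD, ""))
    print("parameterized query, real credentials:",
          login_parameterized(db, "agent47", "constructed-secret"))
```
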
After logging in, we have a search field that is vulnerable to SQL injection, and we can automate testing it with sqlmap.
We can save the request by right-clicking and choosing “save item”, then pass the saved request to sqlmap to test it automatically:
sudo sqlmap -r search.req --level 3 --risk 3 --dbs
We’re able to grab the passwords from the users table in the db database. sqlmap can bruteforce the password for us, but you could also use John:
We can SSH using these creds and grab the user flag from our home directory.
We can start by checking internal ports: port 10000 is open but only available locally. Using SSH, we can forward it to our machine:
ssh email@example.com -L 10000:localhost:10000
We can visit localhost:10000 and access this site:
We can see it’s running Webmin, but we don’t have a login. We can try to enumerate ways around this:
We can find the above banner using whatweb or manual enumeration. After finding this, we can Google a relevant exploit or see if Metasploit has one available for us:
We run the exploit and grab root’s flag from