HackersVsHackers

Deep Enumeration - pkill Privilege Escalation

Initial Access

  • Only two ports were open - HTTP and SSH

  • Brute-forcing directories on port 80 gives us -> /upload.php, /cvs, /icons, /dist

  • upload.php has filtering code in the backend

  • When we try to upload a .php file, it is rejected by a !strpos check that is meant to ensure the file name ends with .pdf

  • Even when we try to upload a shell using a .pdf extension, it doesn't work -> Enumeration Required !

  • Reading the PHP filtering code, we learn that all uploaded files are stored in the /cvs directory

  • Brute-forcing that directory with extensions like .pdf.php, .php.pdf gives us -> /shell.pdf.php

  • Visiting that returns a page with boom !

  • Appending ?cmd= to that URL gives us RCE

  • Navigating through the home directory gives us the user flag
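
Why a name like /shell.pdf.php gets past a !strpos filter, shown next to a stricter check. This is an added example, not the box's actual upload.php: the function names, the sample file names and the sample contents are constructed, and the weak function only assumes the filter is a bare !strpos() test on the file name.

```php
<?php
declare(strict_types=1);

// Weak check (constructed): mirrors a !strpos() test on the file name.
function weak_accepts(string $name): bool
{
    // strpos() matches ".pdf" anywhere in the name, so "x.pdf.php" passes.
    // It also returns 0 (falsy) for a match at offset 0, so a name starting
    // with ".pdf" is misread as "not found"; the correct test is !== false.
    return !(!strpos($name, '.pdf'));
}

// Hardened check: the final extension must be "pdf" and the content must
// start with the PDF signature (a basic signature test, not full parsing).
function strict_accepts(string $name, string $tmpPath): bool
{
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'pdf') {
        return false;
    }
    $head = (string) file_get_contents($tmpPath, false, null, 0, 5);
    return $head === '%PDF-';
}

// Store under a server-generated name so the client never controls the extension.
function stored_name(): string
{
    return bin2hex(random_bytes(16)) . '.pdf';
}

// Constructed sample uploads: client file name => file content.
$samples = [
    'cv.pdf'        => "%PDF-1.4\n%%EOF\n",
    'shell.pdf.php' => '<?php echo 1;',
    'cv.php.pdf'    => '<?php echo 1;',
];

foreach ($samples as $name => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    printf("%-14s weak=%-6s strict=%-6s\n", $name,
        weak_accepts($name) ? 'accept' : 'reject',
        strict_accepts($name, $tmp) ? 'accept' : 'reject');
    unlink($tmp);
}
echo 'stored as: ', stored_name(), "\n";
```

The weak check accepts all three names, while the strict check accepts only cv.pdf. Independently of the file name check, the upload directory should be served with script execution disabled.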

Privilege Escalation

  • Digging more into the home directory gives us the SSH credentials

  • The cronjob tells us that the pkill program runs as root

  • Modify the pkill file and set up a listener to get the root shell
