Hack Fish.io [UPDATED]
We create a PHP reverse shell using a tool like msfvenom:
http://10.10.10.15
The webpage appears to be a simple website with a "Contact Us" form. However, upon inspecting the page source, we notice a peculiar comment:
sudo -l
We can leverage this configuration to gain root access:
<!-- TODO: move to prod env -->
This hint suggests that the website might be running in a non-production environment. We can try to access the /admin directory, which often contains administrative interfaces:
sudo -u fish /bin/bash
Switching to the fish user, we find that the user's home directory contains a config file with sensitive information:
su root
After exploring the file system, we discover that the sudo command has been configured to allow the fish user to run any command without a password:
http://10.10.10.15/admin
Indeed, we find a simple login form. After attempting some common credentials, we manage to log in using the username admin and password password123.
nmap -sV -p- 10.10.10.15
The scan reveals that ports 22 (SSH), 80 (HTTP), and 8080 (HTTP) are open. We can now focus on exploring these services further.
Next, we visit the HTTP service running on port 80:
http://10.10.10.15/uploads/shell.php
A meterpreter shell opens, allowing us to navigate the file system and escalate privileges.
cat ~fish/config
The file contains a password for the root user. We can now switch to the root user and gain full access to the system: