Dev box - Walkthrough
Hi guys, this is the second day and second box (2D-2B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can build my confidence, learn new things, and prepare for OSCP.
Wish me luck!
So, today I would like to work on Dev machine. Let’s get started!
Please read to the end! Thank you!
The box
Now we shall start the fun!
Enumeration
As usual, launch Nmap! Using -oN is a good habit (in my opinion) to save the results, so you don't miss information later on.
nmap -p- -A -T4 -sV <Victim_IP> -oN nmap.txt
80 — HTTP
Once we go to the IP, we will see the below:
8080 — HTTP
We can find this page once we go to 8080 and this phpinfo looks interesting!
Running Gobuster
On port 80.
/src/Site
/app
/app/config
Some .yml files look JUICY. And I found a possible password in the config.yml file.
/app/database. Looks good, but it is an empty file.
On port 8080.
/dev. There is an ADMIN page, let's see.
Mehhh…
It looks like we have nothing here.
But we can try to register as a member; maybe we can use it later.
Maybe Mount?
We can list the file systems exported by a remote NFS (Network File System) server.
showmount -e <Victim_IP>
Let's try to mount it on our machine. I created a temp folder for this mount at /tmp/dev. Then run the following:
sudo mount -t nfs <Victim_IP>:/srv/nfs /tmp/dev/
Note: Please remember to run as sudo.
We can see we have a zip file there.
Using zip2john, we can extract a hash from it.
After saving the hash into a new text file, we can crack it with john.
john --format=pkzip --wordlist=<Wordlist_Path> <hash.txt_Path>
NOICE! Now, we unlock the zip file to see what’s inside!
todo.txt
id_rsa
Awesome, with id_rsa, we can try to ssh to the machine!
Trying to Connect
I tried the username found in todo.txt and the password cracked from save.zip, but it looks like that was wrong. I think we might be missing something.
After another long search, and looking up hints for this box (still a learning newbie), it turns out I missed a vulnerability we can use to find the username: BoltWire 6.03 - Local File Inclusion.
Link: https://www.exploit-db.com/exploits/48411
We need to go back to our member's page and add the following to the URL.
?p=action.search&action=../../../../../../../etc/passwd
To:
<Victim_IP>:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
and… TA-DA!
Looks like jp is jeanpaul. We can try that username over ssh.
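From the defender's side, the request above leaves an obvious trace in the web server's access log. The following Python script is an added example (not from the original write-up): it parses a few constructed access-log lines and flags requests whose action parameter walks above its starting directory, which is exactly what this LFI relies on. The log lines, IP addresses and the REQUEST_RE pattern are constructed for illustration.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access-log lines (not captured from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /dev/index.php?p=action.search&action=news HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:03 +0000] "GET /dev/index.php?p=action.search&action=../../../../../../../etc/passwd HTTP/1.1" 200 1834
10.0.0.7 - - [01/Jan/2021:10:00:05 +0000] "GET /dev/index.php?p=action.search&action=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834
10.0.0.9 - - [01/Jan/2021:10:00:09 +0000] "GET /dev/index.php?p=action.search&action=reports/../../../../etc/shadow HTTP/1.1" 403 210
"""

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def traversal_depth(value: str) -> int:
    """How many directory levels the value climbs above where it starts.

    The value is percent-decoded once more (parse_qs already decoded it once)
    to catch double-encoded traversal. normpath collapses 'reports/../../x'
    to '../x', so the result is the net upward movement, not the count of '..'.
    """
    norm = posixpath.normpath(unquote(value))
    depth = 0
    for seg in norm.split("/"):
        if seg != "..":
            break
        depth += 1
    return depth


def find_lfi_attempts(log_text: str, param: str = "action") -> list:
    """Return one dict per request whose `param` escapes upward or is absolute."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the scan
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get(param, []):
            depth = traversal_depth(value)
            absolute = unquote(value).startswith("/")
            if depth or absolute:
                hits.append({"ip": m["ip"], "status": int(m["status"]),
                             "depth": depth, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} depth={hit['depth']} action={hit['value']}")
```

A 200 response on a flagged request (as in the second and third sample lines) is the case worth alerting on, since a 403 means the server already refused it.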
Ah, my bad, I forgot to change the permissions on the key.
chmod 600 id_rsa
Then connect again. I tried "java101" first, but it failed; then I remembered we have a password from config.yml, which is "I_love_java".
It finally works! (Took me something like 3 hours or more.)
To the Moon!
I ran sudo -l right away to check the privileges, and we have /usr/bin/zip.
Going to GTFOBins to check if we could leverage it. Great it does have something we could use!
Running it, we get ROOT!
Voila! Another room done!
Thank you for reading my write-up. I would like to improve my write-up skills in the future; you can reach me through Twitter or the comments. Sponsors are also welcome.
Twitter: https://twitter.com/curse_jk
Buy me coffee: http://buymeacoffee.com/Cursemagic
Other medium write-ups: https://cursemagic.medium.com