Archangel | TryHackMe Writeup
Archangel is an easy Linux-based machine on TryHackMe.
I started with an nmap scan and found 2 open ports.
Ports 22 and 80 are open.
I opened the website.
As mentioned in the picture, you can see the hostname.
So let's add this to our /etc/hosts.
Browse the hostname and you can see it is under development.
I checked robots.txt and got a file.
I opened that file in the browser and a button is there.
I clicked that button, and you can see the webpage is reading internal files. So I checked with LFI payloads.
My first payload was not successful.
My second payload was successful.
I opened that log file in the browser and got success.
For my next step of exploitation, I want to add this PHP code to the log file.
By that, whenever I read the log file, this PHP code can also be executed.
Remember: this is a log file; if you make any mistake or damage it, it won’t work anymore, so be careful.
Now I tried to read the log file and tried the PHP code for exploitation, and I got success.
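From the defender's side, the log-poisoning step above leaves traces in the same log file. The following detection sketch is an added example, not part of the original writeup; it assumes Apache "combined" log format, and the sample lines, the `page.php` script and its `file` parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# PHP open tags have no business appearing in client-supplied log fields.
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
# Requests that walk directories or name a log file are include attempts.
LOG_INCLUDE = re.compile(r'(?:\.\./|\.\.\\|/var/log/|access\.log)', re.I)

def findings(line):
    """Return a list of finding labels for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        # A line that no longer fits the format deserves a manual look.
        return ["unparseable"]
    out = []
    for field in ("request", "referer", "agent"):
        if PHP_TAG.search(unquote(m[field])):
            out.append(f"php-tag-in-{field}")
    # Decode twice so double URL-encoding does not hide the path.
    if LOG_INCLUDE.search(unquote(unquote(m["request"]))):
        out.append("traversal-or-log-path-in-request")
    return out

def scan(lines):
    """Return (line_number, findings) for every suspicious line."""
    hits = [(n, findings(l)) for n, l in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample lines (documentation IP range, hypothetical page.php).
SAMPLE = [
    '192.0.2.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '192.0.2.9 - - [01/Jan/2024:10:02:00 +0000] "GET /page.php?file=..%2F..%2Flogs%2Faccess.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE):
        print(lineno, ", ".join(found))
```

The durable fix is on the application side: the page should map the request parameter to a fixed allowlist of files rather than passing it to an include, and the web server account should not be able to read its own logs.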
To get a shell, I used this command.
I got a reverse shell using Burp Suite.
Then I uploaded linpeas from my local machine and ran it.
The files shown below are writable files owned by me; the /opt/helloworld.sh file is weird.
I added reverse shell code to that file and waited for 1 min; I got a shell back and could read the user flag.
For further checking, I uploaded linpeas and ran it.
In the image below, I have the privilege to execute the backup file.
I downloaded it and checked for strings; as you can see, the ‘cp’ command is executed.
I made a cp file in ‘/tmp/’ and made it executable. Then I added the /tmp/ path to the PATH variable,
so when we execute that backup file, it first checks for the cp command in ‘/tmp/’.
By this, I added a reverse shell command to the cp file and got a shell back, and now I am root.