Forwardslash

Run an Nmap scan against the IP.

Go to the website. We can see that the site redirects to forwardslash.htb and the page does not load.

Add forwardslash.htb to /etc/hosts.

Now go to the website again; this time the site loads.

Then I searched for directories but couldn't find anything, so I enumerated subdomains and found one subdomain.

Then I added the subdomain to the /etc/hosts file.

Now, searching for directories on the subdomain, I got a '/dev' folder. I tried to enumerate subdirectories inside /dev but couldn't find anything.

Going to the '/dev' folder, access is denied.

Go to the subdomain; we can see a login page with a sign-up option.

Sign up with credentials and log in.

You can see an option to change the profile picture. Go to that link.

You can see that it is disabled and you can't do anything with it.

Open the page inspector and remove the disabled attribute from the form tag.

You can see the modified form tag. Now the submit button is visible and you can send the request.

Now open Burp and capture the request.

Forwarding the request produced an error, so I searched for PHP filters for LFI and found this.

I added this before the POST parameter and got a Base64-encoded string.

I decoded the string and got /etc/passwd. From this we can identify two users: chiv and pain.
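What turned the profile-picture request into a file read is the stream-wrapper form of LFI: a value the application expected to be a picture URL is passed to a file-opening call, and PHP honours wrappers such as php://filter in it. As an added example (not code from this writeup or from the box), here is the kind of allow-list check the upload handler should have applied before touching the value. It is written in Python for illustration; the policy (http/https only, hostname required, image extension), the function names and the constructed test values are this example's own, and the wrapper list is used only so that rejected input can be logged by category.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Allow-list for the profile-picture fetcher (policy chosen for this example).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# PHP stream wrappers that must never reach a file-opening call from user
# input; used here only to label rejections for logging and alerting.
PHP_WRAPPERS = {"php", "file", "data", "phar", "zip", "glob", "expect",
                "ftp", "compress.zlib", "compress.bzip2"}


def wrapper_of(value: str) -> Optional[str]:
    """Return the scheme if `value` names a known PHP stream wrapper, else None."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme if scheme in PHP_WRAPPERS else None


def validate_image_url(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied picture URL.

    The check is an allow-list: only absolute http(s) URLs with a hostname and
    an image-looking path are accepted. Everything else, including a wrapper
    such as php://, a file:// URL or a bare relative path, is refused before
    the value can ever be handed to a file-opening function.
    """
    if not isinstance(value, str) or not value.strip():
        return False, "empty value"
    value = value.strip()
    if any(c in value for c in "\x00\r\n"):
        return False, "control characters in value"

    parts = urlsplit(value)  # urlsplit lowercases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        wrapper = wrapper_of(value)
        if wrapper:
            # Worth a security log entry: a stream wrapper in a picture URL is
            # never a legitimate client and is a strong LFI indicator.
            return False, f"stream wrapper {wrapper!r} not allowed"
        return False, f"scheme {parts.scheme or '(none)'!r} not allowed"
    if not parts.hostname:
        return False, "missing hostname"
    if not any(parts.path.lower().endswith(ext) for ext in ALLOWED_EXTENSIONS):
        return False, "path does not end in an image extension"
    return True, "ok"
```

The important design choice is that the function decides on the parsed scheme rather than searching the string for bad substrings: a deny-list of wrappers would miss the next wrapper or an encoded variant, while an allow-list of two schemes cannot. The fetch itself should then be done with an HTTP client, never with a generic "open this path or URL" primitive.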





After a lot of enumeration I didn't get many more details. Then I remembered the folder I had found earlier, looked into it, and got a Base64-encoded string.

I decoded it and got chiv's password.

Using the credentials I logged in to a shell as chiv.

Now let's look at the SUID files. We can see a file owned by the user pain.

We can also see the accessible files in '/var/backups/', and config.php.bak is interesting.

I ran the backup binary and saw that the number next to the ERROR field changes frequently.

Then I checked the config.php.bak file in the backup folder; permission is denied.

I created a bash script that makes a symbolic link to the file, using the number we get from the error.

After running the script we got the password for pain.
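The trick in the paragraphs above works because the privileged backup program opens a file under a name the caller can predict and follows the symbolic link that has been planted there, so it reads config.php.bak with its own (pain's) privileges. As an added example (not code from this writeup or from the box), here is how a privileged program can open a caller-influenced path so that a planted symlink is refused and the inode it actually reads is checked for type and owner on the open descriptor. It is written in Python; the function and error names are this example's own, and the files the demo uses are constructed in a temporary directory.

```python
import os
import stat
import tempfile


class UnsafePathError(Exception):
    """Raised when a path does not meet the type/ownership policy."""


def read_owned_file(path: str, owner_uid: int, max_bytes: int = 1 << 20) -> bytes:
    """Open `path` without following a symlink and verify the opened inode.

    All checks run on the open descriptor, so the check and the read refer to
    the same inode rather than to whatever the name points at a moment later:
      1. O_NOFOLLOW makes open() fail (ELOOP) if `path` itself is a symlink.
      2. fstat refuses anything that is not a regular file (FIFOs, devices).
      3. fstat refuses a file not owned by `owner_uid`, e.g. the user the
         privileged program is acting on behalf of, so a file merely placed in
         a shared directory by someone else is not read as if it were theirs.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UnsafePathError(f"refusing to open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePathError(f"{path} is not a regular file")
        if st.st_uid != owner_uid:
            raise UnsafePathError(
                f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
        return os.read(fd, max_bytes)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed self-check: a regular file owned by us is readable, while a
    symlink to it and a wrong expected owner are both refused."""
    me = os.getuid()
    out = {}
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "config.txt")
        with open(regular, "wb") as fh:
            fh.write(b"secret\n")
        link = os.path.join(d, "planted-link")
        os.symlink(regular, link)  # what an attacker would leave under the name
        out["regular"] = read_owned_file(regular, me)
        for key, target, uid in (("symlink_refused", link, me),
                                 ("wrong_owner_refused", regular, me + 1)):
            try:
                read_owned_file(target, uid)
                out[key] = False
            except UnsafePathError:
                out[key] = True
    return out


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only protects the final path component; a privileged program that must work inside a directory other users can write to should also open that directory first and use openat-style calls relative to it, or simply refuse to operate in world-writable locations. On Linux the fs.protected_symlinks sysctl closes the same class of attack for sticky world-writable directories such as /tmp, but it does not cover a program's own working directory, which is why the check belongs in the program.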





Log in as pain with the credentials we got and read user.txt.

The next step is to escalate privileges to root. We can see two files in the encryptorinator folder, which is in pain's home directory.

Download the files and check what happens in them.

After some time I thought it might be giving me a message, so I modified the script with the if-check shown below.

When I ran it, I got a directory path and a password.

Checking which commands have sudo privileges.

Using cryptsetup to decrypt it, I entered the password I got together with the directory path.

I mounted it, got the id_rsa file, and logged in as root.

Got root.