Olympus Writeup

 


Olympus link


Enumeration



Starting off with a nmap scan we can see that we have two ports open, 22(ssh) and 80(http), let's start by taking a look at the web server first.


Looks like we instantly get redirected to olympus.thm so we need to make sure we add this to our /etc/hosts file. Once we get to the website we can see that there is a message letting us know that we can still visit the old version of the website on this domain, so lets run gobuster and see if we can find a directory that will take us there.


Taking a look at the gobuster scan we can see that we have a /~webmaster/ directory so we should go check that out, we can also see that the site is running a mysql db based on the /phpmyadmin/




Looks like we have a pretty basic CMS system, there's some interesting details on this page other than the Admin and Register links, we should probably go look for that wordlist quickly, we can also run another gobuster scan on this directory as well to see if we find anything else interesting.



Taking a quick look around the website reveals that most of the links are dead and there isn't a whole lot else to look at, there is a login field and a search field, the login field seems like it is injectable with a sql authentication bypass attack but doesn't actually redirect anywhere as far as I can tell, it just gets stuck on login.php.




Taking a look at the search field we can see that it is susceptible to sqli, entering a single quote into the field results in the above error and looking at the request details we can see what the post request takes in when we run a search (I've used a 1 in the screenshot just to make it a little easier to see)


I won't go through each and every one of the above images but I just used sqlmap to enumerate the database utilizing the basic sql injection we found, as we can see we get our first flag, we can also find some users and passwords with an email that goes back to chat.olympus.thm which we definitely will want to add to our /etc/hosts file and take a look at, we will also need to crack the password hashes for the users.
We can also see in the chats table there is information about how the system automatically changes file names, this is helpful to know incase we ever need to upload a file to gain a reverse shell.


Taking a look at the chat subdomain we can see that there is a login form, lets go try crack those hashes and see if we can get access with a user.


Running the passwords through john we managed to crack one of them, so lets see what happens when we log in with this account.


Looks like we're in, now we need to find out where these file uploads go.



Running gobuster we can see the uploads directory, navigating their we don't see anything though.


We do receive this message when trying to view the password file that we could see the changed name in the database chat logs, this means if we upload a file, we can at least check the database to see what the file has been changed to.

Checking out the upload.php file we can see that we are told what files we can upload, hopefully we can bypass this filter so that we can upload a reverse shell.


Foothold



Seems like that worked, now all we need to do is open the php file and catch the shell with nc.


And just like that we have a shell, now to upload socat so we can get a stable shell.


Now we can start enumerating the machine and try get to root.


Starting off by navigating to zeus' home directory we can see that we have our user flag which is readable so lets grab that, we also have a text file in there as well.


Nothing overly interesting in here, let's upload linpeas and see if that helps us find anything interesting.


Taking a look at the linpeas output we can see that it flags an unknown binary, let's load it and see what happens seeing it looks like we can run it.


Interesting, looks like we might be able to copy files using this utility, let's see if zeus has an id_rsa file in his .ssh directory and if we can copy it out using this.


Success! Lets head over to the tmp directory and copy this to our machine and see if we can ssh in.



And just like that we're in, now lets see if we can get root.

PrivEsc



Whilst enumerating earlier I stumbled across a directory that only zeus could access, taking a look at this directory it appears there's a reverse shell, lets try navigating to the directory and see what happens.


Success! Now we just need the password from the php file and we should be able to get a reverse shell as root. A note to remember with this one, the directory is in the html directory rather than one of the directories labeled with the domain or subdomain so make sure you use the IP when trying to access the directory.



Following the instructions provided by the shell we easily grab a shell, now to get our root flag and the bonus flag.

Comments

Post a Comment

Popular posts from this blog

Biteme Writeup

Image
  Biteme link Enumeration Firing up nmap we can see that we have 2 ports open, 22(ssh) and 80(http), let's take a quick look at the webserver first and see what's running on it. Just the default apache page, lets run gobuster and see if we can find any directories. Looking at gobuster we only seem to have the one directory, /console/  so let's take a look at that, we may need to possibly run a bigger wordlist later if we can't net anything from this. Interesting, we have a login page with a captcha, taking a quick look at the page source doesn't reveal any hidden details so let's take a look at what happens and what data is submitted when we attempt to login. Interesting, it seems there was a message logged to the console when we attempted to sign in stating that php file syntax highlighting has been turned on. We can also see that when we submit a sign in attempt there is an extra variable of clicked = yes. Lets run a quick gobuster scan on the console director...
Read more

0day Writeup

Image
  0day link Enumeration Running an initial nmap scan we can see that we have port 80 and 22 open, so lets start by taking a look at the website to see what we have. Nothing exciting on the main page and looking into the page source we don't have much so lets run gobuster and see what that brings us back. Gobuster returns a whole bunch of interesting directories, we'll start by looking at robots.txt just incase there's anything extra listed in their that gobuster didn't find and then we'll slowly start working through each of the folders that returned a 301 redirect. Nothing really interesting on any of the directories, mainly looks to be a bunch of rabbit holes, the /backup/  directory did have a private rsa key in it though which we'll copy and save for later just incase, but we don't have a known user that it could be associated with so it's not much use. Next step would be to look for exploits, usually with /cgi-bin/  exposed we'd be hoping for an...
Read more