🖋️
Cybersecurity Long haul
  • Road to PNPT
  • Book List
  • VirtualBox and OPNsense Setup
    • Installing OPNsense
      • VLAN Setup
        • Configuring OPNsense
          • Interface Configuration
          • Firewall Rules
            • DNS Resolver
              • Import Vulnerable Machine
  • Virtual Hacking Labs
  • VBSetup
  • OSCP Machine List:
  • Vulnhub Walkthroughs
    • Kioptrix 1
    • The Planets
      • Mercury
      • Venus
      • Earth
    • DC Series
      • DC-1
      • DC-2
      • DC-3
      • DC-4
  • HackMyVM
    • Easy
      • Gift
      • Pwned
      • Connection
      • BaseME
      • Hommie
Powered by GitBook
On this page

Was this helpful?

  1. HackMyVM
  2. Easy

Pwned

Pwned is a organization hacked by an attacker. Find the vulnarablity in attacker way.

PreviousGiftNextConnection

Last updated 1 year ago

Was this helpful?

nmap scan results:

ftp anonymous login isn't allowed. So lets go to port 80.

hmm okay. I ran dirb to see what directories we get.

robots.txt shows /nothing directory and that leads us to...well nothing.

Wouldn't hurt to run gobuster with a bigger wordlist.

I went to /hidden_text and found "secret.dic".

My thoughts are to run this list with gobuster and see what comes back.

This shows that pwned.vuln is an active link so lets go to it.

Interesting. Lets have a look at the source.

Now we have credentials and can login via ssh.

Privilege escalation:

We have a share directory with note.txt and id_rsa.

Lets grab that id_rsa and ssh with ariana.

sudo -l shows that selena can run /home/messenger.sh without a password.

Looking at the code it looks like whatever message we send gets executed. So maybe we can get a reverse shell as root.

We can! So maybe we can do the same but with root?

Nope not that easy. if we run id selena is in the docker group. Lets see what gtfo has on docker.

Bingo!! That was fun.

Logodocker | GTFOBins
Ports 21,22 and 80 are open