1. How many services are running under port 1000?
ANS:- 2
2. What is running on the higher port?
ANS:- SSH
3. What's the CVE you're using against the application?
First, we need to enumerate the target website. We can use Dirsearch for this, specifying the URL with the '-u' flag.
The scan found the '/simple' endpoint, which hosts a web application. At the bottom of that page we also found a CMS application, and its version was identified as 2.2.8.
We searched for this version on ExploitDB and found an SQL injection exploit.
To download the exploit, we can use 'searchsploit -m', which mirrors (copies) the exploit into the current directory from the command line.
ANS:- CVE-2019-9053
4. To what kind of vulnerability is the application vulnerable?
ANS:- Sqli
5. What's the password?
ANS:- secret
6. Where can you login with the details obtained?
ANS:- SSH
7. What's the user flag?
Okay, we successfully logged in using SSH. We can use the 'ls' command to list the files and directories in the home directory, and we found a file named 'user.txt'.
ANS:- G00d j0b, keep up!
8. Is there any other user in the home directory? What's its name?
ANS:- sunbath
9. What can you leverage to spawn a privileged shell?
When we ran 'sudo -l', we found that we have permission to run '/usr/bin/vim' with root privileges.
ANS:- VIM
10. What's the root flag?
To escalate our privileges, we used GTFOBins to find a way to take advantage of our 'vim' permissions. We copied the path '/usr/bin/vim' and searched for it on GTFOBins, which gave us the command "sudo vim -c ':!/bin/sh'". Running this command gave us a root shell.
ANS:- W3ll d0n3. You made it!
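From the defender's side, the root cause behind questions 9 and 10 is a sudoers entry that lets a user run an editor with a shell escape as root. The following audit script is an added example (not part of the original writeup) that parses constructed 'sudo -l' output, flags such entries, and treats sudo's NOEXEC tag as the mitigation; the username and the non-vim entries are made up for the sample.

```python
import os
import re

# Constructed sample of `sudo -l` output (not from the original page); the
# vim line mirrors the finding in the writeup, the rest is made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on this host:
    env_reset, mail_badpass

User lowpriv may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (ALL) /usr/bin/systemctl restart nginx, /bin/cat /etc/hosts
"""

# Editors and pagers that can launch a subprocess from inside the program;
# GTFOBins documents the vim case used in the writeup.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "view", "nano", "less", "more"}

# One sudoers privilege line: "(runas) TAG: TAG: cmd1, cmd2"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas, tags, command) triples from `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and Defaults are not privilege entries
        tags = set(re.findall(r"([A-Z_]+):", m.group("tags")))
        for cmd in m.group("cmds").split(","):
            entries.append((m.group("runas").strip(), tags, cmd.strip()))
    return entries


def audit_sudo_l(text):
    """Flag entries whose binary has a documented shell escape.

    Entries carrying sudo's NOEXEC tag are not reported, since NOEXEC blocks
    the child-process launch the escape relies on; granting 'sudoedit'
    instead of an editor removes the problem entirely."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            findings.append({"runas": runas, "command": cmd,
                             "nopasswd": "NOPASSWD" in tags,
                             "fix": f"use sudoedit or add NOEXEC: to {binary}"})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(finding)
```

On a real host, pipe the output of 'sudo -l' into 'audit_sudo_l' instead of the constructed sample.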