To begin, we need to gather information about the target machine. Using the nmap command, we can perform an initial scan to identify open ports and services:
sudo -l
We can leverage this configuration to gain root access:
<!-- TODO: move to prod env -->
This hint suggests that the website might be running in a non-production environment. We can try to access the /admin directory, which often contains administrative interfaces:
http://10.10.10.15
The webpage appears to be a simple website with a "Contact Us" form. However, upon inspecting the page source, we notice a peculiar comment:
sudo -u fish /bin/bash
Switching to the fish user, we find that the user's home directory contains a config file with sensitive information:
We create a PHP reverse shell using a tool like msfvenom:
Next, we visit the HTTP service running on port 80:
su root