Use the command xxd to reverse the hex: xxd -r password_backup > password Go to the terminal now and check the form of the file by typing: file password_backup Go to your browser and open the IP's port 8000. To download the password_backup file, let's launch a python web server: python3 -m rver 8000 Here we can find the user.txt, but as we don't have permission, we won't be able to open.īut we also have a file named password_backup. Three important folders / files will be seen. So let's go to the directory /home / floris now. Then open the uploaded shell connection that can be found in the path below Upon launch, you will receive a reverse shell via netcat listening on port 7878. Using netcat to start a listener in your kali: nc -lnvp 7878 So grab the pentest monkey's PHP reverse shell. It was changed by some people and the box was constantly crashing. One thing to note is that the server's default files like index.php will never be changed. Now for a reverse container, we can build our own script. Go to templates > templates > pick your favorite theme If we go to the home screen and watch properly we’ll see the name "Floris" Therefore, never make this mistake and always properly list each and every bit. I stuck a little here because I tried running Hydra and wfuzz instead of looking properly at everything on the homepage and got zero results with it. We know that Joomla has a URL / administrator login pageįinding a user name was the next job. So it looks like some form of password has to be. Go to Kali and type as follows: echo -n “Q3VybGluZzIwMTgh” | base64 -d So looks like a Base64 text: “Q3VybGluZzIwMTgh”. Let's switch to secret.txt and see the contents thereof. Now you'd be able to see a filename if you have good eyes: secret.txt Referred to in the comment section in the source code edge. In this case, the Joomla version was 3.8.8. We can scan the IP with the joomscan Tool and the enabled Joomla version will be shown. the IP in our browser, and we'll find a Joomla application website. If we go to google and look for the above-mentioned service version numbers, we're not going to find anything exciting going forward. Port 22 and port 80 were available, as we can see from the tests. We're going to start by doing a nmap scan with our recon. All that needed to be done was to actually look for it. Many were lost and overthought like me to get the root flag, but the solution was right in front of us. It was easier to get the user flag than to get the root flag. It was a fun box, and the box level was said to be simple. Today we're going to go through the Curling machine's walkthrough, which recently retired.
0 kommentar(er)
