Proving Grounds: Inclusiveness
Today we will be looking at Off Sec Proving Grounds Inclusiveness, found here:
Let's start off as usual with a rustscan:
We have three ports open; let's try anonymous login on FTP:
It works. Whenever I get anonymous login, I always like to try to send a file in all directories to see if I have write permissions anywhere:
We have write permissions on pub. Let's check out port 80 and see if there is a way to call back to pub.
Let's set a user agent of GoogleBot in Firefox…
To do this we need to go to about:config, put in the information below, click on string and put in GoogleBot.
After a refresh we see the following:
Let's try LFI:
Easy day. Let's call to /var/ftp/pub and see if we can pull that test.txt:
Reverse shell time:
Let's try to get to root:
SUID bits show the following:
whoami is not given as a full path, and we are using printf. Let's try a printf of tom and send it to a file named whoami within the /tmp directory:
And we are root. Hopefully you learned something new in this box, and I look forward to doing some more. You all have a good one.
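The root step works because a SUID program decides who is calling it by running whoami through PATH. As an added example (not code from the box or from this post), here is a caller check that does not depend on the environment: it reads the real uid and resolves it in the passwd database. The function names and the choice of "tom" as the allowed user are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Look up the login name for uid in the passwd database.
 * Returns 0 on success, -1 if the uid is unknown or out is too small. */
int name_for_uid(uid_t uid, char *out, size_t outlen) {
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    if (strlen(pw.pw_name) >= outlen)
        return -1;
    strcpy(out, pw.pw_name);
    return 0;
}

/* Return 1 only if the real uid (the invoking user, even in a SUID program)
 * maps to allowed_user. No child process is started and PATH is never
 * consulted; any lookup failure is treated as "not allowed". */
int caller_is(const char *allowed_user) {
    char name[64];

    if (name_for_uid(getuid(), name, sizeof name) != 0)
        return 0;
    return strcmp(name, allowed_user) == 0;
}

int main(void) {
    /* "tom" is the name used in the walkthrough; treating it as the allowed
     * user is an assumption of this example. */
    if (!caller_is("tom")) {
        fputs("access denied\n", stderr);
        return EXIT_FAILURE;
    }
    puts("caller verified from the real uid");
    return EXIT_SUCCESS;
}
```

If a privileged program really has to run a helper, calling it by absolute path with a fixed environment removes the same dependency on PATH.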