THM - Empline

Hi everyone,

today we look at the Empline room, created by zyeinn!

Let's start.

Let's open the web page and take a look:

We look at the source code, but there is nothing interesting: no inputs, no database.

It's time to check the open ports:

Now we look for directories and subdomains.

Nothing interesting, just the usual folders.

Now we look for subdomains:

Word count 914 marks the default response, so we exclude 914 and try again.

We find the subdomain job; we check its folders and visit the site:

I try SQLi, but nothing. In the source code I find some credentials; I try them, but they don't work.

Now, directory fuzzing:

There are several interesting folders: uploads, careers, attachments. Let's visit them!

See open positions:

Mobile Dev: let's see if there are any inputs to test.

We apply for the position!

I try to upload a reverse shell (made with reverse shell 7sec.com), and since there is an uploads folder, I check whether the file lands there.

In the uploads folder I find another directory; I visit it, but there are no files in it, so I assume uploading .php files doesn't work.

I turn on Burp!

I intercept the reverse shell upload, change the Content-Type, add GIF87a before the code and send it with Repeater.

It works! I start pwncat and launch the PHP file.

Great, we enumerate via pwncat:

and the user:

OK, an interesting user, but nothing more.
Let's get a shell and check whether the CMS has configuration files.

I find the config.php file, which gives me MySQL credentials. Let's check:

We log into MySQL and see whether there is interesting information in the DB.

Check:

I find 3 password hashes; we use crackstation.net:

Now we have one user and a password. The user matches the one enumerated by pwncat, and port 22 is open on the VM, so let's try to log in!

OK, we're in. Looking for the first FLAG:

Super, now let's upload linPEAS and search!

I found something. We dig into book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities and check again.

Okay, Ruby.
Can I edit files?
Think, think and think!
Ruby file system commands: rubyreferences.github.io/rubyref/builtin/system-cli/filesystem.html

Chown!

I write a .rb file that changes the owner of /etc/passwd, then I edit it and insert a root user. Let's try!

It works!

Create a password and edit the passwd file:

Save and log in with the new user!

Exceptional! I find and read the root FLAG.
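As a defender's follow-up to the capability finding above, here is an added audit script (not part of this write-up) that parses getcap output and flags binaries, interpreters in particular, carrying a capability that bypasses ownership or permission checks. It assumes the capability linPEAS reported on the Ruby binary was cap_chown, as the Chown! step implies; the sample getcap lines are constructed.

```python
import re
import subprocess
# Capabilities that bypass ownership/permission checks or otherwise escalate;
# an interpreter holding one is a root shell for anyone allowed to execute it.
DANGEROUS_CAPS = {"cap_chown", "cap_dac_override", "cap_dac_read_search",
                  "cap_fowner", "cap_setuid", "cap_setgid", "cap_setfcap",
                  "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace"}
INTERPRETERS = ("ruby", "python", "perl", "php", "node", "lua")
# getcap prints "path = cap_x+ep" (older libcap) or "path cap_x=ep" (newer);
# an empty name list, as in "path =ep", means the full capability set.
_GETCAP_LINE = re.compile(
    r"^(?P<path>\S+)\s*(?:=\s+)?(?P<names>[a-z0-9_,]*)[=+-](?P<flags>[eip]*)$")

def parse_getcap_line(line):
    """Return (path, set of capability names, flag letters) or None."""
    m = _GETCAP_LINE.match(line.strip())
    if not m:
        return None
    names = {n for n in m.group("names").split(",") if n} or {"all"}
    return m.group("path"), names, m.group("flags")

def audit_getcap(output):
    """Return one finding per binary whose capability set includes a dangerous one."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = DANGEROUS_CAPS if "all" in caps else caps & DANGEROUS_CAPS
        if risky:
            base = path.rsplit("/", 1)[-1]
            findings.append({"path": path, "caps": sorted(risky),
                             "effective": "e" in flags,  # usable without capset()
                             "interpreter": any(t in base for t in INTERPRETERS)})
    return findings

def audit_host(root="/"):
    """Audit a live host; needs libcap's getcap on PATH (stderr is discarded)."""
    proc = subprocess.run(["getcap", "-r", root], capture_output=True, text=True)
    return audit_getcap(proc.stdout)

# Constructed sample in both formats; cap_chown on ruby is the assumed finding.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/ruby = cap_chown+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/suexec =ep
"""
```

Run audit_host() on a live system; removing the capability with setcap -r, or restricting who may execute the interpreter, closes the path used above.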

Thanks TryHackMe!