Light Cycle
10.10.191.140
nmap
80 http
65000 http
gobuster on port 65000
/uploads.php
/grid
bypassing the uploads.php page with php reverse shell
to remove the client-side filter we remove the javascript entry in the intercept client requests option so the request for the script is intercepted,
then drop the js filter page
now to bypass the server-side filter we add the .jpeg.php extension
then the php reverse shell is uploaded
run the reverse shell in /grid
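Defender's view of the server-side filter, as an added example (not the room's uploads.php and not code from these notes): the weak check is an assumed reconstruction of a filter that lets a .jpeg.php name through, and the function names and sample uploads are made up for illustration.

```php
<?php
// Added example, not the room's uploads.php.

// WEAK (assumed behaviour): passes any name that contains an image
// extension anywhere, so "shell.jpeg.php" is accepted.
function weak_is_allowed(string $name): bool {
    return preg_match('/\.(jpe?g|png|gif)/i', $name) === 1;
}

// HARDENED: allowlist keyed on the final extension, with the magic bytes
// the file content must start with.
const ALLOWED = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1a\n",
    'gif'  => "GIF8",
];

// Returns a server-generated file name, or null if the upload is rejected.
function safe_stored_name(string $name, string $bytes): ?string {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION)); // last extension only
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    $magic = ALLOWED[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null; // content does not match the claimed type
    }
    // Discard the client-supplied name entirely.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: name => leading bytes of the body.
$samples = [
    'photo.jpeg'     => "\xFF\xD8\xFF\xE0JFIF",
    'shell.jpeg.php' => "<?php /* placeholder */",
    'fake.png'       => "<?php /* placeholder */",
];
foreach ($samples as $name => $bytes) {
    printf("%-15s weak=%-6s hardened=%s\n", $name,
        weak_is_allowed($name) ? 'accept' : 'reject',
        safe_stored_name($name, $bytes) ?? 'reject');
}
```

The upload directory should also be served with script execution disabled, so a file that slips past the filter is never handed to the PHP interpreter.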
got username and password in /var/www/TheGrid/includes/dbauth.php
tron : IFightForTheUsers
mysql -utron -p
IFightForTheUsers
in mysql found username:[redacted]
flynn : edc621628f6d19a13a00fd683f5e3ff7
cracking hash-password =[redacted] [redacted]
switch to flynn
su - flynn
user is in lxd group
we can exploit this to get root { reference Hacking Article }
Task
- Scan the machine. What ports are open?
  80, 65000
- What’s the title of the hidden website? It’s worthwhile looking recursively at all websites on the box for this step.
  Light Cycle
- What is the name of the hidden php page?
  uploads.php
- What is the name of the hidden directory where file uploads are saved?
  grid
- Bypass the filters. Upload and execute a reverse shell.
  no answer needed
- What is the value of the web.txt flag?
  [redacted challenge flag]
- Upgrade and stabilize your shell.
  python3 -c 'import pty;pty.spawn("/bin/bash")'
- Review the configuration files for the webserver to find some useful loot in the form of credentials. What credentials do you find? username:[redacted]
  [redacted sensitive answer]
- Access the database and discover the encrypted credentials. What is the name of the database you find these in?
  [redacted sensitive answer]
- Crack the password. What is it?
  [redacted sensitive answer]
- Use su to login to the newly discovered user by exploiting password reuse.
  [redacted sensitive answer]
- What is the value of the user.txt flag?
  [redacted challenge flag]
- Check the user’s groups. Which group can be leveraged to escalate privileges?
  lxd
- Abuse this group to escalate privileges to root.
  refer Hacking Article lxd privilege escalation
- What is the value of the root.txt flag?
  [redacted challenge flag]