I opened netdiscover to do a network scan; the target IP was 192.168.0.151.
After that I ran a port scan with Nmap and found that port 80 was open.
NOTE: An alternative is nmap -sV -A -p- 192.168.0.151 (all ports, with version detection).
I pasted the IP into the browser and this was the website, so the next step was to work through the navigation bar (Home, News, About Us, Contact Us and Login) to see what I could find.
This was the news page, where I found out why the website was under reconstruction: their servers had been hacked, so they had to take security measures.
Under Contact Us I found the email addresses and phone numbers of internal employees, which is one of the worst practices, but it is an advantage to us: I could use the emails for login purposes, and best of all we now know the administrator's username, admin, and who the admin is: Bob.
The next thing was to start inspecting the elements of the web page to see what we could find. In /login.html I found a comment that Bob left for the other IT guys.
After that I checked news.html and found a base64-encoded string, which I had to decode.
After decoding the message, I found that Bob had left a note complaining that someone had created a file called password.html.
The next thing was to check what password.html contained, but before doing that I opened Burp Suite to intercept and examine the traffic. After opening Burp Suite I found the normal navigation bar.
Next I spidered the site and found some interesting hidden folders, one of them being a shell and another being a password folder.
After opening the password.html page I found another message Bob left the team about why they were hacked in the first place.
who made this file at least get a hash of your password to display, hackers
can’t do anything with a hash, this is probably why we had a security breach in
the first place. Come on people this is basic 101 security! I have moved the
file off the server. Don’t make me have to clean up the mess every time someone
does something as stupid as this. We will have a meeting about this and other
stuff I found on the server. >:(
The worst advice Bob gave the team was to leave the password hash there, because he believes hackers can't do anything with hashes.
The next thing was to check the other hidden folder, lat_memo.html, where Bob left another message for the IT guys about the shell.
sent at GMT+10:00 2:37:42 by User: Bob
Hey guys, IT here. Don’t forget to check your emails regarding the recent security breach. There is a web shell running on the server with no protection, but it should be safe as I have ported over the filter from the old Windows server to our new Linux one. Your email will have the link to the shell.
Next I opened the shell subfolder and it brought up a command execution page.
The next step was to examine the source code of the dev_shell.php page to see what I could find, and I found another note Bob had left for the other employees.
Next I went back to the dev_shell.php page and typed the command dir in the command box, and a list of files popped up. Next I examined the file dev_shell.php.bak, which the browser downloaded from the website.
After downloading the script, I opened it and saw the commands that can't be executed: pwd, netcat, ssh, wget, ping, traceroute, cat and nc.
Knowing which commands can't be used, I went back to the shell and typed More /home to see if there was a home directory, and indeed there was one.
Listing the home directory with the command Dir /home showed a list of usernames.
After that I went into the Elliot directory to see what I could find by typing the command Dir /home/Elliot, where I found a file called theadminisdumb.txt.
Then I typed the command More /home/Elliot/theadminisdumb.txt to read the text file, which stated that
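As an added example (not the box's own dev_shell.php, whose source is not on this page), the following Python models a command denylist built from the blocked words listed above and shows why it let More and Dir through, beside the allowlist a defender would use instead. The denylist behaviour (first word checked case-insensitively) and the allowlisted commands are assumptions.

```python
import re
import shlex

# Blocked words as listed in the walkthrough (the filter's real source is not on the page).
DENYLIST = ("pwd", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc")

# Assumed denylist behaviour: reject the request if the first word contains a blocked word.
def denylist_permits(command: str) -> bool:
    """True if a denylist-style filter would hand this command to the shell."""
    words = command.strip().split()
    if not words:
        return False
    first = words[0].lower()
    return not any(bad in first for bad in DENYLIST)

# Defender's alternative: a short allowlist of exact command names, arguments
# restricted to a safe character class (no quotes, ';', '|', '$' or backticks),
# and execution via argv, never through a shell.
ALLOWLIST = frozenset({"uptime", "df", "free"})
SAFE_ARG = re.compile(r"[A-Za-z0-9._/-]+")

def allowlist_permits(command: str) -> bool:
    """True only for an allowlisted command with plain arguments."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes: reject
        return False
    if not argv or argv[0] not in ALLOWLIST:
        return False
    return all(SAFE_ARG.fullmatch(arg) is not None for arg in argv[1:])

# Commands from the walkthrough plus one constructed chaining attempt.
SAMPLE_COMMANDS = (
    "cat /home/Elliot/theadminisdumb.txt",   # blocked word: denied by both filters
    "more /home/Elliot/theadminisdumb.txt",  # same effect as cat, but not on the denylist
    "dir /home",                             # same effect as ls, passes the denylist
    "uptime; dir /home",                     # chaining: first word is fine, denylist passes it
    "uptime",                                # harmless status command, allowed by both
)

def compare_filters(commands=SAMPLE_COMMANDS) -> dict:
    """Map each command to (denylist verdict, allowlist verdict)."""
    return {c: (denylist_permits(c), allowlist_permits(c)) for c in commands}

if __name__ == "__main__":
    for cmd, (deny, allow) in compare_filters().items():
        print(f"{cmd!r:45} denylist={deny!s:5} allowlist={allow}")
```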
“:::::::::::::: /home/elliot/theadminisdumb.txt :::::::::::::: The admin is dumb. In fact everyone in the IT dept is pretty bad, but I can’t blame all of them; the newbies Sebastian and James are quite new to managing a server, so I can forgive them for that password file they made on the server. But the admin, now he’s quite something. Thinks he knows more than everyone else in the dept; he always yells at Sebastian and James. Now they do some dumb stuff, but they’re new and this is just a high-school server, who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that don’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much, but he just yells at me and says I don’t know what I’m doing. Sebastian has noticed and I gave him some tips on better securing his account; I can’t say the same for his friend James, who doesn’t care and made his password: Qwerty. To be honest, James isn’t the worst, Bob is; his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. It’s only a matter of time before it’s broken into, so because of this I have changed my password to the admin is dumb. I hope Bob is fired after the future second breach because of his incompetence. I almost want to fix it myself, but at the same time it doesn’t affect me if they get breached. I get paid, he gets fired, it’s a good time.”
Elliot mentioned James's password, which was a plus for me.
Knowing that James uses the username jc and the password Qwerty, I connected to the server over SSH on port 25468 and logged in as James.
Then I listed all the directories and found the final flag, which read “hey n there flag.txt”.