tips for onetwoseven from hackthebox
- no need to wfuzz or dirbust anything.
- sftp access is chrooted, while httpd’s is not. both services are able to create and follow symlinks.
- /etc/passwd, /var/www/html/signup.php are quite interesting.
- if you check creds generation algo, you can find out 127.0.0.1 creds. this will give you user.txt.
- check html-admin folder. there are bruteforcable creds. so bruteforce that hash.
- quite interesting task is pivoting, since connections to admin interface are limited to localhost. you can utilize ssh for this, however use -N flag to avoid creating shell.
- combining 5th and 6th you should be able to log in.
- upload your web shell by request to addon-download.php?/addon-upload.php. use appropriate phpsessid and produce valid header for plugin. you have some samples in addons folder.
- www-admin-data is a sudoer. thoroughly check its sudo capabilities and take your root. however, a lot of sysadmin work is needed.