Tips for OneTwoSeven from Hack The Box

  1. No need to wfuzz or dirbust anything.
  2. sftp access is chrooted, while httpd's is not. Both services are able to create and follow symlinks.
  3. /etc/passwd and /var/www/html/signup.php are quite interesting.
  4. If you check the creds generation algo, you can find out the creds. This will give you user.txt.
  5. Check the html-admin folder. There are bruteforceable creds in it, so bruteforce that hash.
  6. A quite interesting task is pivoting, since connections to the admin interface are limited to localhost.
    You can utilize ssh for this; however, use the -N flag to avoid creating a shell.
  7. Combining the 5th and 6th, you should be able to log in.
  8. Upload your web shell by a request to addon-download.php?/addon-upload.php. Use an appropriate PHPSESSID and produce a valid header for the plugin. You have some samples in the addons folder.
  9. www-admin-data is a sudoer. Thoroughly check its sudo capabilities and take your root. However, a lot of sysadmin work is needed.
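
Tip 2 from the defender's side, as an added example that is not part of the original notes: a symlink created inside the sftp chroot is resolved by the unchrooted httpd against the real filesystem, so an audit should flag every link under a user's chroot base that leaves it. The directory layout and names (user1, user2, public_html) are constructed sample data, not the box's real paths.

```python
import os
import tempfile


def escaping_symlinks(chroot_base):
    """Return sorted (link, target, reason) tuples for symlinks under
    chroot_base that an unchrooted process would follow outside of it."""
    base = os.path.realpath(chroot_base)
    findings = []
    for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
        # os.walk lists links to directories in dirnames, all others in filenames
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # Resolve the way a process that is NOT chrooted sees it: an
            # absolute target starts at the real "/", not at the chroot base.
            resolved = os.path.realpath(os.path.join(dirpath, target))
            inside = resolved == base or resolved.startswith(base + os.sep)
            if not inside:
                reason = ("absolute target" if os.path.isabs(target)
                          else "relative escape")
                findings.append((os.path.relpath(path, base), target, reason))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "home", "web", "user1")  # hypothetical chroot base
        pub = os.path.join(base, "public_html")
        os.makedirs(pub)
        open(os.path.join(pub, "index.html"), "w").close()
        os.symlink("index.html", os.path.join(pub, "home.html"))   # stays inside
        os.symlink("/etc/passwd", os.path.join(pub, "p"))          # absolute
        os.symlink("../../user2", os.path.join(pub, "neighbour"))  # leaves base
        return escaping_symlinks(base)


if __name__ == "__main__":
    for link, target, reason in demo():
        print(f"{link} -> {target} ({reason})")
```

Run against each chroot base from cron or a file-integrity job; any finding means the web server can be steered to content the sftp user cannot reach directly.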

