HackTheBox Apocalyst walkthrough


We start with a masscan port scan.

Two ports are open: web and SSH.

Browsing the web port, we see a WordPress site, but it does not render correctly.

To view it correctly, we need to put the following in our /etc/hosts file:

Then we browse the site again.


We can go to http://10.10.10.46/?author=1 to view the user in WordPress. This gives us the user falaraki.

We then use gobuster to find other pages, but it keeps returning 301 redirects, each of which leads to the following picture.


We use the cewl tool to generate a list of words from the main page.

We then feed that output to gobuster again.

Here,
-f appends / to the end of each word
-l lists the response size

We find a folder with a different size, i.e. 175.

Going to the URL http://apocalyst.htb/Rightiousness/ reveals the same image.


But this time, if we view the source of the page, we see the following:

Notice <!-- needle -->

We use a tool called steghide to see if there is any hidden data in the image.

Note: There is no password; just hit ENTER when prompted for one.

We get a file called list.txt. We now use it as a word list to find the WordPress login for the user falaraki.

We get the password to be Transclisiation

We can log in to the dashboard.


Go to Appearance –> Editor, replace 404.php with the reverse shell found in /usr/share/webshells/php/php-reverse-shell.php, and edit the following:

Then listen for the reverse shell.

Then, go to http://apocalyst.htb/wp-content/themes/twentyseventeen/404.php

You will get the shell.

Go to the user's home directory.

We get the user's password. We can log in with this password over SSH.

Using Linuxenum, we see that /etc/passwd is world-writable.

We can add another user with root privileges, using the openssl tool to generate the password hash.

Here, the user we are adding is hacker and the password is also hacker.

Format the above output as follows and append it to the /etc/passwd file.

Then
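From the defender's side, both the misconfiguration used here (a world-writable /etc/passwd) and its result (a second UID 0 account carrying its own password hash) are straightforward to audit for. The script below is an added example, not part of the original walkthrough; the function names, the sample entries (UIDs, the placeholder hash) and the set of accepted password-field markers are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample in passwd format; the hash is a placeholder, not a real value.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
falaraki:x:1000:1000::/home/falaraki:/bin/bash
hacker:$1$CONSTRUCTED$placeholderhash0000000:0:0:root:/root:/bin/bash
"""

OK_PW = ("x", "*", "!")  # assumption: markers meaning "see /etc/shadow" or "locked"

def audit_passwd(path):
    """Return a list of findings for a passwd-format file."""
    findings = []
    mode = os.stat(path).st_mode
    # Anyone who can write this file can add or alter accounts.
    if mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable (mode {stat.S_IMODE(mode):o})")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            fields = line.rstrip("\n").split(":")
            if len(fields) != 7:
                continue  # blank or malformed line
            name, pw, uid = fields[0], fields[1], fields[2]
            # UID 0 is root regardless of the account name.
            if uid == "0" and name != "root":
                findings.append(f"line {n}: extra UID 0 account '{name}'")
            # A hash (or empty field) here is honoured without consulting /etc/shadow.
            if pw not in OK_PW:
                findings.append(f"line {n}: '{name}' has its own password field in passwd")
    return findings

def demo():
    """Audit the constructed sample, written with the insecure mode 0666."""
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o666)
    try:
        return audit_passwd(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call `audit_passwd("/etc/passwd")`; the expected mode is 644 with owner root, and an empty result means none of these three conditions were found.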

