
Hunit 🔸

Enumeration

There is a blog on port 8080

On port 1830 there is a game

In the source code of a post on port 8080 we see

Now with feroxbuster we can fuzz

The one that works is /api/?:

[
  {
    "login": "rjackson",
    "password": "yYJcgYqszv4aGQ",
    "firstname": "Richard",
    "lastname": "Jackson",
    "description": "Editor",
    "id": 1
  },
  {
    "login": "jsanchez",
    "password": "d52cQ1BzyNQycg",
    "firstname": "Jennifer",
    "lastname": "Sanchez",
    "description": "Editor",
    "id": 3
  },
  {
    "login": "dademola",
    "password": "ExplainSlowQuest110",
    "firstname": "Derik",
    "lastname": "Ademola",
    "description": "Admin",
    "id": 6
  },
  {
    "login": "jwinters",
    "password": "KTuGcSW6Zxwd0Q",
    "firstname": "Julie",
    "lastname": "Winters",
    "description": "Editor",
    "id": 7
  },
  {
    "login": "jvargas",
    "password": "OuQ96hcgiM5o9w",
    "firstname": "James",
    "lastname": "Vargas",
    "description": "Editor",
    "id": 10
  }
]
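The listing above returns each account's `password` field to an unauthenticated caller. A regression check for that class of leak, written as an added example (not code from the original writeup or the target application): it walks any decoded JSON body, reports the path of every secret-bearing key, and shows an allowlist serializer as the fix. It generalizes beyond the flat listing to nested objects; the key names, the `PUBLIC_FIELDS` allowlist and the sample body are assumptions constructed for the example.

```python
import json

# Key names treated as secret-bearing; an assumption for this example, extend per API.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "private_key"}

# Fields a public user listing may return (assumed allowlist, not from the page).
PUBLIC_FIELDS = ("id", "firstname", "lastname", "description")


def find_sensitive_fields(node, path="$"):
    """Walk decoded JSON and return the path of every non-empty secret-bearing key."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS and value not in (None, ""):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{index}]"))
    return hits


def to_public(record):
    """Serialize by allowlist so newly added model fields never leak by default."""
    return {field: record[field] for field in PUBLIC_FIELDS if field in record}


# Constructed response body with the same shape as the listing above.
SAMPLE_BODY = json.dumps([
    {"login": "auser", "password": "constructed-value-1", "firstname": "A",
     "lastname": "User", "description": "Editor", "id": 1},
    {"login": "buser", "password": "", "firstname": "B",
     "lastname": "User", "description": "Admin", "id": 2,
     "meta": {"Token": "constructed-value-2"}},
])

if __name__ == "__main__":
    records = json.loads(SAMPLE_BODY)
    for hit in find_sensitive_fields(records):
        print("exposed:", hit)
    # After allowlist serialization nothing should be reported.
    print(find_sensitive_fields([to_public(r) for r in records]))
```

Run against every route in an API test suite, a non-empty result from `find_sensitive_fields` fails the build before the endpoint ships.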

Initial Access

SSH with the admin from before and

Get the flag

Privilege Escalation

Transfer linpeas and found

We can pivot to user git using the private key, but we don't have commands

With the private key we can execute git commands, such as cloning the server repo

We can put a command in backups.sh that will be executed every 3 minutes.

Wait and check /bin/bash

Post Exploitation

Get the flag