Vmdak 🔸

Enumeration

Ftp has anonymous access with a jenkins file

Web server shows a prison manag system

Initial Access

Searching for an exploit we have an sql injection

Inside there is a user with a password

malcom:RonnyCache001

And the admin credentials

Now we can upload a php reverse shell using the avatar uploader bypassing the jpg extension like .jpg.php

Privilege Escalation

We see that there is a user we can pivot to: vmdak

Let's try the password from malcom

Get the flag

We can connect via ssh with vmdak and stabilize the shell with python to have a full interactive shell

Prison web has sql credentials

sqlCr3ds3xp0seD

We have jenkins at 8080 and mysql at 3306

In the 3306 db we have malcon data

For jenkins, transfer chisel to the target and make a port forward

Jekins is protected with passwod

Searching jenkins exploits we find a LFI

Run the script with the path for jenkins

Now we can enter

Create a job that puts suid bit to /bin/bash

Build

Let's check

So

Post Exploitation

Get the flag