Hunit 🔸

Enumeration

We have a blog at port 8080.

At port 1830 there is a game.

In the source code of a post on port 8080 we see...

Now we can fuzz with feroxbuster.

The path that works is /api/?:

[
  {
    "login": "rjackson",
    "password": "yYJcgYqszv4aGQ",
    "firstname": "Richard",
    "lastname": "Jackson",
    "description": "Editor",
    "id": 1
  },
  {
    "login": "jsanchez",
    "password": "d52cQ1BzyNQycg",
    "firstname": "Jennifer",
    "lastname": "Sanchez",
    "description": "Editor",
    "id": 3
  },
  {
    "login": "dademola",
    "password": "ExplainSlowQuest110",
    "firstname": "Derik",
    "lastname": "Ademola",
    "description": "Admin",
    "id": 6
  },
  {
    "login": "jwinters",
    "password": "KTuGcSW6Zxwd0Q",
    "firstname": "Julie",
    "lastname": "Winters",
    "description": "Editor",
    "id": 7
  },
  {
    "login": "jvargas",
    "password": "OuQ96hcgiM5o9w",
    "firstname": "James",
    "lastname": "Vargas",
    "description": "Editor",
    "id": 10
  }
]
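
The response above returns every user's password alongside the profile data. As an added example (not part of the original write-up, and not the application's own code), this Python sketch shows the defensive side: a check that flags credential-like keys in a JSON response, and an allowlist serializer that keeps them out. The key list, the allowlist and the sample records are assumptions constructed for illustration.

```python
import json

# Key names that should never appear in an API response (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "private_key"}
# Fields a public user listing may expose (assumed allowlist for this record shape).
PUBLIC_USER_FIELDS = ("id", "firstname", "lastname", "description")


def find_sensitive_paths(node, path="$"):
    """Walk decoded JSON and return the paths of credential-like keys.

    Only paths are returned, never values, so the report itself is safe to log.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_paths(item, f"{path}[{index}]"))
    return hits


def serialize_public_user(record):
    """Build the response from an allowlist, so new columns are private by default."""
    return {field: record[field] for field in PUBLIC_USER_FIELDS if field in record}


# Constructed sample with the same shape as the response above; values are placeholders.
SAMPLE_BODY = json.dumps([
    {"login": "user1", "password": "PLACEHOLDER-1", "firstname": "A",
     "lastname": "One", "description": "Editor", "id": 1},
    {"login": "user2", "password": "PLACEHOLDER-2", "firstname": "B",
     "lastname": "Two", "description": "Admin", "id": 2,
     "profile": {"Token": "PLACEHOLDER-3"}},
])

if __name__ == "__main__":
    records = json.loads(SAMPLE_BODY)
    for hit in find_sensitive_paths(records):
        print("credential field exposed:", hit)
    safe = [serialize_public_user(r) for r in records]
    print(json.dumps(safe, indent=2))
```

Running the same check in an integration test against every API route catches this class of leak before release; the allowlist also drops the login name, which here doubled as a system account name.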

Initial Access

SSH in with the admin account from before and...

Get the flag.

Privilege Escalation

We transfer linpeas and find...

We can pivot to the user git using the private key, but we can't run commands.

With the private key, we can execute git commands, such as cloning the server repo.

We can put a command in backups.sh, which is executed every 3 minutes.

Wait and check /bin/bash.

Post Exploitation

Get the flag.