Quackerjack 🔸

Enumeration

On port 8081 we have an rConfig service.

Searching for an exploit, we find:

Initial Access

The problem is that the final step, the execution of the reverse shell, is not working.

So we are going to log in with the created user and use another exploit from the inside.

https://gist.github.com/FlatL1neAPT/c2a339ca76d0db05a281f2e6e77ad56c

So upload a shell.php in vendors, capture the request with Caido and set the Content-Type to image/gif, then go to /images/vendor/shell.php to get a reverse shell.
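The upload step above works because the Content-Type header sent by the client is accepted as proof of the file type. As an added example (not code from rConfig or from the linked exploit), this Python sketch contrasts that weak check with a server-side check on extension and leading bytes; the allow-list, function names and sample uploads are assumptions constructed for illustration.

```python
import os
import uuid

# Assumed allow-list: extension -> (MIME type, accepted magic-byte prefixes)
ALLOWED = {
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

def naive_check(filename, claimed_type, data):
    """Weak form: trusts the client-supplied Content-Type alone."""
    return claimed_type in {mime for mime, _ in ALLOWED.values()}

def check_upload(filename, claimed_type, data):
    """Hardened form: returns (ok, reason) from extension and content."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r not allowed" % ext
    mime, magics = ALLOWED[ext]
    if claimed_type != mime:
        return False, "Content-Type does not match extension"
    if not data.startswith(magics):
        return False, "content does not match extension"
    return True, "ok"

def stored_name(filename):
    """Server-chosen name: the client's name never reaches the disk."""
    ext = os.path.splitext(filename)[1].lower()
    return uuid.uuid4().hex + ext

# Constructed sample uploads: (filename, Content-Type, first bytes)
SAMPLES = [
    ("shell.php", "image/gif", b"<?php /* placeholder */ ?>"),
    ("logo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00"),
    ("logo.gif", "image/gif", b"<?php /* placeholder */ ?>"),
]

if __name__ == "__main__":
    for fname, ctype, body in SAMPLES:
        print(fname, naive_check(fname, ctype, body),
              check_upload(fname, ctype, body))
```

A file that starts with a valid GIF header and carries script text after it still passes the content check, so uploads should also be stored outside any directory where the web server executes scripts.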

Get the flag.

Privilege Escalation

Get credentials.

Inside MySQL we have the admin user.

Using hashcat.

Looking for SUID, we find:

Post Exploitation

Get the flag.