TCM Security — Practical Ethical Hacking Course — Dev Walkthrough
I first did the classic scanning and enumeration, that is, ARP scanning and NetDiscover:
Then I scanned the machine using Nmap and got the following results:
So here we got ssh, nfs, http and mountd open. Now I started the FFuF scan to learn about the directories present on the machine. I found:
Then I jumped onto the web app and found out that BoltWire was not installed correctly.
Then I saw that I could mount the machine with my Kali. So I first used showmount, which gave me info like this:
So, I created a directory on my Kali as /mnt/dev. When I checked the files and directories present, I found a zip file.
Now, to unzip the file I required a password, so I installed fcrackzip. I then gave it the famous RockYou wordlist and it found me the password for the zip file.
After checking that, I got the message from the developer, which was saved as todo.txt. This file gave me a clear indication that BoltWire is working fine and that I need to exploit it. Also, it had the signature jp, which gave us a clear indication of the user who would have a login to the machine.
I then searched for an exploit for BoltWire and found:
So, I searched for it and applied that in the URL. BOOM, I got the password list for the machine.
After this I started exploring more of the directories that I got. I found out that there is an /app/config directory, and I found a config.yml file.
There I found a potential database password:
Then I used this information to log in over SSH. I got the attempt correct and was logged in.
But I only had sudo permission for zip. I went to the website: https://gtfobins.github.io/
I found out that I could now get sudo permissions at the shell. So I used it and got a flag with the text:
Thank you ✨!
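Two of the conditions this walkthrough depended on, an NFS export that an outside host could mount and a sudo rule for zip, can be audited on your own systems. The script below is an added example, not part of the original write-up; the sample inputs, paths, the binaries listed besides zip, and the extra no_root_squash check are assumptions that go slightly beyond what the walkthrough shows.

```python
# Binaries with documented sudo shell escapes on GTFOBins. zip is the one
# from the walkthrough; the rest are an assumed, non-exhaustive sample.
SHELL_ESCAPE_BINARIES = {"zip", "tar", "find", "vim", "less", "awk"}

# Constructed sample inputs (not taken from the Dev machine).
SAMPLE_EXPORTS = """\
# /etc/exports
/srv/nfs 172.16.0.0/12(rw,sync) *(rw,no_root_squash)
/srv/backup 10.0.0.5(ro,root_squash)
"""
SAMPLE_SUDO_L = """\
User jp may run the following commands on dev:
    (root) NOPASSWD: /usr/bin/zip
"""

def audit_exports(text):
    """Return (path, client, reason) for risky entries in /etc/exports text."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, rest = client.partition("(")
            host = host or "*"  # "(rw)" with no host applies to everyone
            opts = rest.rstrip(")").split(",")
            if host == "*":
                findings.append((path, host, "exported to any host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
    return findings

def audit_sudo_list(text):
    """Return (runas, command) for `sudo -l` entries that allow a shell escape."""
    import re
    findings = []
    for line in text.splitlines():
        # Matches "(runas) TAG: TAG: cmd, cmd"; the header line is skipped.
        m = re.match(r"\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(.+)", line)
        if not m:
            continue
        for cmd in m.group(2).split(","):
            parts = cmd.split()
            name = parts[0].rsplit("/", 1)[-1] if parts else ""
            if name == "ALL" or name in SHELL_ESCAPE_BINARIES:
                findings.append((m.group(1), cmd.strip()))
    return findings
```

Feed `audit_exports` the contents of `/etc/exports` and `audit_sudo_list` the output of `sudo -l -U <user>` for each account; any finding is a rule to narrow or remove.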