EnumerationِNmap TIME!.
![Scanning-0]()
ِِِAs you can see 80,22,8080 are open.
Let`s start checking
![http-1]()
![8080-2]()
ِAfter some recon i didn`t found anything in 8080.
ِBut i searched for megahosting exploit i found LFI so let`s try it.
![LFI-3]()
ِBANG ! , we got credentials.
After some search i found out that we can have a reverse shell by uploading it to manager page
Exploitation ![To-Create-Payload-and-upload-it-3]()
ِAfte uploading our shell let`s execute it.
![executing-the-payload-4]()
![LISTENING-34-N-A5-OSH-3-LA-L-MAKNA-5]()
After some recon i found a backup file at /var/www/html
So i made an http server to download it to my machine and crack it
Let`s crack it with FCRACKZIP
![Crack-Backup-Zip-File]()
Privilege EscalationI didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
![User-hasheno]()
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![BUILDING-L-H3-ML-BEH-PRIV-ESC]()
![start-server-to-priv-escalation]()
![Rooted]()
Thanks for Reading 🙏
ِNmap TIME!.
ِِِAs you can see 80,22,8080 are open.
Let`s start checking
ِAfter some recon i didn`t found anything in 8080.
ِBut i searched for megahosting exploit i found LFI so let`s try it.
ِBANG ! , we got credentials.
After some search i found out that we can have a reverse shell by uploading it to manager page
Exploitation ![To-Create-Payload-and-upload-it-3]()
ِAfte uploading our shell let`s execute it.
![executing-the-payload-4]()
![LISTENING-34-N-A5-OSH-3-LA-L-MAKNA-5]()
After some recon i found a backup file at /var/www/html
So i made an http server to download it to my machine and crack it
Let`s crack it with FCRACKZIP
![Crack-Backup-Zip-File]()
Privilege EscalationI didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
![User-hasheno]()
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![BUILDING-L-H3-ML-BEH-PRIV-ESC]()
![start-server-to-priv-escalation]()
![Rooted]()
Thanks for Reading 🙏
ِAfte uploading our shell let`s execute it.
After some recon i found a backup file at /var/www/html
So i made an http server to download it to my machine and crack it
Let`s crack it with FCRACKZIP
Privilege EscalationI didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
![User-hasheno]()
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![BUILDING-L-H3-ML-BEH-PRIV-ESC]()
![start-server-to-priv-escalation]()
![Rooted]()
Thanks for Reading 🙏
I didn`t find anything interesting in the file , In the recon phase i found ash user so i tried the password on it
BAM ! , we logged in and got user hash
I found this article about LXD privilege escalation and knowing that the user is in LXD group lxd privilege escalation
Let`s build !
![BUILDING-L-H3-ML-BEH-PRIV-ESC]()
![start-server-to-priv-escalation]()
Thanks for Reading 🙏
