Vuln Netggg

Uploaded by

aymanohod
Copyright
© © All Rights Reserved

To start, the first thing I used was Nmap:

nmap [IP] -sCV

I have 2 ports:
22 SSH
80 HTTP
After I wrote the IP and the site name vulnnet.thm in /etc/hosts, I could go to the website.
I didn't find anything useful on the website, so I ran feroxbuster to search for directories.
Again there was nothing interesting that could help me, so I then used the gobuster tool to search for
subdomains of vulnnet.thm.
I found these subdomains: admin1, api, shop and blog. In admin1.vulnnet.thm I found this:

So now I used feroxbuster again on the new URL, admin1.vulnnet.thm.

I found these paths:

fileadmin, index.php and typo3.
fileadmin had _timp_ and user_upload.
And typo3 had sysext/backend/.
At admin1.vulnnet.thm/typo3 I found a login page.

And at http://admin1.vulnnet.thm/typo3/sysext/backend/ I found this:

Here I moved to the other subdomains and started with the blog subdomain.
In blog.vulnnet.thm I didn't see anything interesting, but in the source code of the first post I
found this =>
“getJSON('http://api.vulnnet.thm/vn_internals/api/v2/fetch/?blog=1',
function(err, data)”

I checked this for SQL injection and it worked: this URL had a SQL injection, so I used the
sqlmap tool.
First I searched for the tables and columns:
sqlmap -u [URL] --dbs --tables
I found a vn_admin database, a blog database and the information_schema database.
In the vn_admin database I found a be_users table, so I wanted to see that:
sqlmap -u [URL] --dbs -D vn_admin -T be_users --columns
Here I wanted to see the users and the passwords, so I put them in the command:
sqlmap -u [URL] --dbs -D vn_admin -T be_users -C username,password --dump
Now I ran a brute force on the password to use it to connect.
It took too long to crack the password.
Now that we have the password and the username, we can log in to the CMS.

After going through the page, I saw there is an option to upload a file.

So here I wanted to upload a PHP reverse shell; I used the reverse shell code from the pentestmonkey
GitHub.

It gave me an error when I uploaded the PHP file, so I searched and found Configure
Installation-Wide Options in the settings; there I searched for the file Deny setting, deleted it, and then I could upload the
file.

I typed this to start the reverse shell >> http://admin1.vulnnet.thm/fileadmin/user_upload/phpRev.php


I tried to print user.txt but we need permissions, so I found .mozilla/firefox, which maybe stores
personal data, and I took that to my Kali.

Now that I had the file, I needed a tool to decrypt the data from it, so I used firefox_decrypt from
GitHub.

Inside .mozilla/firefox there is a file named profiles.ini; I changed one of the paths inside it to
2fjnrwth.default-release >>>
Now I used this command >>>

python3 firefox_decrypt.py ../.mozilla/firefox

Now I connected over SSH as the system user that had the user.txt file.

And now I can read the user.txt.


ROOT FLAG ➔

Here I tried the find command to search for files or any command that I could use for privilege escalation,

but the getcap command worked, so I used: getcap -r / 2>/dev/null

I searched for openssl =ep


Follow the steps in this page.
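
From the defender's side, the same getcap -r / output can be audited for file capabilities like the openssl =ep entry above, where an empty capability list with "=" grants every capability. The following is an added example, not part of the original write-up: the sample lines and paths are constructed, the list of risky capabilities is the example's own selection, and it assumes one capability clause per line.

```python
import re

# Root-equivalent capabilities; this selection is the example's assumption.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
# One clause: optional comma-separated names, operator, flag letters (e/i/p).
CLAUSE = re.compile(r"^([a-z0-9_,]*)([=+])([eip]+)$")

def parse_getcap_line(line):
    """Return (path, caps, flags) for one getcap line, or None if unparseable."""
    # The clause is the last space-separated token, so paths may contain spaces.
    path, _, spec = line.strip().rpartition(" ")
    if path.endswith(" ="):  # older libcap prints "path = caps"
        path = path[:-2]
    match = CLAUSE.match(spec)
    if not path or not match:
        return None
    names, operator, flags = match.groups()
    if names:
        caps = set(names.split(","))
    elif operator == "=":
        caps = {"ALL"}  # "=ep" style: empty list with '=' means every capability
    else:
        return None
    return path, caps, set(flags)

def audit(getcap_output):
    """List (path, risky_caps) for files whose permitted set holds a risky capability."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None or "p" not in parsed[2]:
            continue
        risky = parsed[1] & (ROOT_EQUIVALENT | {"ALL"})
        if risky:
            findings.append((parsed[0], sorted(risky)))
    return findings

# Constructed sample output; paths are illustrative, not from the target host.
SAMPLE = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/tools/openssl =ep
/usr/local/bin/backup tool cap_dac_read_search+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service+eip
"""
if __name__ == "__main__":
    print("\n".join(f"REVIEW {p}: {', '.join(c)}" for p, c in audit(SAMPLE)))
```

Each reported file can then be checked against the package's expected capabilities and cleared with setcap -r where the capability is not needed.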