top of page
Search

CengBox: 1 Vulnhub Walkthrough

Updated: Jun 5, 2020

Walkthrough of vulnerable machine CengBox . It is a intermediate level machine!

you can download this box from vulnhub.


IP of the target : 192.168.43.133

First of all we run nmap to find open ports and services running in the target system using the command .


nmap -sC -sV -Pn -p- 192.168.43.133

now lets enumerate the port 80 to find something useful .

That's all we have on port 80 :(

Now we decided to run dirb to find hidden directories and webpages using the command .


dirb http://192.168.43.133 /usr/share/wordlists/dirb/big.txt

/masteradmin/ looks interesting . Lets again use the dirb tool using the command 


dirb http://192.168.43.133/masteradmin/ /usr/share/wordlists/dirb/big.txt -X .php

lets open the login page /masteradmin/login.php

try some basic SQL injection payload . Started ,with 1' or '1'='1'# as username and password and yes we succeed.

lets upload a .php file ( I know this will not work but my brain said : Try this )

Okay , now what is .CENG file I searched on the internet about this file extension but found nothing and after a lot of thinking ( not really) we changed the .php to .php.ceng and again tried to upload the file , and yes this time we succeed in uploading the file , Now lets visit the URL /uploads/my.php.ceng to execute our shell code

and yes we are in as user www-data. now changed directory to /home and found one user there name cengover . If we go back to our notes then there is db.php in /masteradmin/ . So by changing the directory to /var/www/html/masteradmin/ we read the content of db.php file and found some creds there.

we used this password to login into mysql and found something interesting there

we tried this password for user cengover and we are in as user cengover

we checked for user permissions but nothing and no SUID binary , now I transferred pspy64 in /tmp and after running this binary we found a cronjob.

we change our directory to /opt/ and found there a python file which is writable

we edit the file with a quick reverse shell.

And 2000 years later we got root!