This is EVILBOX: ONE from VulnHub.
I’ve been busy, super tired and yeah whatever let’s make excuses. Nah. This box is easy rated and it is genuinely easy.
Ports
HTTP and SSH.
HTTP
Quick bit of feroxbusting:
What does evil.php give us?
Not much. Let’s get fuzzing. I use Burp Turbo Intruder:
GET /secret/evil.php?%s=/etc/passwd HTTP/1.1
We find:
http://192.168.1.92/secret/evil.php?command=/etc/passwd
Works. We have a user, mowree. Let’s look…
GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1
Yep. It’s encrypted. Copy and break:
We can SSH in.
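Seen from the defender's side, the parameter-name fuzzing and the two file reads above leave a recognisable pattern in the web server's access log. The following is an added example, not part of the original write-up: it parses Apache-style log lines and flags both the fuzzing burst and the requests that returned file content. The log lines, client addresses, response sizes, threshold and function names are constructed assumptions, including the assumption that a wrong parameter name yields an empty 200 response.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not captured from the box).
SAMPLE_LOG = """\
192.168.1.50 - - [01/Jan/2022:10:00:01 +0000] "GET /secret/evil.php?file=/etc/passwd HTTP/1.1" 200 0
192.168.1.50 - - [01/Jan/2022:10:00:01 +0000] "GET /secret/evil.php?page=/etc/passwd HTTP/1.1" 200 0
192.168.1.50 - - [01/Jan/2022:10:00:02 +0000] "GET /secret/evil.php?path=/etc/passwd HTTP/1.1" 200 0
192.168.1.50 - - [01/Jan/2022:10:00:02 +0000] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1398
192.168.1.50 - - [01/Jan/2022:10:01:10 +0000] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1743
192.168.1.77 - - [01/Jan/2022:10:02:00 +0000] "GET /index.html?lang=en HTTP/1.1" 200 10701
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Parameter values that point at local files a web page has no reason to serve.
SENSITIVE_RE = re.compile(r'(\.\./|^/etc/|^/proc/|/\.ssh/|^(php|file)://)', re.I)
FUZZ_THRESHOLD = 3  # assumed: distinct parameter names per client and script


def analyse(log_text):
    """Return (fuzzers, reads): parameter-name fuzzing and likely successful file reads."""
    names = defaultdict(set)   # (client, path) -> parameter names tried
    reads = []                 # (client, path, param, value) with a non-empty 200 body
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status, size = m.groups()
        url = urlsplit(target)
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            if not SENSITIVE_RE.search(value):
                continue
            names[(client, url.path)].add(param)
            if status == "200" and size.isdigit() and int(size) > 0:
                reads.append((client, url.path, param, value))
    fuzzers = {k: sorted(v) for k, v in names.items() if len(v) >= FUZZ_THRESHOLD}
    return fuzzers, reads


if __name__ == "__main__":
    fuzzers, reads = analyse(SAMPLE_LOG)
    for (client, path), params in fuzzers.items():
        print(f"param fuzzing: {client} -> {path} tried {params}")
    for client, path, param, value in reads:
        print(f"file read: {client} -> {path}?{param}={value}")
```

A non-empty response to a request whose parameter value is a local file path is the signal worth alerting on; the fuzzing burst alone only shows probing.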
Root
Check sudo -l; nope. Nothing in /etc/crontab, nothing else on the web. No other users. Run linpeas - writeable /etc/passwd.