This is EVILBOX: ONE from VulnHub.
I’ve been busy, super tired and yeah whatever let’s make excuses. Nah. This box is easy rated and it is genuinely easy.
HTTP and SSH.
Quick bit of feroxbusting:
What does evil.php give us?
Not much. Let’s get fuzzing. I use Burp Turbo Intruder:
GET /secret/evil.php?%s=/etc/passwd HTTP/1.1
Works. We have a user, mowree. Let’s look…
GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1
Yep. It’s encrypted. Copy and break:
We can SSH in.
Check sudo -l; nope. Nothing in /etc/crontab, nothing else on the web. No other users. Run linpeas: writeable /etc/passwd.
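From the defender's side, the parameter-name fuzzing and file reads against /secret/evil.php shown above leave a clear trace in the web server access log. The following is an added example, not part of the original write-up, that flags both patterns; the log lines, response sizes, threshold and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format), not captured from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /secret/evil.php?id=/etc/passwd HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /secret/evil.php?file=/etc/passwd HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /secret/evil.php?page=/etc/passwd HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1398
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 1743
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html?lang=en HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')
# Parameter values that look like a local path to sensitive material.
SENSITIVE_RE = re.compile(r"(^|/)etc/(passwd|shadow)$|/\.ssh/|(\.\./){2,}")


def analyse(log_text, fuzz_threshold=3):
    """Return (file_read_hits, fuzzing_clients) found in log_text."""
    hits = []                    # (client, path, param, value, response size)
    names = defaultdict(set)     # (client, path, value) -> parameter names seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, _status, size = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            names[(client, url.path, value)].add(name)
            if SENSITIVE_RE.search(value):
                hits.append((client, url.path, name, value, int(size)))
    # Same client, path and value under many parameter names: name fuzzing.
    fuzzers = {k: sorted(v) for k, v in names.items() if len(v) >= fuzz_threshold}
    return hits, fuzzers


if __name__ == "__main__":
    hits, fuzzers = analyse(SAMPLE_LOG)
    for h in hits:
        print("sensitive path in parameter:", h)
    for (client, path, value), params in fuzzers.items():
        print(f"parameter-name fuzzing from {client} on {path}: {params}")
```

A hit with a non-zero response size is the one to triage first, since it suggests the file contents were actually returned.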