Tenderfoot vulnhub writeup

Oline77

Tenderfoot box

First, scan the local network with the command sudo netdiscover to find the Tenderfoot IP.

I started by scanning the target machine for any open ports and services running on those ports using the Nmap tool.

nmap -p- -A <IP>

port 80 and port 80 are open

Start with a quick dirb scan of the HTTP website:

We found an interesting /entry.js, whose source code gives us this user: monica. Don’t forget it.

Let’s start a new web enumeration. Download this wordlist and use it with gobuster.

gobuster dir --url http://<IP>/ --wordlist=/home/kali/Documents/big-dirbuster.txt -x js,php,txt,html,/ -t 100

In the /fotocd source code, we found this:

It’s Brainfuck code. Decode it with this online tool. It gives us the following message:

=================
JDk5OTkwJA==
=================
Did you found username ?
if yes:
Then you have cred. of one user, enter into user account
by ssh port. syntax:{ssh username@IP}
if not:
Then enumerate more :)
G00D LUCK !

We have one username, let’s decode the base64 code.

echo "JDk5OTkwJA==" | base64 -d
>$99990$

Now we have a username and password for SSH login: monica:$99990$

Works!

Open the user1 flag:

To list all files in /monica, use the following command. -R lists subdirectories recursively.

ls -Ra

We found a note.txt.

Open it:

note.txt gives us the password to unzip joey.zip. Download joey.zip and unzip it with the command unzip joey.zip and the password #9175.

Now we need to crack gift.zip. We are going to use fcrackzip with the rockyou.txt list.

fcrackzip -u -D -p '/home/kali/Documents/rockyou.txt' gift.zip

Works!

The extracted message tells us to find SUID or binaries, using this command:

find / -type f -perm /6000 -ls 2>/dev/null

Interesting: /opt/exec/chandler

We run it and a bash shell spawns.

/opt/exec/chandler
We are now the chandler user.
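
From the defender's side, the same find query can drive an audit that would catch a binary like /opt/exec/chandler. The added example below is not part of the original writeup: it lists setuid/setgid files that are missing from a reviewed baseline. It assumes GNU find and stat; the function name audit_setid and the baseline file format (one approved absolute path per line) are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original writeup): report setuid/setgid files
# that are not listed in a reviewed baseline.
#
# audit_setid ROOT BASELINE
#   ROOT     - directory tree to scan (hypothetical parameter)
#   BASELINE - text file, one approved absolute path per line (assumed format)
# Prints "UNAPPROVED <octal mode> <owner> <path>" per finding.
# Returns 0 if every setid file is approved, 1 if any is not, 2 on setup error.
audit_setid() {
    root=$1
    baseline=$2
    status=0
    [ -d "$root" ] && [ -r "$baseline" ] || return 2
    tmp=$(mktemp) || return 2

    # -perm /6000 matches the setuid OR setgid bit, as in the command above.
    # -xdev keeps the scan on one filesystem (skips /proc, network mounts).
    find "$root" -xdev -type f -perm /6000 2>/dev/null > "$tmp"

    while IFS= read -r path; do
        # -x whole-line match, -F fixed string: paths are never read as regexes.
        if ! grep -qxF -- "$path" "$baseline"; then
            # GNU stat: %a = octal mode (4755 means setuid), %U = owner name.
            printf 'UNAPPROVED %s %s\n' "$(stat -c '%a %U' "$path")" "$path"
            status=1
        fi
    done < "$tmp"

    rm -f "$tmp"
    return "$status"
}

# Typical use (paths are placeholders):
#   audit_setid / /etc/setid-baseline.txt || echo "review the findings above"
```

A setid file outside the package-managed directories, such as one under /opt that is owned by an ordinary user, is the kind of finding to review first.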

Now cd to /home/chandler/.cache/. There are 3 files; open note.txt:

Decode the base32 password:

echo "OBQXG43XMQ5FSMDVINZDIY3LJUZQ====" | base32 -d
>passwd:Y0uCr4ckM3

And it’s time to be root. Exit our shell as chandler by authenticating as chandler with su chandler and the password Y0uCr4ckM3. With sudo -l we see that we can execute ftp as root. On this site, we found an exploit with ftp; let’s use it:

Root!
cd /root
cat *

…well done