bash Copy Code Copied ./usr/local/bin/scrambled /tmp/exploit.sh This will set the setuid bit on the /bin/bash shell, allowing us to execute it as the root user.
bash Copy Code Copied curl -s http://scrambled.htb/scrambled.db -o scrambled.db sqlite3 scrambled.db Upon analyzing the database, we find a table called users with a single row containing a username and password. We can use the credentials found in the database to log in to the web interface. However, we need to find a way to execute commands on the system. scrambled hackthebox
bash Copy Code Copied echo -e “GET / HTTP/1.1 Host: scrambled.htb ” | nc 10.10 .11.168 8080 However, the service seems to be filtering out certain characters. After some trial and error, we find that we can bypass the command injection filters by using a combination of URL encoding and piping commands. bash Copy Code Copied
bash Copy Code Copied echo “10.10.11.168 scrambled.htb” >> /etc/hosts nmap -sV -sC -oA initial_scan 10.10 .11.168 The nmap scan reveals that the box is running SSH, HTTP, and an unknown service on port 8080. Let’s explore the web interface running on port 80. However, we need to find a way to
bash Copy Code Copied nc 10.10 .11.168 8080 The service appears to be a simple TCP service that accepts and executes shell commands.
bash Copy Code Copied curl http://scrambled.htb The web interface appears to be a simple login page. We can try to brute-force the login credentials using a tool like hydra .
bash Copy Code Copied ./usr/local/bin/scrambled The binary appears to be a simple C program that executes a shell command.