Summary
In this post, we covered web application enumeration using FFUF and Gobuster as tools for this purpose. We proceeded further by re-using credentials and established foothold on the machine. Privilege escalation was performed by editing the base64 library file base64.py that’s used by a python script running as a cron job by the root user.
The target is a Linux computer that is running a web server. After some enumeration, we discover a note that discloses the location of a hidden login page. This page uses clientside javascript code for authentication, allowing us to read clear text credentials. We use these credentials to log into an FTP server, where we discover some pcap files. Inside one of the captures, we discover additional credentials that work for ssh. We use strings to obtain the password and access a different user after gaining access to the machine and finding a binary that checks for the username and password. We write the latter to obtain root access since a python file that is executed by a cronjob every minute imports a writable library.
