Codify
Initial Scan
HTTP
Had to edit the hosts file to get the webpage
Checking out their About Us page
whoami shows us the svc user. Also, looking at /etc/passwd, we see an additional user, joshua
BruteForce
Trying to run Hydra against the user joshua for a password
joshua:spongebob1
Obtaining shell
Running it normally didn't work so I encoded it
Full command
Foothold
We have a shell as svc
Seeing what permissions we have
User Flag
After getting into a shell from the svc user, I got joshua's password with hydra.
User flag: c53cdd4688463871ba3f4020ab6f3ccb
Priv Esc
We have the note "User joshua may run the following commands on codify: (root) /opt/scripts/mysql-backup.sh", so we look at the shell file
Running that as root, we get
Root pass: kljh12k3jhaskjh12kjh3
Root flag: 4e43f866588b3b3433196af3cef8b768