Hack Fish.io -

After exploring the file system, we discover that the sudo command has been configured to allow the fish user to run any command without a password:

http://10.10.10.15/admin Indeed, we find a simple login form. After attempting some common credentials, we manage to log in using the username admin and password password123 . hack fish.io

http://10.10.10.15/uploads/shell.php A meterpreter shell opens, allowing us to navigate the file system and escalate privileges. After exploring the file system, we discover that

You're interested in writing about Hack The Box's Fish.io, I presume? You're interested in writing about Hack The Box's Fish

We create a PHP reverse shell using a tool like msfvenom :

sudo -u fish /bin/bash Switching to the fish user, we find that the user's home directory contains a config file with sensitive information:

Next, we visit the HTTP service running on port 80: