Nmap scan:
Port 5000 presented a website where we could use tools like nmap and msfvenom:
We can try it out and it works:
I tested all forms of command injection, but nothing worked. So, I started checking whether the tools themselves had exploits, and I was surprised to see that msfvenom was exploitable:
We just need to replace the payload in the PoC with a reverse shell and generate the APK file:
Afterwards, we upload this APK as the template file in the website's msfvenom form and change the LHOST to our IP address, so the injected command reaches back to us when msfvenom processes the template:
Then we would get a shell:
There was another user named pwn on the machine, so that's probably the next path. Within the home directory of pwn, we can see two other files:
The bash script was running some kind of logger that reads entries from /home/kid/logs/hackers and executes commands based on them. Take note that this file sits under our own home directory, so we control its contents.
Now, we can see that the ${ip} variable is not sanitised and is interpolated into a string that is run with sh -c, so whatever we put in the ip field is re-parsed by a shell. This is our RCE point. Some testing revealed that the format of the log written is [2021-05-28 12:37:32.655374] 10.10.16.9, i.e. a bracketed timestamp followed by the address. We can append a reverse shell to the end of such a line, after the address, and the shell will run it as a separate command:
After echoing it into the log file, we gain another reverse shell:
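To make the injection point concrete, here is an added example of my own; it is not the logger script from the machine. It models the pattern described above: a line of the form [2021-05-28 12:37:32.655374] 10.10.16.9 is read back, the text after the timestamp is treated as the ip, and that value is interpolated unquoted into a sh -c string, next to a hardened version that validates the field and never hands it to a shell. The names scan_unsafe, scan_safe, is_ipv4 and SAMPLE_LOG are mine, the assumption that the field is everything after the two timestamp fields is mine, and echo stands in for the real scanner so the block is harmless to run.

```shell
#!/bin/sh
# Added example, not the script from the machine. It models the pattern the
# writeup describes: a log line "[2021-05-28 12:37:32.655374] 10.10.16.9" is read
# back, the part after the timestamp is treated as the ip, and that value is
# interpolated unquoted into a `sh -c` command string. Assumptions (not from the
# page): the field is everything after the two timestamp fields, and the real
# scanner command is replaced by `echo` so the block is harmless to run.

# Constructed log: one normal entry, plus the kind of entry an attacker appends.
# Everything after the address rides along into the shell command.
SAMPLE_LOG='[2021-05-28 12:37:32.655374] 10.10.16.9
[2021-05-28 12:38:01.000000] 10.10.16.9 ;echo INJECTED'

# Vulnerable pattern: ${ip} is expanded inside the string handed to sh -c, so the
# inner shell re-parses it. With the crafted entry, "echo INJECTED" runs as a
# second command.
scan_unsafe() {
    printf '%s\n' "$1" | cut -d' ' -f3- | while read -r ip; do
        sh -c "echo scanning ${ip}"
    done
}

# Strict IPv4 check: four dot-separated decimal octets of at most three digits,
# each in the range 0-255, and no other characters at all.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hardened pattern: validate the field first, then pass it as a single quoted
# argument so no shell ever re-parses its contents. Anything that is not a plain
# address is reported and skipped.
scan_safe() {
    printf '%s\n' "$1" | cut -d' ' -f3- | while read -r ip; do
        if is_ipv4 "$ip"; then
            echo scanning "$ip"
        else
            echo "rejected: $ip" >&2
        fi
    done
}

scan_unsafe "$SAMPLE_LOG"
scan_safe "$SAMPLE_LOG"
```

Running it prints three lines from scan_unsafe (the second entry produces both "scanning 10.10.16.9" and "INJECTED") but only one from scan_safe, with the crafted entry rejected on stderr. The fix is the validation plus quoting; quoting alone would still pass a crafted string to the scanner as an argument, so both halves matter.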
When checking sudo privileges, we see that we can run msfconsole as root.
The thing about msfconsole is that it passes anything typed at its prompt that it does not recognise as one of its own commands straight to the system shell, so any shell command we enter runs with the privileges of the msfconsole process. In short, we have root privileges just by running sudo msfconsole and then a shell command at the msf prompt:
Rooted!