As usual, we start with an Nmap scan.
There's the faculty.htb domain running on port 80, which we can add to the /etc/hosts file.
A basic PHP login page for a Faculty Scheduling System is present here:
Checking for common directories such as the /admin endpoint reveals another login page.
Proxying the traffic through Burp and sending a ' character as the username triggers an SQL error.
Now that we have confirmed SQL injection is present, we can dump all the tables in the database using sqlmap.
The users table has an Administrator user with a hashed password; however, the hash cannot be cracked.
In this case, we can dump the faculty table instead and attempt to log in via the original login method. There's a PIN associated with the Administrator user, and we can use that to log in.
Within the website, there's a PDF generator that displays certain courses.
We can download this PDF and use exiftool to find out more about it.
mPDF 6.0 is vulnerable to an LFI exploit that allows us to read files on the server. To use it, we have to send this payload encoded with Base64:
This loads a PDF that contains the /etc/passwd file.
The /etc/passwd file is attached to the main PDF like this:
We can then read it to find out which users are present on the machine.
From here, we can try to find an admin.php or db.php file on the machine to obtain some credentials. A quick gobuster scan reveals a db_connect.php file that we can read to find a password.
With this, we can SSH in as the gbyolo user using the password found.
The other user on the machine is the developer user. Checking the sudo privileges of the gbyolo user, we find this:
meta-git is a binary that allows us to clone repos just like git. However, this version was vulnerable to an RCE exploit, meaning we can execute commands as developer.
Using the PoC, we can read the id_rsa file from the user's home directory.
Then, we can SSH in as developer.
Initial enumeration reveals that the developer user is part of the debug group.
Running LinPEAS also reveals that we can run GDB because we are part of the debug group.
In this case, gdb can be used to attach to a process running as root and make it spawn child processes. Those child processes also run as root, so this effectively gives us RCE as root. Attaching pauses the target process, and from there we can make the root process call whatever functions we want.
First, we need to find a process running as root, preferably a Python or Bash one, so we can execute commands easily.
The PID in this case is 621, so we can run gdb -p 621 to attach to it. Afterwards, I called the system() function to spawn a reverse shell as root.
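From the defender's side, the conditions behind this last step are easy to audit. The script below is an added example, not part of the writeup; it assumes a Linux host, takes the group name and debugger path as parameters, and assumes (the writeup does not say) that a group-restricted gdb reaches root-owned processes through a cap_sys_ptrace file capability on the binary.

```sh
#!/bin/sh
# Defender-side audit helper (added here; not from the writeup). Assumptions:
# a Linux host, the debugger group name and binary path are parameters, and the
# way a group-restricted gdb reaches root-owned processes is a cap_sys_ptrace
# file capability on the binary, which the writeup does not state.

# Print the Yama ptrace_scope value read from FILE (default: the live sysctl),
# or "missing" when Yama is absent. 0 = any same-uid process may be attached,
# 1 = only descendants, 2 = admin only, 3 = no attach at all.
ptrace_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

# Print the member list of GROUP from GROUPFILE (default /etc/group).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

# Succeed (exit 0) when USER appears in GROUP's member list.
user_in_group() {
    group_members "$2" "$3" | tr ',' '\n' | grep -qx "$1"
}

# Print the file capabilities of BINARY, or nothing if getcap is unavailable.
binary_caps() {
    command -v getcap >/dev/null 2>&1 && getcap "$1" 2>/dev/null || true
}

# Classify USER's debugger access; CAPS is the getcap output for the debugger.
#   exposed : in the group and the binary carries cap_sys_ptrace, so the user
#             can attach to root-owned processes (the path used above)
#   review  : in the group but no ptrace capability seen; check how the group
#             is granted debugger access (sudo rules, setgid wrappers, etc.)
#   ok      : not in the group
audit_debug_access() {
    user="$1"; grp="$2"; gfile="$3"; caps="$4"
    if ! user_in_group "$user" "$grp" "$gfile"; then echo ok
    elif echo "$caps" | grep -q cap_sys_ptrace; then echo exposed
    else echo review; fi
}

# Live run against the real host (reports the scope, then the verdict):
# ptrace_scope
# audit_debug_access developer debug /etc/group "$(binary_caps "$(command -v gdb)")"
```

An "exposed" verdict means a member of that group can debug root-owned processes, which is the root-shell path shown above; removing the capability from the binary or the user from the group closes it.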