Nineveh
Gaining Access
Nmap scan:
Port 80
I ran a gobuster scan against the web application on port 80 and found a hidden directory:
When we visit the /department directory, we are presented with a login page:
There was really nothing I could do with this page, so I moved on.
Port 443
I ran another gobuster scan against this site and found some directories:
There was a hidden /db directory. When we visit it, we see a phpLiteAdmin instance:
This was another dead end, however, since we don't have credentials.
Brute Force
Normally, I don't brute force passwords unless it's my last lead, and at this juncture I had no leads. Brute forcing the logins on both pages was successful with the username admin.
With this, we can log in to both services. Port 80 revealed an image:
The notes parameter in the URL is a strong hint of local file inclusion (LFI), which we can confirm by pointing it at another file on the box. Next, we can view the phpLiteAdmin dashboard:
This version of phpLiteAdmin is vulnerable to remote code execution (RCE), and we can follow the PoC here:
On its own, the PoC only gets a PHP file written to disk; something still has to execute it. The LFI on the port 80 dashboard provides exactly that: since the page itself is PHP, including the planted file through the notes parameter runs it.
Now that we have RCE, getting a shell is trivial.
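To make the chain concrete, here is an added example (not code from the original write-up or from the PoC it links) that models the port-80 notes parameter in Python. The real handler is PHP; this only reproduces the path-resolution logic so the vulnerable behaviour and a hardened resolver can be exercised offline. The directory layout, the files/ prefix, the file names and the contents of the planted .php file are all constructed for the demo; the one property carried over from the page is that the phpLiteAdmin step leaves a .php file containing PHP tags somewhere on disk.

```python
# Added example, not code from the original write-up or from the linked PoC.
# Models include("files/" . $_GET["notes"]) on the port-80 page (the "files/"
# prefix is an assumption) and shows why a file planted elsewhere on disk by
# the phpLiteAdmin step gets executed, and what a safe resolver does instead.
import os
import tempfile
from typing import Callable, Optional

NOTES_DIR = "files"  # assumed sub-directory the page prepends to `notes`


def vulnerable_resolve(webroot: str, notes: str) -> str:
    """The attacker controls the tail of the path, so ../ walks anywhere."""
    return os.path.join(webroot, NOTES_DIR, notes)


def hardened_resolve(webroot: str, notes: str) -> Optional[str]:
    """Canonicalise, then require the result to stay inside NOTES_DIR and to
    carry the one extension the feature legitimately serves."""
    allowed = os.path.realpath(os.path.join(webroot, NOTES_DIR))
    candidate = os.path.realpath(os.path.join(allowed, notes))
    if os.path.commonpath([allowed, candidate]) != allowed:
        return None  # escaped the notes directory
    if not candidate.endswith(".txt"):
        return None  # a .php (or anything else) is never a note
    return candidate


def read_via(resolver: Callable[[str, str], Optional[str]],
             webroot: str, notes: str) -> Optional[bytes]:
    """Return the bytes the handler would hand to include(), or None."""
    path = resolver(webroot, notes)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def build_fixture() -> str:
    """Constructed layout: <root>/www is the webroot, <root>/var/tmp holds
    the file the phpLiteAdmin step would have written outside the webroot."""
    root = tempfile.mkdtemp(prefix="nineveh_lfi_")
    os.makedirs(os.path.join(root, "www", NOTES_DIR))
    os.makedirs(os.path.join(root, "var", "tmp"))
    with open(os.path.join(root, "www", NOTES_DIR, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n")
    # A SQLite-looking file with a PHP payload embedded: PHP's include()
    # ignores the leading bytes and executes anything between <?php ... ?>.
    with open(os.path.join(root, "var", "tmp", "planted.php"), "wb") as fh:
        fh.write(b"SQLite format 3\x00" + b"<?php system($_GET['cmd']); ?>")
    return root


def demo() -> dict:
    """Run both resolvers against a benign note and the planted file."""
    root = build_fixture()
    webroot = os.path.join(root, "www")
    traversal = "../../var/tmp/planted.php"  # from www/files/ up to <root>
    return {
        "benign_vulnerable": read_via(vulnerable_resolve, webroot, "notes.txt"),
        "benign_hardened": read_via(hardened_resolve, webroot, "notes.txt"),
        "planted_vulnerable": read_via(vulnerable_resolve, webroot, traversal),
        "planted_hardened": read_via(hardened_resolve, webroot, traversal),
    }


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name:20} -> {content!r}")
```

The vulnerable resolver happily returns the planted file, which is all include() needs to run the payload; the hardened one canonicalises with realpath, rejects anything that leaves the notes directory, and additionally refuses any extension other than the one the feature serves, so even a file written inside the directory with a .php name is never included.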
Privilege Escalation
chkrootkit
When we move to the root of the filesystem, we can find a /report directory, and within it chkrootkit output, confirming that chkrootkit is installed on the machine.
chkrootkit has known local privilege escalation exploits.
We can use one of these to gain a root shell.
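Before reaching for any of those exploits it is worth confirming how chkrootkit is being run on the box, and in particular whether it runs unattended as root, since that is the condition that lets a local privilege escalation in it reach root without waiting on an administrator. The following is an added example (not code from the original write-up): a small parser for system-crontab lines in the /etc/crontab and /etc/cron.d/* format, which carries a user field, that reports which entries invoke chkrootkit and as whom. The crontab text is constructed for the demo, not captured from the box, and the /report path in it is an assumption taken from the directory name on the page.

```python
# Added example, not code from the original write-up. Parses system-crontab
# text (the format with a user field) and reports root-scheduled runs of a
# tool. SAMPLE_CRONTAB is constructed; the /report path is assumed.
import glob
import re
from dataclasses import dataclass
from typing import List

SAMPLE_CRONTAB = """\
# constructed sample in /etc/crontab format, not captured from the box
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m  h  dom mon dow user     command
*/5  *  *   *   *   root     /usr/sbin/chkrootkit -q > /report/report.txt 2>&1
17   *  *   *   *   root     cd / && run-parts --report /etc/cron.hourly
0    3  *   *   *   www-data /usr/bin/php /var/www/cleanup.php
@reboot             root     /usr/local/bin/startup.sh
"""

_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str


def parse_system_crontab(text: str) -> List[CronEntry]:
    """Skip blanks, comments and VAR=value lines. Normal entries have five
    schedule fields, @reboot-style shortcuts have one; the user follows,
    and the rest of the line is the command."""
    entries: List[CronEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            parts, n_sched = line.split(None, 2), 1
        else:
            parts, n_sched = line.split(None, 6), 5
        if len(parts) < n_sched + 2:
            continue  # malformed line, ignore
        entries.append(CronEntry(" ".join(parts[:n_sched]),
                                 parts[n_sched], parts[n_sched + 1]))
    return entries


def entries_invoking(entries: List[CronEntry], tool: str) -> List[CronEntry]:
    """Match the tool as a whole word, bare or given as a full path."""
    pattern = re.compile(r"(^|[\s/;&|])" + re.escape(tool) + r"(\s|$)")
    return [e for e in entries if pattern.search(e.command)]


def root_scheduled_runs(text: str, tool: str = "chkrootkit") -> List[CronEntry]:
    """Entries that run `tool` unattended as root: the precondition that
    makes a local privilege escalation in that tool reach root on its own."""
    return [e for e in entries_invoking(parse_system_crontab(text), tool)
            if e.user == "root"]


def live_crontab_text() -> str:
    """Concatenate the system crontabs readable by the current user."""
    chunks = []
    for path in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                chunks.append(fh.read())
        except OSError:
            continue  # unreadable or missing, skip
    return "\n".join(chunks)


if __name__ == "__main__":
    import sys
    text = live_crontab_text() if "--live" in sys.argv else SAMPLE_CRONTAB
    for e in root_scheduled_runs(text):
        print(f"root runs chkrootkit on schedule '{e.schedule}': {e.command}")
```

Run with --live on the target to read the real crontabs; the schedule field tells you how long the wait is between runs, and an entry owned by a non-root user would mean a chkrootkit bug only gets you that user, not root.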