Let's go.
I started from small scan, found 2 ports open:
In 2nd terminal I tried few dictionaries with dirb. Results you'll find below:
Ok, good. Maybe we will find something interesting in the source code of the login page?
Let's get back to the results for our next port - 443:
Checking:
"Default" hardcoded password
Checking the main webroot:
Sure - but no. I decided to re-scan (dirb) web server again:
More files to check.
Well... at this stage I decided to try something else. The goal was to get inside the panel to check what else/more can be done (as an admin; so basically I was looking for some shell-upload possibility).
Let's do it:
And:
Cool ;] When I was looking for the links available on the page I saw that there is an interesting link:
My first thought was - LFI or RFI? ;] We will back to that later. In the middle of time I opened other console window to try to crack the password for HTTPS-panel.
Checking (logfile from script passe.py created to crack the password using rockyou.txt):
Now it should be easier to find a way to get a shell on the server, isn't it?
According to Exploit-DB poc:
... it should be easy to put a webshell via phpLiteAdmin. Checking (for phpinfo() as a 'test'):
So far, so good. Now it was a time to prepare a reverse shell (I used msfvenom to do that). After I tried few types of available shellcodes, finally I've received a meterpreter session:
More:
More:
Checking web directories:
Checking index file:
Not much. Checking PNG file (strings):
Good! Looks like we found ssh key ;] Noted down to use later...
I wasn't able to log in to ssh from Kali box so I decided to try the same from the local machine.
Key was copied via wget to /tmp/a directory:
And we are here:
After a while I found an interesting catalog on / called "report". Content below:
Checking user's directory - flag found ;)
Ok. Let's back to our report's. It looks like this is the log file ('report') from chkrootkit:
Why we can see that anyway?
After I saw that there are more and more 'reports' I was wondering if the cron is involved here:
Checking reset-file:
I switched the content of the reset-file to 'my own', like below:
After a while (with no revshell) I tried to figureout why the connection is not coming... Reason was simple:
[:
Ok, next. (According to HighOn.Coffee) I used another way to achieve these result:
I wasn't sure what should be done here, so I tried to google a little bit to find out if there is any vulnerability for available 'programs' installed on the target box. I found something interesting here.
Interestingly it was a good idea to check it out. I prepared a file (called phpsh.1 - see below) and grabbed it to the target host via wget. On Kali box I used nc -lvvp 7777 to listen for incoming connections:
When all of that was prepared I was ready to wait for the connection from remote host:
The flag:
I must admit that this was a nice idea to use chkrootkit as part of privesc here. Kudos for the author!;]
Big thanks goes to VulnHub for hosting all of those CTFs.
Cheers
o/
Brak komentarzy:
Prześlij komentarz