Checking out the target address shows we land on a page headed ‘Fake Admin Area’. This page has a query box. I was unable to get any output from this or perform any command injection.
Further enumeration shows the /admin page is valid. That page is shown below.
Nothing interesting here but we do have something in the page source.
So far there is nowhere for this to be used, but we can take a note of it. I decided from here to run some more specific enumeration against the target. Running dirsearch.py to append .txt and .php to the end of a wordlist, I was able to identify the /superadmin.php webpage.
So far this looks almost the same as the other page, but we can actually test whether the ping function works.
Using tcpdump on our attacking machine to listen on the interface tun0 for ICMP packets, we can ping our attacking machine and confirm whether we receive the ICMP packets.
Then, after pinging our attacking machine from the web interface, we see results which show ping is working.
Ideally we need to perform some form of command injection. Testing with the interface shows we need an IP at the beginning of the command regardless. The linked GitHub repository has a large number of command injection techniques to try: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
After some testing I found the following to work:
Switching over to Burpsuite we can see the value 192.168.49.79 | id was sent as a query and returned valid results in the response.
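The behaviour observed above, a ping form that only checks that the value starts with an IP address, is the classic shape of a command-injection bug. The following is an added example, not code from the writeup or from the target, written in Python to model that handler from the defender's side: the vulnerable string-concatenation pattern (returned, never executed), a hardened version that parses the whole value as an address and execs without a shell, and a small screen over web-server log lines for metacharacters in the parameter. The parameter name "ip", the function names and the log lines are constructed for illustration.

```python
# Added example (not from the writeup): model of a ping handler in its
# vulnerable and hardened forms, plus a log screen for injection attempts.
# The parameter name "ip", all function names and the log lines are constructed.
import ipaddress
import re
import subprocess
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# --- Vulnerable pattern: a prefix check, then the whole value into a shell ---
IP_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){3}")

def vulnerable_ping_command(user_value: str) -> Optional[str]:
    """Return the shell string the vulnerable handler would run.

    The only check is that the value *starts* with something IP-shaped, which
    matches what the target accepted. Everything after the address reaches the
    shell untouched. The string is returned for inspection, never executed.
    """
    if not IP_PREFIX.match(user_value):
        return None
    return "ping -c 1 " + user_value

# --- Hardened pattern: parse the whole value, exec without a shell ----------
def build_ping_argv(user_value: str) -> List[str]:
    """Validate the entire value as one IP address and return an argv list.

    ipaddress.ip_address() raises ValueError unless the whole string is a
    single address, so trailing metacharacters cannot survive. The argv list
    is handed to subprocess without shell=True, so no shell parses it.
    """
    addr = ipaddress.ip_address(user_value.strip())
    return ["ping", "-c", "1", str(addr)]

def is_valid_target(user_value: str) -> bool:
    try:
        build_ping_argv(user_value)
        return True
    except ValueError:
        return False

def safe_ping(user_value: str) -> int:
    """Run the hardened ping; returns the process exit code."""
    return subprocess.run(build_ping_argv(user_value), shell=False,
                          capture_output=True, timeout=10).returncode

# --- Detection: screen the "ip" query parameter in access-log lines ---------
SHELL_META = re.compile(r"[;|&`$<>\\\n]")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')

def flag_injection_attempts(log_lines: List[str]) -> List[str]:
    """Return decoded "ip" parameter values containing shell metacharacters."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)  # percent-decodes values
        for value in params.get("ip", []):
            if SHELL_META.search(value):
                hits.append(value)
    return hits

# Constructed access-log lines: a normal request and an injection attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /superadmin.php?ip=192.168.49.79 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /superadmin.php?ip=192.168.49.79%20%7C%20id HTTP/1.1" 200 740',
]

if __name__ == "__main__":
    print(vulnerable_ping_command("192.168.49.79 | id"))   # reaches the shell intact
    print(is_valid_target("192.168.49.79 | id"))           # False: rejected
    print(flag_injection_attempts(SAMPLE_LOG))
```

The point of the two functions side by side is that the fix is not a better blocklist of characters: parse the value into the type you actually need, then call the program with an argument vector so there is no shell to inject into. The log screen is a cheap triage signal for the same class of request after the fact.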
From here I ran the following command in a terminal to generate double base64 encoded output.
Then I encoded the output, combined with the ping part of the command, with the Burpsuite encoder.
Then submitted the URL encoded value as a parameter in
Resulting in a reverse shell on our
From here I then transferred over linpeas which, after running, found the binary ‘find’ has the SUID bit set.
Searching GTFOBins we find this can be used to spawn a root shell.
I then run the following command to gain a root shell.
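The linpeas finding above is the kind of thing a host audit should catch before an attacker does: a setuid binary that has no business being setuid. The following is an added example, not from the writeup or from linpeas, written in Python as a defender-side check. It walks a directory tree for files with the setuid bit and diffs them against a baseline of binaries expected to be setuid. The baseline set and the function names are constructed for illustration; a real baseline comes from a known-good build of the same image.

```python
# Added example (not from the writeup): a small SUID audit.
# EXPECTED_SUID and all function names are constructed for illustration.
import os
import stat
import tempfile
from typing import List, Set

# Constructed baseline: binaries an administrator has decided may be setuid.
EXPECTED_SUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount",
}

def find_suid(root: str) -> List[str]:
    """Return sorted absolute paths under root that are regular files with setuid.

    lstat is used so a symlink is judged by its own mode, not its target's;
    unreadable directories and vanished files are skipped, not fatal.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unexpected_suid(found: List[str], baseline: Set[str]) -> List[str]:
    """Setuid files not on the baseline; each needs a justification or a chmod.

    A GTFOBins-listed binary such as find appearing here is exactly the
    condition linpeas reported on this target.
    """
    return sorted(p for p in found if p not in baseline)

def demo_in_tempdir() -> List[str]:
    """Exercise find_suid on a throwaway tree: one setuid file, one normal file.

    Returns the basenames reported, so the scanner can be checked without
    touching the real filesystem.
    """
    with tempfile.TemporaryDirectory() as root:
        suid_path = os.path.join(root, "find")
        plain_path = os.path.join(root, "ls")
        for p in (suid_path, plain_path):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(plain_path, 0o755)
        os.chmod(suid_path, 0o4755)   # setuid bit on
        return [os.path.basename(p) for p in find_suid(root)]

if __name__ == "__main__":
    for p in unexpected_suid(find_suid("/usr/bin"), EXPECTED_SUID):
        print("unexpected setuid binary:", p)
```

Run against a real root, the output is a short list to justify or remove; scheduled as a periodic check and diffed against the previous run, it also catches a setuid bit added after build time.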