Going for the low hanging fruit I will dive straight into FTP on port 2112. On connection with anonymous login we see two files. I grab the index.php.bak and welcome.msg. I also tried file upload and was unsuccessful.
The contents of welcome.msg is shown below:
Not too sure what to do with this just yet but looks like some variables to me. Index.php.bak is more interesting however.
Reading through this the string ‘strcmp’ was interesting and it was a string I was not familier with or recognized as seeing before. After Googling the string for exploits I came across an interesting post relating to a CTF challenge where someone came across the same string.
Take mind of the following snippet from the blog post.
dirsearch.py against the target on port 80 reveals the /admin/ directory.
Checking out the page source we see some familiarity with the form action and the index.php.bak we came across earlier.
Looking back at just the PHP code from the index.php.bak we can see where the strcmp string comes into play.
We know that from the code the admin name exists and that the password is changed regularly base don the comment. Going by this we can try the strcmp bypass on the password value.
I caught a login request with Burp and set the password value to
After sending the request we get confirmation of login.
Once logged in we can follow the link on the dashboard to the admin area.
Heading over to logs we are given the option to pick from a subset of lots to retrieve from the webserver.
Retrieving a log and catching the request in
Burpsuite shows an interesting parameter.
Changing the file request to match
../../../../../../etc/passwd allows for us to perform LFI and read the contents of
Looking at the results we can see a hash for the user webadmin. Checking this hash against the
hashcat examples page shows this is a MD5crypt hash. I was then able to crack the hash on my Windows machine with
We now have the credentials
webadmin:dragon. I was then able to use these to login to SSH with.
sudo -l shows we can run the binary
/bin/nice on any file inside
/notes/* due to the wildcard.
Inside the notes directory we have two files. One that clears the screen and the other runs the
id command. With no writeable permissions on this folder we are unable to edit or replace the files and unable to use them for privilege escalation.
As the sudoers directory. has a wildcard in /notes/* we can abuse this to run a file with sudo permissions outside of the notes directory.
See below for more information:
We can create a shell.sh file in our home directory and execute with sudo.
Once completed then run the following command to gain a root shell.