![]() We could have also run a reverse shell to another port on our machine to get a root shell but for me this was enough. Make it executable: chmod +x /tmp/lshw (otherwise it won’t run).Add our script: echo "cat /root/* > /tmp/mine.txt" > /tmp/lshw. ![]() I ran strings on it and found that it was calling some other commands, from relative paths.Ī classical privilege escalation: we just needed to overwrite the path so that the system would first find our binary to run and hence we would have root command execution! Here are the steps I took: I started my linux enumeration with linpeas.sh and quickly saw that there was an interesting binary that belonged to root and had the SUID bit set, which meant that it was probably the privilege escalation vector. I then did su theseus with password Th3s3usW4sK1ng and have user! ![]() Retrieving user credentials from the database setAttribute ( PDO :: ATTR_ERRMODE, PDO :: ERRMODE_EXCEPTION ) $pdo -> setAttribute ( PDO :: ATTR_DEFAULT_FETCH_MODE, PDO :: FETCH_OBJ ) $stmt = $pdo -> query ( "select * from login" ) $result = $stmt -> fetch ( PDO :: FETCH_ASSOC ) print_r ( $result ) Database :: disconnect () } catch ( PDOException $e ) ?> I then decided to use the script that was available to us and show the tables: I thought that the password may have been in the MySQL database but tried accessing it with the mysql command but it wasn’t installed. However, I tried to change into that use but the password wasn’t valid. Once in, I first upgraded my shell with python3 -c "import pty pty.spawn('/bin/bash')" and started inspecting the files on the web application for sensitive information and found an interesting file: db.php5: I then modified the payload to include a one-liner reverse shell and set up a listener with netcat ( nc -lnvp 8001): Indeed it was:įrom there I just accessed the path with the command I wanted and we have RCE! I didn’t know where it was uploaded though, so went back to the main page and checked the source code to find if the directory was disclosed. php.jpg extension with PHP code after those bytes, as that can lead to command execution and bypass the extension filter at the same time. However, the following message appeared, which made me suspect it was also checking the magic bytes at the beginning of the file:įinally, I decided to add the magic bytes of an JPEG file ( FF D8 FF DB) and use the. Then I tried renaming the file to have a PNG extension. I first tried to upload a text file and the application checks for image extensions:Īpplication blocking non-image extensions I tried a simple SQL injection and entered username admin and password ' OR '1'='1 and guess what? I was in and presented with the upload page! We bump into what looks like a simple PHP application that is used as a gallery and can see that it has a log in page. Given that we only have SSH on port 22 and an HTTP server on port 80 I assumed that the initial exploitation vector had to be through the web app. # Nmap done at Sat May 16 11:28:55 2020 - 1 IP address (1 host up) scanned in 106.80 seconds Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |