Machine - Previse

  • Port scan: 80 and 22 are open
  • Enumerate port 80: it is a PHP web application
  • Fuzz the content
    • Found a config.php file
    • Found a header.php (seems to only contain the header of the index page)
    • And a couple of paths returning 302 redirects
000000194:   200        0 L      0 W        0 Ch        "config"
000000285:   302        0 L      0 W        0 Ch        "download"
000000342:   302        148 L    371 W      7240 Ch     "files"
000000390:   200        20 L     64 W       980 Ch      "header"
000000422:   302        71 L     164 W      2801 Ch     "index"
000000489:   200        53 L     138 W      2224 Ch     "login"
000000493:   302        0 L      0 W        0 Ch        "logs"
000000794:   302        116 L    239 W      3777 Ch     "status"
  • The page has a big form, so let’s try SQL injection with sqlmap. The SQL injection didn't work :(
  • Able to create a new account by intercepting the accounts.php response in Burp and changing the status code from 302 to 200
  • Once logged in with that account, there is a new portal where the whole PHP source code can be downloaded
  • There is an exec call in the code that we can exploit to get a reverse shell
  • With a reverse shell on the machine as www-data, we can connect to the database, which contains some users and password hashes
+----+----------+------------------------------------+---------------------+
| id | username | password                           | created_at          |
+----+----------+------------------------------------+---------------------+
|  1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
|  2 | admin    | $1$🧂llol$uXqzPW6SXUONt.AIOBqLy. | 2021-10-16 18:20:53 |
|  3 | user1    | $1$🧂llol$MoziX/4Akv37NxdU2ZIeG1 | 2021-10-16 18:30:02 |
|  4 | ian3130  | $1$🧂llol$BP0FnjXWfkmOpIV2lDXFv1 | 2021-10-16 18:33:35 |
|  5 | Plato1   | $1$🧂llol$dDlAFqmWTFH3GLZ7uTyvu. | 2021-10-16 18:53:07 |
|  6 | person   | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2021-10-16 19:18:21 |
|  7 | test123  | $1$🧂llol$wzYjWk/p5usz8BzxvPrXs1 | 2021-10-16 21:40:53 |
|  8 | kzkkzk   | $1$🧂llol$3eLmgTqLDTqEX/TudqGnt1 | 2021-10-17 01:00:25 |
|  9 | master   | $1$🧂llol$nfmnVoR44RBQJi93c7n6K0 | 2021-10-17 01:34:37 |
+----+----------+------------------------------------+---------------------+
  • Let’s try to crack them…
    • john hashes.txt --wordlist=/usr/share/dict/rockyou.txt --format=md5crypt-long
  • Once we have the password, we can log in over SSH as m4lwhere with it
  • Run sudo -l to list the binaries we can execute as root
  • There is a Python script that executes other programs, so we hijack the PATH environment variable: create a script with the same name that runs chmod u+s /bin/bash, and set PATH so that our script is found first
  • Get root simply with bash -p
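The PATH hijack above works because privileged code resolves helper programs through whatever PATH the caller supplies. The following is an added Python example, not the script from the machine, contrasting that vulnerable resolution with a hardened version that pins PATH and runs helpers by absolute path; the command name and the writable hijack directory are constructed for the demo.

```python
"""Hypothetical illustration of the PATH-hijack bug class (not the box's script)."""
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path for privileged helpers (sudo's secure_path enforces the
# same idea at the sudoers level).
TRUSTED_PATH = "/usr/bin:/bin"


def resolve_unsafe(command, env):
    """Vulnerable pattern: resolve a bare command name via the caller's PATH."""
    return shutil.which(command, path=env.get("PATH", ""))


def resolve_hardened(command):
    """Hardened pattern: ignore the caller's PATH and search only trusted dirs."""
    return shutil.which(command, path=TRUSTED_PATH)


def run_hardened(command, args):
    """Run a helper by absolute path with a minimal, fixed environment."""
    exe = resolve_hardened(command)
    if exe is None:
        raise FileNotFoundError(command)
    return subprocess.run([exe, *args], env={"PATH": TRUSTED_PATH},
                          check=True, capture_output=True)


def demo(command="sh"):
    """Constructed scenario: a writable dir holding a fake `command` is
    prepended to PATH, as the privilege-escalation step in the notes does."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        fake = os.path.join(hijack_dir, command)
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho hijacked\n")  # never executed here
        os.chmod(fake, stat.S_IRWXU)
        attacker_env = {"PATH": hijack_dir + os.pathsep + TRUSTED_PATH}
        return {
            "fake": fake,
            "unsafe": resolve_unsafe(command, attacker_env),  # picks the fake
            "hardened": resolve_hardened(command),            # picks /bin or /usr/bin
        }
```

Running `demo()` shows the unsafe lookup returning the planted file while the hardened lookup still returns the system binary, which is the property a privileged script (or a sudoers `secure_path`) needs to guarantee.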