h0j3n.medium.com

Vulnhub : M87

H0j3n


Nmap

Port 80

First of all, let's check which directories exist, using whatever tool is suitable.

/admin
/assets
/admin/backup

The first login page is plain HTML, not PHP, so I looked at /admin instead. Tried admin:admin, but it did not work.


I looked at /admin/backup and found the same thing.


But again nothing. After enumerating some more, I thought I should try enumerating parameters. I wrote my own tool for this, which you can get from the references below.

python ezpzLFI.py paramlfi 'http://IP/admin/backup/index.php'


Found a possible one. Let's check the id parameter.


Okay, I never expected an SQL error. I used sqlmap and managed to dump credentials.

sqlmap -u 'http://IP/admin/backup/index.php?id=1' -D db -T users --dump

Let's try another possible parameter, file.


Found one user, charlotte. Now I have possible credentials to try. I tried entering each one manually on port 80, but none of them worked.


Charlotte (User)

But then I remembered port 9090.


At first I thought this one might give me something, but after some research it turned out to be Cockpit (server administration), which would give me access to the server if I could authenticate. I tried some usernames and passwords but could not get in. Then I remembered charlotte, the only user on the machine. Tried that with the admin password and finally got access.


There is a terminal inside.


Let’s get a reverse shell!

Root

I tried sudo -l, but the user has no sudo permissions, so I enumerated manually.

# SUID binaries
find / -perm /4000 2>/dev/null
# File capabilities
getcap -r / 2>/dev/null

Later I found that /usr/bin/old has cap_setuid.

I ran the binary and found out that it is running Python 2.7.16!

Since it has the setuid capability, this one-liner gets root.

/usr/bin/old -c 'import os; os.setuid(0); os.system("/bin/bash")'
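From the defender's side, the cap_setuid on a Python interpreter is exactly the kind of finding a periodic audit should catch. The script below is an added example, not the author's tool: it parses getcap output (both the older "path = caps+flags" and the newer "path caps=flags" layouts), flags identity-changing or permission-bypassing capabilities, and can be pointed at a live host; the sample lines are constructed, with /usr/bin/old mirroring the binary on this box.

```python
"""Audit file capabilities for ones that allow privilege escalation."""
import re
import subprocess

# Capabilities that let a process change identity or bypass file permissions.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_admin"}

# Constructed sample in the shape getcap prints; only /usr/bin/old is from the box.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/old = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+ep
/opt/tool/dumpcap cap_net_admin,cap_net_raw=eip
"""

# Old libcap: "<path> = <caps>"; new libcap: "<path> <caps>".
_LINE_RE = re.compile(r"^(\S+)\s+(?:=\s+)?(\S+)\s*$")


def parse_getcap_line(line):
    """Return {'path', 'caps', 'flags'} for one getcap line, or None if unparsable."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    path, spec = m.groups()
    names = set(re.findall(r"cap_[a-z_]+", spec))          # e.g. cap_setuid
    flag_match = re.search(r"[+=]([eip]+)", spec)          # e = effective, p = permitted
    flags = set(flag_match.group(1)) if flag_match else set()
    return {"path": path, "caps": names, "flags": flags}


def risky_capabilities(getcap_output):
    """List (path, [risky caps]) for every binary carrying a capability in RISKY_CAPS."""
    findings = []
    for line in getcap_output.splitlines():
        entry = parse_getcap_line(line)
        if entry and entry["caps"] & RISKY_CAPS:
            findings.append((entry["path"], sorted(entry["caps"] & RISKY_CAPS)))
    return findings


def scan_host(root="/"):
    """Run the real getcap (needs libcap tools installed) and audit its output."""
    proc = subprocess.run(["getcap", "-r", root], capture_output=True,
                          text=True, check=False)
    return risky_capabilities(proc.stdout)


if __name__ == "__main__":
    for path, caps in risky_capabilities(SAMPLE_GETCAP_OUTPUT):
        print(f"RISKY: {path} has {', '.join(caps)}")
```

A hit on an interpreter (python, perl, etc.) deserves the highest priority, since anything it executes inherits the capability, as the one-liner above shows.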

Enjoy the box! Thank you mindsflee :)

References