First of all, let's check what directories we have, using any suitable tool.
The login page at the first one is only HTML and not PHP, so I tried looking at /admin instead. Tried admin:admin, but it didn't work.
I tried looking at /admin/backup and found the same thing?
But again nothing… After enumerating some more, I thought I should try enumerating the parameters. I wrote my own tool, which you can get in the references below!
python ezpzLFI.py paramlfi 'http://IP/admin/backup/index.php'
Found a possible one. Let’s check the parameter id.
Okay, I never thought it could have an SQL error. I tried sqlmap and managed to dump credentials.
sqlmap -u 'http://IP/admin/backup/index.php?id=1' -D db -T users --dump
Let’s try another possible parameter, which is file.
Found one user, which is charlotte. Now I have possible credentials to try. I tried entering each one manually on port 80, but it didn't work.
But then I remember port 9090.
At first, I thought this one could give me something, and after doing some research I found that it is Cockpit (Server Administration), which could give me access to the server if I managed to authenticate. Tried some usernames and passwords but couldn't get access. Then I remembered charlotte, the only user on the machine. Tried that with the admin password and finally got access.
There is a terminal inside.
Let’s get a reverse shell!
I tried sudo -l but don't have any sudo permissions. I tried to enumerate manually.
find / -perm /4000 2>/dev/null
# Capabilities
getcap -r / 2>/dev/null
Later I found that there is
I tried to run the binary and found out that it was running Python 2.7.16!
Since it has the setuid capability, this one-liner could get me root.
/usr/bin/old -c 'import os; os.setuid(0); os.system("/bin/bash")'
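The same getcap output can be audited from the defender's side. The script below is an added example, not part of the original write-up: it flags any binary holding an identity-changing capability in its permitted or effective set, whatever the file is called (a renamed interpreter like /usr/bin/old would pass a name-based check). The sample lines and the list of risky capabilities are constructed assumptions, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: audit file capabilities from `getcap -r / 2>/dev/null`.

# Capabilities treated as root-equivalent here (an assumption; extend as needed).
RISKY_CAPS='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search'

# audit_caps: reads getcap output on stdin and prints "path<TAB>capability"
# for each risky capability present in the permitted (p) or effective (e) set.
audit_caps() {
    awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    {
        path = $1
        # Older libcap prints "path = caps+ep", newer prints "path caps=ep";
        # walking every clause after the path covers both layouts.
        for (f = 2; f <= NF; f++) {
            pos = match($f, /[+=]/)            # first operator in the clause
            if (pos == 0) continue             # e.g. a pure removal "cap_x-ep"
            names = substr($f, 1, pos - 1)
            flags = substr($f, pos + 1)
            if (flags !~ /[ep]/) continue      # inheritable-only or a bare "="
            if (names == "") { print path "\tALL"; continue }   # "=ep": every capability
            m = split(names, c, ",")
            for (j = 1; j <= m; j++) if (c[j] in want) print path "\t" c[j]
        }
    }'
}

# Constructed sample input (not captured from the target machine).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/old = cap_setuid+ep
/usr/bin/newfmt cap_setuid,cap_net_bind_service=eip
/opt/tool cap_setuid=i
/opt/everything =ep'

printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
```

A flagged file that has no reason to hold the capability can have it stripped with setcap -r on that path.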
Enjoy the box! Thank you mindsflee :)