SCANNING:
Network Scanning:
Through initial network scanning with nmap we found that ports 22 and 80 were open. Opening the site in a browser, we found a submission form for a faculty ID.
Using nmap scripts we enumerated some other web pages, two of which were an admin login page and a home page. Going through the source code, we found that validation goes through ajax.php. So, using Burp interception, we captured the admin login request with default credentials and modified it. When the page responded with a 302, we changed the response status to 200 and forwarded it, which got us inside successfully.
FOOTHOLD
While looking through the web page we found a PDF download. When we captured the download request, its parameter was base64 and URL encoded; once decoded, it turned out to be HTML.
After some research we found what type of malicious payload had to be set.
(For more info look into the following link https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f )
Finally we encoded our payload and set it along with the PDF download request.
We sent it through Repeater and found our PDF name in the response. Opening it in the browser gives a new page with our faculty names; moving the cursor slowly along each character reveals an attachment pop-up from which we can download it. Initially we set our payload for /etc/passwd, and the attack was successful: the server gave back that file.
Next we wanted to read files in /var/www/html. Our first try was not successful because the file path was wrong, so to get the correct path we triggered another error on the admin login page,
which ended up revealing the correct file path. Once we downloaded the file named admin_class.php, we went through the code and found another file named db_connect. We downloaded it and, surprisingly, found a password.
Now we went for an SSH connection with gbyolo as the username and the password from db_connect.
When we ran sudo -l we found a meta-git folder in /usr/local/bin. We googled many ways to exploit meta-git and finally found one, which ended up revealing id_rsa for the user developer.
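As an added defender-side example (not part of this writeup), the following reverses the encoding chain described above, URL-decoding and then base64-decoding the PDF parameter, and flags local file references in the decoded HTML. The parameter values are constructed here and the pattern list is an assumption for the example.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Local file references a PDF-export endpoint should never see in user-supplied
# HTML. This pattern list is an assumption for the example, not from the writeup.
LOCAL_FILE_PATTERNS = [r"/etc/passwd", r"/etc/shadow", r"/var/www/[\w./-]*",
                       r"file://[\w./-]*", r"\.\./"]


def encode_pdf_param(html):
    """Encode HTML the way the captured request did: base64, then URL-encode."""
    return quote(base64.b64encode(html.encode("utf-8")).decode("ascii"), safe="")


def decode_pdf_param(param):
    """Reverse the chain: URL-decode, then base64-decode. Returns '' on junk."""
    raw = unquote(param)
    raw += "=" * (-len(raw) % 4)  # restore padding stripped in transit
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def find_local_file_refs(html):
    """Return distinct local-file references found in the decoded HTML."""
    hits = []
    for pattern in LOCAL_FILE_PATTERNS:
        for match in re.findall(pattern, html):
            if match not in hits:
                hits.append(match)
    return hits


def inspect_pdf_request(param):
    """Decode a captured PDF parameter and report whether it looks like an
    attempt to pull local files through the PDF generator."""
    html = decode_pdf_param(param)
    hits = find_local_file_refs(html)
    return {"html": html, "hits": hits, "suspicious": bool(hits)}


# Constructed samples: a normal faculty export and one carrying a local path.
BENIGN_PARAM = encode_pdf_param("<h1>Faculty</h1><p>Alice</p><p>Bob</p>")
SUSPICIOUS_PARAM = encode_pdf_param("<h1>Faculty</h1><p>/etc/passwd</p>")

if __name__ == "__main__":
    for name, param in (("benign", BENIGN_PARAM), ("suspicious", SUSPICIOUS_PARAM)):
        result = inspect_pdf_request(param)
        print(name, "->", "ALERT" if result["suspicious"] else "ok", result["hits"])
```

Run against captured request parameters from the web server's access logs or a proxy, the same check gives a review queue of PDF exports that referenced local paths.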
PRIVILEGE ESCALATION
We ran linpeas.sh to find possible vulnerabilities and found that gdb was running.
Both developer and root are in the same group for running gdb.
We googled how to do privilege escalation with Linux capabilities, which led us to HackTricks.
We found a process running as root and got its process ID, ran gdb against that process ID, entered our reverse shell payload along with the payload from HackTricks, opened a netcat listener and waited for the hit.
PWNED