Traceback
Nmap
Jumping straight into port 80 we are presented with the page below:
Viewing the source for this web page shows the hacker has left a hint 'Some of the best web shells that you might need ;)'.
From here I executed dirsearch.py with the CommonBackdoors-PHP.fuzz.txt wordlist from seclists which can be found here: https://github.com/danielmiessler/SecLists.
dirsearch.py finds smevk.php from the wordlist. Browsing to the PHP webshell shows the following below:
Looking up the credentials for the SmEvK web shell we get the following GitHub link:https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/smevk.php
This shows that the defaults are admin:admin
Once logged in we get the page below:
Heading over to the 'console' tab we see that when running which nc
that netcat
is installed. I set up a local listener on my attacking machine.
Then executed the following command on the web shell to gain a full reverse shell.
Checking the users in /home/
we have sysadmin and webadmin. The user webadmin has a note.txt file in their desktop.
Following this I was unable to find the tool which was mentioned. I then checked sudo privileges with sudo -l
and took note that we can run sudo
as the user sysadmin without specifying a password on the path /home/sysadmin/luvit
.
Running the following command allows us to start the binary but seems to throw an exception and kick us out immediately.
Looking up LUA on GTFOBins shows we may be able to spawn a system shell with the privileges of the executing user.
Using this I run the following command replacing 'lua' with 'luvit'.
Which in turn gives us a shell as the user 'sysadmin'. Next use the following command to upgrade the shell.
From here I opted to gain SSH
access. As we do not know the password of the sysadmin user I will instead drop my attacking machines id_rsa.pub contents into /home/sysadmin/.ssh/authorized_keys
file.
If you do not have a id_rsa.pub
file on the attacking machine run the following command and hit enter on all options.
Then cat the contents of id_rsa.pub
.
Then echo in the authorized_keys
file on the target machine.
We can then log into SSH
as the user sysadmin.
We also see the hacker has altered the MOTD banner when logging in. We can check the permissions of this in /etc/updatemotd.d/
.
As we have write permissions over these files I will simply inject a netcat
reverse shell into the first script run which is 00-header.
Set a netcat
listener on the attacking machine then run the following command on the target machine:
Once completed log out of SSH
and back in to execute. The login should hang and fail to complete.
Resulting in a root shell on the netcat
listener.
Last updated