FunboxEasy
Nmap
Checking out port 80 we have the default install page for Apache 2.
Checking the source on this page reveals no interesting information. From here I executed dirsearch.py against the target machine.
Checking the directory /store we are presented a web page for 'CSE bookstore'.
Researching exploits on Google for 'CSE bookstore' we are presented with an exploit for Unauthenticated RCE. The exploit PoC has been linked below.
After downloading the PoC I executed it with the following command:
When prompted to launch a shell hit 'y'.
This shell stops us from properly navigating the target machine and will return us back to the current working directory when the command has finished executing. As such I checked what binary's are installed on the target machine so we can spawn a shell where we can navigate the target properly.
As per above perl is installed on the system. From here I started a netcat listener on my attacking machine.
I then executed the following command to gain a perl reverse shell.
Moving into the home directory and then into the user tony's home directory we have passwords.txt. Reading the contents of this text file shows the following information:
I then able to login with the SSH password for the user tony.
Checking sudo -l for sudo permissions we come into a multitude of entries.
As we can execute sudo as the user root without supplying a password here I will use pkexec to spawn a bash shell as root.
Last updated
