search
GitHubPsMapExec

FunboxEasy

hashtag
Nmap

nmap 192.168.178.111 -p- -sS -sV

Host is up (0.097s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  mysqlx?

Checking out port 80 we have the default install page for Apache 2.

Checking the source on this page reveals no interesting information. From here I executed dirsearch.py against the target machine.

Checking the directory /store we are presented a web page for 'CSE bookstore'.

/store

Researching exploits on Google for 'CSE bookstore' we are presented with an exploit for Unauthenticated RCE. The exploit PoC has been linked below.

LogoOnline Book Store 1.0 - Unauthenticated Remote Code ExecutionExploit Databasechevron-right

After downloading the PoC I executed it with the following command:

When prompted to launch a shell hit 'y'.

This shell stops us from properly navigating the target machine and will return us back to the current working directory when the command has finished executing. As such I checked what binary's are installed on the target machine so we can spawn a shell where we can navigate the target properly.

As per above perl is installed on the system. From here I started a netcat listener on my attacking machine.

I then executed the following command to gain a perl reverse shell.

Moving into the home directory and then into the user tony's home directory we have passwords.txt. Reading the contents of this text file shows the following information:

I then able to login with the SSH password for the user tony.

Checking sudo -l for sudo permissions we come into a multitude of entries.

As we can execute sudo as the user root without supplying a password here I will use pkexec to spawn a bash shell as root.

Last updated