Payday
Pg Practice Payday writeup
Nmap
HTTP
Default root page on port 80 takes us to a store page for CS-cart.
We can see from this page that this is a demo page that is currently running. With that we can try some common login credentials.
I tried admin:admin and was able to login to the web application. After logging in I could not see much had changed and was unable to find anything interesting. I quick Google search produces a potential authenticated RCE exploit.
I could not find anywhere to upload to the file manager and after a short while decided to not proceed with this exploit for the time being.
LFI
After further research on Google we also have a potential for a LFI exploit on CS-cart.
Lets test one of these and see if we can read /etc/passwd.
We have confirmed LFI and have read the passwd file. We can take note of the user 'patrick' which is the last entry on the file.
I tried reading other common LFI paths and could not find further information. The users patrick did not appear to have any SSH keys in /home/patrick/.ssh/
SSH Bruteforce
With a known users on the system we can try bruteforcing pop3 / imap over telnet and we can try SSH. I first set up crackmapexec to brute force SSH.
We soon find a valid set of credentials. patrick:patrick.
Low Privilege Access
We now attempt to login with SSH.
Privilege Escalation
Privilege escalation proved to be exceptionally easy on this machine. Before uploading any enumeration scripts I always perform a quick check on what we can run as sudo with sudo -l.
Here we can see patrick can run sudo as any user on any command. This is a quick win as we can run sudo as root on /bin/bash to spawn a root shell.
Last updated
