WebCal
Pg Practice WebCal writeup
Nmap
FTP
On port 21 we have Pure-FTPd running. I tried anonymous login and was unable to authenticate.
SMTP
I ran default scripts and version enumeration against port 25 and was unable to gain interesting information. I will instead move onto port 80 for the time being.
HTTP
The root page for Port 80 takes us to the following:
Before navigating the website I ran nikto
and dirsearch.py
for further enumeration.
I looked through the discovered directories from dirsearch.py
and was unable to identify any attack vectors. Looking through the output for nikto
we do have a directory of /webcalendar/login.php.
We arrive at a login page for WebCalendar v1.2.3. I looked up default credentials which are admin:admin and was denied a valid login. I researched exploits for WebCalendar and came to a RCE exploit.
As per the defined usage in the exploit code I ran the exploit.
We now have a shell on the target machine and we are running as the user www-data. I found with this shell that when you trying changing directories or running scripts it would have unexpected behaviour.
I performed a quick check to see if python was installed using which python
. After confirming Python is installed I tried a quick one liner reverse shell to see if we can get a more stable one.
First I started a netcat
listener on my attacking machine:
The run the following command on the target machine:
We now have a more stable shell.
I changed to the /tmp/ directory and set up a Python SimpleHTTPServer
on my attacking machine and downloaded linpeas.sh
to assist with privilege escalation.
After running linpeas
I had some trouble identifying a privilege escalation vector and fell into some rabbit holes. I decided to go back some and Google search for other WebCal exploits. I come across the following exploit.
Except I was not actually interested in the exploit but in code we see a mention of database credentials.
I then looked for the settings.php file on the target machine which was on the /includes/ directory. Here I was able to find some database credentials.
We have the credentials: wc:edjfbxMT7KKo2PPC
I was then enable to login to MySQL with the credentials we have gathered.
I was then able to pull the WebCal admin username and password hash from the intranet database.
I ID'd the hash as being a MD5 hash. At this point I tried cracking with hashcat
on multiple wordlists including rockyou.txt and was unable to crack.
After searching around for privilege escalation vectors I was absolutely stuck for an exploit. I then checked linux-exploit-suggester.
The script directs to the memodipper exploit being a highly probable chance of exploitation. Download the exploit code and transfer it over to the target machine so we can compile.
I compiled the exploit with gcc
and allowed the binary to be executable with chmod
. Once completed I then called the exploit and was given a root shell.
Last updated