sudo nmap -p- -sS -sV

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 lands us on to the Apache Ubuntu default installation page.

With nothing interesting in the page source code we can move onto directory enumeration with dirsearch.

python3 -u -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -t 60 --full-url 

dirsearch soon picks up the /content/ directory.

Browsing to the directory reveals SweetRice. Research on Google shows this is CMS software:

Running dirsearch further on the /content/ directory with the raft-large-files.txt wordlist from seclists finds the changelog.txt page:

python3 -u -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -t 60 --full-url  

We are now aware we are running version 1.5.0 of SweetRice. Looking at the directory of /content/as/ we arrive at a login page.

The directory /content/inc/ also contains various files: Of particular interest the the .sql backup in the mysql_backup folder.

Downloading the file and running the strings command against it reveals login information:

Where we have a username of manager and a password has of: 42f749ade7f9e195bf475f37a44cafcb. This hash MD5 hash and was cracked using Hashcat on Windows with the rockyou.txt wordlist.

We now have credentials manager:Password123. We can then login to the CMS.

Looking at the Media Centre blade on the right we can upload files to the server. Initially i tried a standard PHP reverse shell and this was filtered out. Saving the Shell as a .php5 was not filtered out for upload.

At which point I set up a netcat listener and executed the uploaded file.

From here we have access to the home directory of 'itguy' in /home/itguy. This directory contains some interesting files namely the file. The perl file is not writeable us but, looking at the containing script it executed /etc/ which we have write access to.

I then transferred over pspy32 to analyze if anything gets executed on a schedule in regards to either or /etc/ After waiting some time I assumed not.

After checking sudo privileges we see that www-data can run as any user without specifying a password.

From this we can replace the contents of /etc/ with a reverse shell knowing we can execute it with root privileges.

Checking the contents of /etc/ looks like it already contains a reverse shell...

From here I echo out the contents then replace it again this time with our attacking machine IP and port. Then execute /home/itguy/ using sudo under the context of root.

At which point we receive a reverse shell.

Last updated