Nmap
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32–3.10, Linux 2.6.32–3.13
Uptime guess: 49.710 days (since Mon Aug 12 18:37:47 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zerosHere we get to see that only http port is open where we just get a png saying keep clam and drink fristi so after this i went to see dirsearch and there i found /cola /sisi and /beer at robots.txt
As cola sisi beer are some name of drinks but when we visit there we found another png saying “this is not the url you are looking for” as we had seen on the default page we found fristi and it’s also a drink , what if we try fristi
At http://ip/firsti i found a login page , when looking for source page i found a base 64
After dencoding and after decoding we found a png tag at decoded value of base64 and then we decoded base64 to png
So i got the password and user we got a source code
Using this we got logged and found a upload option which only uploads image files , so we made php reverse shell and bypassed it using double extension, and uploaded it(php-reverse-shell.php.png) , and found that the uploaded files are stored at /uploads
And got reverse shell at “nc”
Got reverse shell of ( apache) so after enumerating found notes.txt at eezeepz directory which seems to be very useful .
Here we get to see that we can use chmod, df ………. and given options from admin and can get them execute with admin , and then whatever we wrote in runthis at /tmp admin executes it as it is
So here we had given 777 permission at /home/admin, and got the right to move in admin directory
At admin directory i found cryptpass.py
bash-4.1# cat cryptpass.py
cat cryptpass.py
#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sysdef encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], ‘rot13’)cryptoResult=encodeString(sys.argv[1])
print cryptoResult
bash-4.1#
Where we can see that it’s encoding the string in rot13 and then it reverse it and then when we decode that string in base64 we got a plain text password for fristi user
And here we get the password for fristi and witched to it with su command and found that at sudo -l the user fristi can use doCom as sudo
So we just went to directory containing doCom (/var/fristigod/.secret_admin_stuff/) and then used the command
sudo -u fristi ./doCom /bin/bash -pAnd got the root
