This article is part of the "Newcomer Creation Gift" activity; let's start the Juejin creation journey together.
Hi, welcome back to geight. Today I will bring you a walkthrough for a vulnerable machine named FunboxEasy from the PGP lab. You can also find this box on VulnHub.
Scan
nmap
As usual, I start by scanning the box roughly with nmap to find which ports I can use.
port | state | service
---|---|---
22/tcp | open | OpenSSH 8.2p1
80/tcp | open | Apache httpd 2.4.41
port 80
Using dirsearch to find some useful paths and files.
There were so many directories waiting for me to explore, so I had to look through them one by one.
At the same time, I collected the URLs which might be vulnerable to SQL injection:
192.168.240.111/store/book.php?bookisbn=978-0-7303-1484-4
192.168.240.111/gym/index.php?error=1
/secret/page showed me a saying of Oscar Wilde.
/robots.txt gave me another path I had not found yet.
/profile.php: when I opened it, it redirected me to index.php
and showed me a login panel.
/admin: another login panel. It seemed like a content management system, and every URL under /admin was redirected to /admin/index.php.
/store: when I viewed this page, I found it used a CMS named CSE Bookstore, which kindly tells us it uses MySQL, hahaha.
Shell as WWW
So I searched for an exploit on Google and found this:
A SQL injection in /store/bookPerPub.php?pubid=1, but using sqlmap, I found there was no useful information in this database.
So I searched this CMS on searchsploit again and found another vulnerability.
There was an authentication bypass on CSE's login page, and I could use admin:%' or '1'='1 to log in to the backend.
P.S. The password of the admin account is just admin...
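The bypass above works because the login page pastes the submitted credentials straight into the SQL text, so the quote in the payload closes the password literal and the trailing `or '1'='1` makes the WHERE clause always true. The following is an added illustration, not code from the CSE Bookstore CMS: a toy login table in sqlite3 (the real CMS uses MySQL; sqlite3 is an assumption so that it runs offline), with the concatenating query beside the parameterised one. The payload quoted in the walkthrough gets the vulnerable version to return a row and is treated as a plain, wrong password by the hardened one.

```python
import sqlite3

BYPASS = "%' or '1'='1"   # the payload quoted in the walkthrough


def make_db():
    """Constructed in-memory admin table standing in for the CMS's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'admin')")
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: the inputs become part of the SQL text, so a quote
    in the password closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM admin WHERE name = '{name}' AND pass = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, name, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so the payload is compared as a literal string and simply fails."""
    sql = "SELECT name FROM admin WHERE name = ? AND pass = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login, bypass payload :", login_vulnerable(conn, "admin", BYPASS))
    print("hardened login, bypass payload   :", login_hardened(conn, "admin", BYPASS))
    print("hardened login, real password    :", login_hardened(conn, "admin", "admin"))
```

The same fix applies to the `bookPerPub.php?pubid=` parameter mentioned earlier: bind it as a parameter instead of concatenating it. The plaintext `admin`/`admin` row is also part of the problem; a real deployment would store a salted password hash and compare against that.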
By the way, once I logged into the backend I found a button "add new book".
After entering it, I could upload shell code as the cover image of a new book.
I used the webshell shipped with Kali, /usr/share/webshells/php/php-reverse-shell.php.
After that I opened an nc listener and browsed to the book I had added.
But nothing happened except a failed-to-load image. So I opened the "image" in a new tab.
Although it gave me an error, I got a www shell.
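The upload step succeeds because the "cover image" field accepts a PHP file and the web server then executes it when the "image" is requested. As an added example (not the CMS's code), the check below is what a defender would put in front of that upload handler: the extension must be on an image allowlist, the file must actually start with that image type's signature, and no PHP open tag may appear anywhere in the body (this catches the renamed-shell and the image-plus-PHP polyglot cases). The sample files are constructed for the demonstration; `validate_cover_upload` is a hypothetical name.

```python
import os

# Leading bytes for the image types a cover upload is allowed to contain.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_cover_upload(filename, data):
    """Return (ok, reason) for an uploaded cover image.

    Accepts a file only when the extension AND the leading bytes both say
    'image' and no PHP open tag appears in the body."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} is not in the image allowlist"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not start with the expected image signature"
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag embedded in file body"
    return True, "ok"


# Constructed samples, not files from the box:
PNG_COVER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16            # plausible image
RENAMED_SHELL = b"<?php /* reverse-shell body omitted */ ?>"  # PHP source
POLYGLOT = PNG_COVER + b"<?php /* body omitted */ ?>"         # image header + PHP

if __name__ == "__main__":
    for name, blob in [("cover.png", PNG_COVER),
                       ("shell.php", RENAMED_SHELL),
                       ("shell.png", RENAMED_SHELL),
                       ("shell.png", POLYGLOT)]:
        print(name, "->", validate_cover_upload(name, blob))
```

Content checks alone are not enough: the uploads directory should also be served from a location where the web server never executes scripts, so that even a file that slips past the filter is only ever returned as bytes.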
Shell as Tony
It truly took me a lot of time. I had even already seen the username in the /home path.
At first, I thought there might be something hidden in the config files of the website. But I found nothing about the password of any higher-privileged user of the system.
Then I tried to crack the password of Tony, but that failed as well.
In the end, an idea came to my mind: I had to do what I usually do, and check every path that looked unlikely to bring me any chance of success.
So I opened /home/tony and saw password.txt. The password file showed me the gym site password, the bookstore password and, most importantly, the password of tony.
However, when I connected to the machine with ssh, it refused my request. So I had to use su to log into the tony account.
Shell as root
As we can see in the picture above, I could use sudo to execute many commands.
But trying the above commands one by one, I found only three of them actually existed on the box:
rlogin, pkexec, time
I tried rlogin to log in as root using the address 127.0.0.1, but failed.
Besides, there were vulnerabilities in the remaining two.
pkexec
This command lets me execute programs as root. So I just had to enter
sudo pkexec /bin/bash
And I got a root shell.
time
This one may be rarer. The command time lets a user measure how long a command takes to run, and to measure it, it first has to execute the command.
So I entered:
sudo time /bin/bash
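Both escalations have the same root cause: the sudoers entry hands tony a binary whose whole job is to run another program, so "run X as root" quietly becomes "run anything as root". As an added example (not part of the walkthrough or the box's real sudoers), the audit below parses a constructed sudoers fragment with a simplified grammar and flags entries for `ALL`, for wrapper binaries such as the two abused here (`pkexec`, `time`) and the shells themselves, and, as informational findings, for commands that the box no longer has on disk (the walkthrough notes most listed commands did not exist). The set of installed paths is passed in rather than read from the filesystem so the check is deterministic; `audit_sudoers`, the sample entries and the `/opt/legacy/backup.sh` path are all constructed.

```python
import re

# Binaries that, when allowed through sudo, execute another program (or are
# a shell) as the target user. pkexec and time are the two the walkthrough
# turned into a root shell; the shells cover the trivial "sudo /bin/bash" case.
WRAPPER_BINARIES = {"pkexec", "time", "bash", "sh", "dash"}

# Simplified sudoers user-spec grammar: user host=(runas) [TAG:] cmd, cmd ...
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*", re.IGNORECASE)


def audit_sudoers(sudoers_text, installed):
    """Return a list of (user, command, risk) findings.

    `installed` is the set of absolute binary paths present on the host.
    Aliases, line continuations and commas inside arguments are not handled;
    this is an illustration of the check, not a full sudoers parser."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, _host, _runas, cmd_list = m.groups()
        for cmd in cmd_list.split(","):
            cmd = TAG.sub("", cmd.strip())
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "high: unrestricted sudo"))
                continue
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if name in WRAPPER_BINARIES:
                findings.append((user, cmd, "high: runs arbitrary program as root"))
            elif path not in installed:
                findings.append((user, cmd, "info: binary not present, dead entry"))
    return findings


# Constructed sudoers fragment and installed-path set, not the box's real data.
SAMPLE_SUDOERS = """\
# constructed sudoers fragment for the audit example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
tony    ALL=(ALL) /usr/bin/pkexec, /usr/bin/time, /usr/bin/rlogin, /opt/legacy/backup.sh
"""
INSTALLED = {"/usr/bin/pkexec", "/usr/bin/time", "/usr/bin/rlogin", "/bin/bash"}

if __name__ == "__main__":
    for user, command, risk in audit_sudoers(SAMPLE_SUDOERS, INSTALLED):
        print(f"{user:8} {command:28} {risk}")
```

The fix on the defensive side is to remove wrapper binaries from the sudo allowlist entirely, or, where a wrapper is genuinely needed, pin its full argument list in the sudoers entry so that the program it runs is fixed rather than chosen by the caller.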