# Write-up

### <mark style="color:purple;">Objectives</mark>

In this machine, we need to retrieve two specific items: the **user flag** and the **root flag**.

***

### <mark style="color:purple;">Reconnaissance</mark>

We begin by running an **nmap** scan to discover open ports on the target machine:

```bash
sudo nmap -F <ip_victim>
```

The **-F** flag scans the top 100 most common ports.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfzz7NDNafynoWCZYb28WrxqYOX-n8Ij8ePxe5EMTQNu6CW2tPI1H-5MM0UcL42hGtcKEDx_ja2WcFTbWBpkl0flxnJyakHbvquO1IcGOgPpCs4_3ku3F_UKWI5AIIT3Qu7lz4Qzw?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="375"><figcaption></figcaption></figure>

The scan reveals two open ports:

* **22** (SSH)
* **80** (HTTP)

Since we currently lack SSH credentials, we explore port **80** by visiting:

```
http://<ip_victim>:80
```

We find the default Apache page, which confirms the web server is configured but exposes no other visible content. We proceed with **dirbuster** to identify potential directories.

***

### <mark style="color:purple;">Directory Enumeration</mark>

Dirbuster quickly reveals several directories, including **/content** and **/icons**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeebAmJIstAm2ubOkzV13Fo_V2lvcB33AN_uZevsMiS34C-KUpuySG-4fw1fjXVtt9vRSx91-C9WZ4BQxMuoTJwXBBN3eNQMqQAIvH0cbQcgkVofVmDEMHokB8x9dQKa6wrzNXvfA?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="375"><figcaption></figcaption></figure>

We inspect **/content**, which appears promising.

Inside, we find a welcome message for **SweetRice**, a website management system. The message mentions the site is under construction and can be opened by unchecking "Site close" in the admin panel.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdRrzr30LaE67KUw8KuL0kIaHzJb-vuYt9Jx7xjPOaGV90hUhwXrVvVcK0knnkHZOvU8jItU7-rfDU3-MGKBQN9SWAAiOrsQeG8o56kWdH8xfWrFjO3W6GsFV-JPiQIylKBigy6oQ?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="375"><figcaption></figcaption></figure>

Continuing with **/content/inc/**, we find three notable items:

* **htaccess.txt**: No significant information.
* **lastest.txt**: Indicates the version of SweetRice (1.5.1).
* **mysql\_backup/**: Contains a database backup.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcER5X7ZHcfUwBeagmqKbrf6kAWB3Td3FyiDefiSqGwFa5C6mu5jqrhhWQHeclOWwYR2EBmcOxWSQJWz0f6EsfQ5KUNaeTrr4ViVxbyylS91a4oHJBEiXcEmTsA0sCSUlytLlPRag?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="375"><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Exploitation</mark>

We download the database file from **mysql\_backup/** and examine its contents.

The database includes several tables:

* **category**, **comment**, **item\_data**, **item\_plugin**, **links**, **options**

Further down, we discover what appears to be a username and a hashed password.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf4Wywd14hZJAtQIM9yVz4lTzKTfFC299BtZReZIja3s1VmaV4updhSbSVqwZHQc2lxJLQZg_uCbR8kTqASRJklRsEUHvyfm6sn8Uj9Z5VDxQnZzL5lTebqvLDPKXnBTM3baRqkjw?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="563"><figcaption></figcaption></figure>

To identify the plain text password, we use [**crackstation.net**](https://crackstation.net).

The hash is **MD5** and corresponds to the plaintext **Password123**. This gives us potential credentials:

```
Username: manager
Password: Password123
```

***

### <mark style="color:purple;">Admin Panel Access</mark>

We continue with **dirbuster**, which reveals **/content/as/**, the admin login page. We attempt to log in using the discovered credentials.

The login is successful! We confirm the CMS version is **1.5.1**.

<figure><img src="https://657071395-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6TULCIQYFngHxc4snxrs%2Fuploads%2FakJGLKitLiuH00cX1Qcn%2Fimage.png?alt=media&#x26;token=672a8477-03a2-41e1-9b60-0a6929c89b3a" alt="" width="331"><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Vulnerability Exploitation</mark>

We search for vulnerabilities on [**exploit-db.com**](https://exploit-db.com) for SweetRice **1.5.1** and find five verified exploits. We choose the **CSRF / PHP Code Execution** exploit.

The exploit suggests modifying the **Ads** section of the admin panel. We adjust the **action** value in the exploit script to point to:

```
/content/as/
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeZP8UwE0kqeQGtoZGPZweee0a-S07Frbrmb7828tJFQxNqSt2ckY6trlwLBiPJwb-ebOrA_v2MREg3xDSqzQTkbBQA4LDY3AKxuHcxUR492xHHhohhFTwVTaI5dqz4RYvK1cDlZA?key=VvcS6hkqkqZTxLZukJQWNuQU" alt=""><figcaption></figcaption></figure>

We save the script and execute it by accessing **/content/inc/ads/**.

A brief message reading 'Hacked' appears for two seconds, followed by a new ad titled 'hacked', confirming the exploit worked.

***

### <mark style="color:purple;">Reverse Shell</mark>

We replace the exploit script with a reverse shell payload, using the [**pentestmonkey**](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) PHP reverse shell.

Before saving, we modify two variables:

* **$ip**: Our IP address (found using **ifconfig** under **tun0**).
* **$port**: The port for the connection (**4444**).

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcfOTyfkfROAFL2K-cI_X3hFmHdxyTADs-hnmGnCZY1HXw5dL2JTf_E0DZH04gm39S1b-XJXZ5qM4x2efgjP3V7gMVuyX7q5d60EfiGGfFLCi-qzvqRd2p4Y88-A2xznqfsXV41jw?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="563"><figcaption></figcaption></figure>

We start a listener on our local machine:

```bash
nc -lnvp 4444
```

* **nc**: Netcat, the tool used to listen on a port.
* **-l**: Listen mode.
* **-n**: Numeric-only IP addresses (no DNS resolution).
* **-v**: Verbose output.
* **-p**: Specify the local port to listen on.

Upon executing the modified script, the page keeps loading, and our listener confirms we have shell access.

Running **whoami** reveals we are **www-data**. We retrieve **user.txt** from the home directory.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfOMD3Dz6S07bDocJ3YcXEvxJ4QaMNuFb9JbcfU_Lr0pdtCbE-UtAXc7AEAcLFe0kudffGf54MXOPlqG7x69J1oqVGMPaFLSI1fi73ptEa_i-LG_puf4MwI_rfLzUrNdpYk2o6ZtQ?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXffO9wCYshw2xCMeFDI0HwrWIRvSf6WInO1jWaJ5wdgXMGYti1g9wa92d-pDNwrvt_uIiNTbrbEyRdC14BckNlmo4jYN3Q3SfnZI8bf_g703p0Qdrx-hEz1fClas_0Z-6Hv6DM63Q?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="375"><figcaption></figcaption></figure>

***

### <mark style="color:purple;">Privilege Escalation</mark>

To escalate privileges, we check what we can execute with sudo:

```bash
sudo -l
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc45ajn5qhht5oKree3OXyTYJz2tPvp4gyDgIEyN2GUMf4iQsC1U-jseNQaAZEGVddFUZv9wiwfedWFUYWJle56ZTxhEQOTE3AcTRaJD720a-Pn59NsqQiAF6Nlzug8zgbjx3aC?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="563"><figcaption></figcaption></figure>

We find we can run the following as root without a password:

```bash
/usr/bin/perl /home/itguy/backup.pl
```

We inspect **backup.pl**:

```bash
cat /home/itguy/backup.pl
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdM3hwXTAfnW9e1fVKiTRqkfzNoXAwWA6Y0vWqLVD1fkwz2Sbj-qTiOQeYOI39wH7faNOomCICm4lLEHeOcRl6YdEXCViVQ1u6hKb6WISWknycYszwk_4brNrEenpLb3zcgQLNyVw?key=VvcS6hkqkqZTxLZukJQWNuQU" alt=""><figcaption></figcaption></figure>

The script executes **/etc/copy.sh**. Inspecting **copy.sh** shows a shell command that connects to **192.168.0.190:5554**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd7bMwydrEhr7TeWHAkIdwKCmPrkZzFcQKGdZBE_UY4qcYgWXpuG5rOKd41bfDkh7W2UNpgSYXSZnJCokaCx_6sFkJniqDAGYsuFbXb16xyIWPmfDN5DzHTARwrVzrG1XMJmzS9?key=VvcS6hkqkqZTxLZukJQWNuQU" alt=""><figcaption></figcaption></figure>

Because **copy.sh** is writable by our user and is executed by a script we can run as root, we overwrite it with a command that launches a bash shell:

```bash
echo "/bin/bash" > /etc/copy.sh
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdn83HeD6Ebu3WCXKpJNLHsFPyt255Humqr3Sxrpv1YbbigHfwHNXAHP1i97yoTFWmOM5YzEy7LotGBlan19AFbRIPOOp6vWcCFk1Dxkf2ZxRiMEjbuJkzd5RPSTIVt0wmnbRiF3A?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="563"><figcaption></figcaption></figure>

We run the script via sudo:

```bash
sudo /usr/bin/perl /home/itguy/backup.pl
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfWE3L6x43jMtsLJOtX2zjhY-qTHR_Xd1dzXtH3ZzL_7GW3rmsTYgzyKwp5H-m3qFqevZZRBxpSbdzT9IyyaC6u4xZ6ZGEm5RIWmT9Kk61KtwCpyao89-EGMonSxlazFJkjlcXjqQ?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="563"><figcaption></figcaption></figure>

Running **whoami** now confirms we are **root**. We locate **root.txt** and read its contents.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc1ct1Sd7XSnV-mGtyCgzg8y5c0SGkGaFpZbFG3Omgwyw1kB4PoZTTFZjrTkbsCnXi6Twj2yEbbuxsPNlPvXe0Zrd0lwkROByvtlkREO83EBv2MTD2EpTrdjtqLAad7gvCxTOf9DQ?key=VvcS6hkqkqZTxLZukJQWNuQU" alt="" width="375"><figcaption></figcaption></figure>
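As an added defensive check (not part of the original write-up), the shell function below audits a sudo target the same way the escalation above abuses it: it extracts every absolute path referenced by the script and flags any file that is group- or world-writable, which is what made **/etc/copy.sh** a weak link. It assumes POSIX `find` and `grep`; the function name `audit_sudo_script` and the path regex are my own.

```bash
#!/usr/bin/env bash
# Added defensive check, not part of the original write-up.
# Given a script that a sudoers rule lets a low-privilege user run as root
# (here /home/itguy/backup.pl), list every absolute path the script mentions
# and flag the ones that are group- or world-writable. A hit on something like
# /etc/copy.sh is exactly the weak link the privilege escalation relies on.
#
# Assumes POSIX find/grep; the path regex is a simple heuristic that is good
# enough for small wrapper scripts such as backup.pl.

# Prints "WRITABLE <path>" for each offending file (the sudo target itself is
# checked too) and returns 1 if anything was flagged, 0 otherwise.
audit_sudo_script() {
    script=$1
    hits=0
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 2; }
    for path in "$script" $(grep -oE '(/[A-Za-z0-9._-]+)+' "$script" | sort -u); do
        [ -f "$path" ] || continue          # skip paths that do not exist here
        # -perm -020 = group write bit set, -perm -002 = other write bit set
        if [ -n "$(find "$path" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "WRITABLE $path"
            hits=1
        fi
    done
    return "$hits"
}

# Usage: run it against each NOPASSWD target that "sudo -l" reports, e.g.
#   audit_sudo_script /home/itguy/backup.pl
```

On the machine from this write-up the expected output is `WRITABLE /etc/copy.sh`; the fix is to make the helper script root-owned and mode 0755, or to drop the sudo rule entirely.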
