Write-up
Step-by-step guide on the approach taken to pwn the machine.
Objectives
In this machine, we need to retrieve two specific items: user flag and root flag.
Reconnaissance
We begin by running an nmap scan to discover open ports on the target machine:
sudo nmap -F <ip_victim>
The -F flag scans the top 100 most common ports.
The scan reveals two open ports:
22 (SSH)
80 (HTTP)
Since we currently lack SSH credentials, we explore port 80 by visiting:
http://<ip_victim>:80
We find the default Apache template indicating successful configuration but no other visible content. We proceed with dirbuster to identify potential directories.
Directory Enumeration
Dirbuster quickly reveals several directories, including /content and /icons.
We inspect /content, which appears promising.
Inside, we find a welcome message for SweetRice, a website management system. The message mentions the site is under construction and can be opened by unchecking "Site close" in the admin panel.
Continuing with /content/inc/, we find three notable items:
htaccess.txt: No significant information.
lastest.txt: Indicates the version of SweetRice (1.5.1).
mysql_backup/: Contains a database backup.
Exploitation
We download the database file from mysql_backup/ and examine its contents.
The database includes several tables:
category, comment, item_data, item_plugin, links, options
Further down, we discover what appears to be a username and a hashed password.
To recover the plaintext password, we look the hash up on crackstation.net.
The hash is MD5 and resolves to Password123, giving us potential credentials:
Username: manager
Password: Password123
Admin Panel Access
We continue with dirbuster, which reveals /content/as/, the admin login page. We attempt to log in using the discovered credentials.
The login is successful! We confirm the CMS version is 1.5.1.

Vulnerability Exploitation
We search for vulnerabilities on exploit-db.com for SweetRice 1.5.1 and find five verified exploits. We choose the CSRF / PHP Code Execution exploit.
The exploit suggests modifying the Ads section of the admin panel. We adjust the action value in the exploit script to point to:
/content/as/
We save the script and execute it by accessing /content/inc/ads/.
A brief message reading 'Hacked' appears for two seconds, followed by a new ad titled 'hacked', confirming the exploit worked.
Reverse Shell
We replace the exploit script with a reverse shell payload, using the pentestmonkey PHP reverse shell.
Before saving, we modify two variables:
$ip: Our IP address (found using ifconfig under tun0).
$port: The port for the connection (4444).
We start a listener on our local machine:
nc -lnvp 4444
nc: Netcat, the tool to listen on a port.
-l: Listen mode.
-n: Do not resolve hostnames (numeric IP addresses only).
-v: Verbose output.
-p: Specify the port.
Upon executing the modified script, the page keeps loading, and our listener confirms we have shell access.
Running whoami reveals we are www-data. We retrieve user.txt from the home directory.
Privilege Escalation
To escalate privileges, we check what we can execute with sudo:
sudo -l
We find we can run the following as root without a password:
/usr/bin/perl /home/itguy/backup.pl
We inspect backup.pl:
cat /home/itguy/backup.pl
The script executes /etc/copy.sh. Inspecting copy.sh shows a shell connecting to 192.168.0.190:5554.
Since copy.sh is writable by our current user, we gain root by overwriting it with a command that spawns a bash shell:
echo "/bin/bash" > /etc/copy.sh
We run the script as sudo:
sudo /usr/bin/perl /home/itguy/backup.pl
Running whoami now confirms we are root. We locate root.txt and read its contents.
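The escalation works because a sudo rule lets www-data run backup.pl as root while backup.pl hands control to a helper script that a low-privileged user can modify. As an added audit check (not part of the original write-up or the machine), the following shell function flags exactly that misconfiguration; it assumes the audited script references its helpers by absolute path, as backup.pl does with /etc/copy.sh, and does not resolve relative invocations.

```shell
#!/bin/sh
# Audit helper added to this write-up (not from the original page): for a script
# that a sudoers rule allows to run as root, check the script itself and every
# absolute path it references, and report any that group or others can write.
# Assumption: helpers are called by absolute path (e.g. system("/etc/copy.sh")).

# Print "WRITABLE <path> (<mode>)" when a regular file is group- or
# world-writable. Returns 0 if flagged, 1 otherwise.
flag_if_writable() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rwxrwxrwx
    gw=$(printf '%s' "$mode" | cut -c6)      # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)      # other write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE $f ($mode)"
        return 0
    fi
    return 1
}

# Audit a sudo-permitted script: returns 0 when nothing is loosely writable,
# 1 when at least one referenced file (or the script itself) is, 2 on error.
audit_sudo_script() {
    script="$1"
    found=0
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    # The sudo target must not be modifiable either.
    flag_if_writable "$script" && found=1
    # Pull every absolute path token out of the script text and check it.
    for f in $(grep -o '/[A-Za-z0-9_./-]*' "$script" | sort -u); do
        flag_if_writable "$f" && found=1
    done
    return "$found"
}
```

Run it as audit_sudo_script /home/itguy/backup.pl; on this box it reports /etc/copy.sh, and fixing the escalation means chmod 755 on that file (or not granting the sudo rule at all).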