Enumeration

Nmap

The initial nmap scan revealed that HTTP, SSH, FTP and uncommon web ports were open.

00 - nmap

Web Enumeration

Port 8715 was asking for credentials. Ports 8088 and 80 showed a simple katana picture.

01 - web

01 - web 2

I applied directory brute forcing to the standard HTTP port and found the ebook endpoint.

02 - ebook

The endpoint was vulnerable to SQL injection, but I could not get any information other than the credentials admin:admin.

03 - ebook sqli

Then searching for the ebook version revealed that it was vulnerable to malicious file upload through admin_edit.php and admin_add.php, but when I tried those endpoints they returned 404 Not Found.

So I applied directory brute forcing to port 8088 and found some valid endpoints.

04 - 8088 brute

Exploitation

The upload.php and upload.html endpoints seemed suspicious. The upload.html endpoint was uploading 1 or 2 files to another web server.

05 - upload html

So I created a reverse shell file in PHP and uploaded it. The site showed that the file was moved to the manager site.

06 - uplaod rev

So I thought maybe it was on port 8715, where the credentials were asked for. I tried the credentials I had found, admin:admin, and they worked. I got the reverse shell.

07 - admin admin rev php

08 - local

Privilege Escalation

I ran linpeas.sh, transferred it through the same manager web server, which www-data had write access to, and analyzed it. It revealed that python2.7 had setuid capabilities.

09 - linpeas

So I could simply create a Python file or, more simply, use the '-c' flag to run Python directly and get root.

10 - got the root
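
The misconfiguration behind this step, an interpreter (python2.7) carrying the setuid capability, can be caught by auditing file capabilities. The script below is an added example, not part of the original write-up; the function name, the capability and interpreter lists, and the sample getcap lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag risky file capabilities.

# Capabilities that allow changing UID/GID or bypassing file permission checks.
# The list is this example's choice and is not exhaustive.
RISKY_CAPS='cap_setuid|cap_setgid|cap_sys_admin|cap_dac_override|cap_dac_read_search'
# Binaries that execute arbitrary user-supplied code; also this example's choice.
INTERPRETERS='python|perl|ruby|php|node|lua|bash|sh'

# Constructed sample of `getcap -r /` output, in both formats libcap has used.
SAMPLE_GETCAP='/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw+ep
/opt/backup tool/tar cap_dac_read_search=ep
/usr/bin/perl cap_setuid+i'

# Reads getcap output on stdin and prints "SEVERITY<TAB>path<TAB>caps".
# Accepts "path = caps+ep" (older libcap) and "path caps=ep" (newer libcap).
flag_risky_caps() {
    awk -v risky="$RISKY_CAPS" -v interp="$INTERPRETERS" '
    NF >= 2 {
        caps = $NF
        path = $0
        sub(/[ \t]+(=[ \t]+)?[^ \t]+$/, "", path)   # strip the capability field
        # Skip unless a risky capability is in the effective or permitted set;
        # inheritable-only entries (+i) grant nothing by themselves.
        if (caps !~ ("(" risky ")(,[a-z_0-9]+)*[+=][eip]*[ep]")) next
        base = path
        sub(/.*\//, "", base)                       # file name without directory
        # An interpreter with such a capability hands it to any script it runs.
        sev = (base ~ ("^(" interp ")[0-9.]*$")) ? "HIGH" : "REVIEW"
        printf "%s\t%s\t%s\n", sev, path, caps
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GETCAP" | flag_risky_caps
```

On a live host, feed it `getcap -r / 2>/dev/null` instead of the sample; a capability that is not needed can be removed with `setcap -r <path>`.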

