Final box of the series. We have a good toolbox now, time to pull it all together and see what we can do with this box. I’ll start off with this:
sudo masscan $IP -p 0–65535 -e tun0 — rate 10000 — open-only -oL “Base.masscan”
nmap -sC -sV -p22,80 -oN Base.nmap $IP
~/kaliOptHome/feroxbuster/feroxbuster — url http://$IP
We set up our variable, got two ports from masscan, enumerated with nmap, and dove in to port 80 directory busting. We found a _uploaded and login page. Let’s pull out the big guns and let sqlmap have a crack at that login page: sqlmap http://$IP/login/login.php — data=”username=user,password=pass” — level=5 — risk=3. That was a bust, but an easy check. What about those old credentials? We can use BurpSuite and use a cluster bomb to try:
Well, worth a shot. Reused creds seemed to be a theme of these boxes, so nothing there. When we saw the login page, we jumped straight to sqlmap for login attempts we didn’t really enumerate what we found. By doing a curl $IP/login/ we can see that there are a few files available. We can download two files: login.php and login.php.swp. Doing a curl on both files downloads them. Knowing what a swp file is, I attempt to run the command:
Well, it says we can’t use it but we got other options. Let’s just check for strings. When I do, it seems to be in reverse order. Let’s try that again but reverse the order!
And look at that, we got the php code that is on the server. Perfect, but what does this do for us? We know it will go to upload.php when we are validated, but we still have to make it through with a username/password. Knowing php, it seems they used a “double =” instead of a “triple =” for the comparison, so we can do some type juggling. If we make the variables arrays, it will be null which equals 0. Let’s do it on the command-line so we can see it work: curl -X POST $IP/login/login.php -d “username=user&password=pass” -c cookie.jar which calls the login page and stores any cookies in my cookie.jar. Now that I’m authenticated, I can use that same cookie jar to navigate to the next webpage.
And now we can get to the upload.php page. Hurray. Now we just need a php reverse shell to upload and we can get a shell back. You can use one of the ones in the /usr/share/webshells directory or use msfvenom to create one. Doesn’t matter how you do it, just get on in there!
So we made it on the box and we got our shell upgraded. Best we got using php, so let’s see. Back when we listed files, there was a config.php that was on the file server, but it didn’t download anything. Looking at it on the server, it has a password in it. Well, password reuse right? Let’s try to switch users with su john and winner again. We laterally moved from www-data to john. Can we keep going? Let’s try sudo -l and look, we can run the find command as sudo. I’ve seen this before, but if you haven’t a quick jump to gtfobins and you’ll get root just like I did. In the words of Ron Burgundy, “That escalated quickly!”
The end of this box was a bit anti-climatic, but getting to user was a new-one. Reading source code and understanding code flow is another good tool needed to do penetration testing. So that wraps up starting point. Look back over your notes, check your toolbox, and I think we are ready for some HTB boxes on your own!