🟑magic

Recon & Enum

port scan

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

directory scan

/assets (Status: 301) [Size: 313]
/images (Status: 301) [Size: 313]
/index.php (Status: 200) [Size: 5069]
/index.php (Status: 200) [Size: 5067]
/login.php (Status: 200) [Size: 4221]
/logout.php (Status: 302) [Size: 0]
/upload.php (Status: 302) [Size: 2957]

website

There are a bunch of images on the web page, and there is also login functionality in the bottom left corner of the page.

http://10.10.10.185/login.php

This can be bypassed with an SQL authentication bypass attack. After logging in we are redirected to /upload.php, which has a file upload vulnerability.

http://10.10.10.185/upload.php

Visiting this page directly redirects us to /login.php. When the response is intercepted in Burp, though, checking the page content and page size shows that the same page is being served. To bypass the redirect, use a Burp match-and-replace rule that changes "302 Found" to "200 OK".

shell as www-data

file upload exploitation

There are two methods to exploit this vulnerability:
1. Use exiftool to inject the reverse shell into the image being uploaded.
2. Inject the payload in the middle of the image file's content.
I used the second and got the shell.
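A defender-side check for the two methods above, added here as an example and not part of the original write-up: it assumes the upload form only accepts JPEG/PNG, and it flags any file whose bytes contain a PHP open tag (which covers both a tag planted in EXIF metadata and one spliced into the image body) or whose leading bytes do not match its extension. The sample files are constructed.

```python
import re
from typing import List

# Magic bytes for the image types the upload form is assumed to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# PHP open tags. A tag anywhere inside an "image" is executable content if the
# web server ever hands the file to the PHP interpreter, wherever it sits
# (EXIF comment, IDAT chunk, trailing bytes).
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the upload looks clean."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in MAGIC:
        findings.append(f"extension '{ext}' not in allow-list")
    elif not data.startswith(MAGIC[ext]):
        # A valid extension with foreign leading bytes means the client lied
        # about the content type.
        findings.append("magic bytes do not match extension")
    m = PHP_TAG.search(data)
    if m:
        findings.append(f"PHP open tag at offset {m.start()}")
    return findings


# Constructed samples (not real uploads from the machine).
CLEAN_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
# Tag spliced into the image body (method 2 above): offset 16.
TAINTED_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"<?php echo 1; ?>"
# Tag inside an EXIF/APP1 segment (method 1 above): offset 12.
EXIF_JPEG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"<?=1?>"


def scan_samples() -> dict:
    """Run the check over every sample and return filename -> findings."""
    samples = {"cat.png": CLEAN_PNG, "cat2.png": TAINTED_PNG, "pic.jpg": EXIF_JPEG}
    return {name: check_upload(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```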

privesc www-data => theseus

After getting the shell, I found one more file inside the /var/www/magic directory:

db.php5

This is a MySQL config file. Reading it gives us the MySQL credentials of the user theseus. Unfortunately the mysql client is not present on the machine, but mysqldump is, so we can use that.

After the dump, we got the result. Inside it I found one entry that I thought was interesting.

I used the su command with the credentials username = theseus & password = Th3s3usW4sK1ng and got the shell.

privesc theseus => root

linpeas.sh

Found an unknown binary, /bin/sysinfo, which is also executable as root.
