🟢previse

Recon & Enum

port scan

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

directory scan

Nothing new finding , what is discoverable in this , is already accessiable by web page

website

when i entered the ip "10.10.11.104" ir redirects me to "10.10.11.104/login.php" , so their is login page i use EAR vulnerability to bypass the login page

http://10.10.11.104/logs.php

we got functionality to download logs with specified delimeter :- comma , space , tab

shell as www-data

I captured the request in burp , and in delimeter parameter i tried command injection and it worked , then i injected the rev shell and i het the call back on my listner

privesc www-data => m4lwhere => root

www-data -> m4lwhere

on http://10.10.11.104/acounts.php their is functionality to download the site abckup file , i downloaded it and after unzip i got bunch of files

cat config.php
xtx
<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>

lets connect to mysql , and i get the hash for user "m4lwhere"

mysql -e 'select * from accounts' -u root  previse -p
Enter password:
+----+----------+------------------------------------+---------------------+
| id | username | password                           | created_at          |
+----+----------+------------------------------------+---------------------+
|  1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36   |
|  2 | vaibhav  | $1$🧂llol$6EeWgoBQj2zKVIVN.TdRU. | 2023-05-10 15:39:00   |
+----+----------+------------------------------------+---------------------+

after cracking it i got the password ilovecody112235! , su / ssh ....and got the shell as m4lwhere

m4lwhere -> root

i did sudo -l and find a file

cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

the problem is not in script , the thing is that the "gzip" binary with root priviledges , so i can simply inject my current path in path variable and make a fake binary with the name gzip and inject my rev_ shell in it and after that just execute gzip ... and got the call back on my nc listner

privesc www-data => root

linpeas.sh

linpeas found that the application is vulnerable to cve-2021-4034 , so i googled it

GitHub - berdav/CVE-2021-4034: CVE-2021-4034 1dayGitHub

run this , and get the shell as root

Previouspoison Nextirked

Last updated 2 years ago

hashtagRecon & Enum

hashtagport scan

hashtagdirectory scan

hashtagwebsite

hashtaghttp://10.10.11.104 -> redirects -> http://10.10.11.104/login.php

hashtaghttp://10.10.11.104/logs.php

hashtagshell as www-data

hashtagprivesc www-data => m4lwhere => root

hashtagwww-data -> m4lwhere

hashtagm4lwhere -> root

hashtagprivesc www-data => root

hashtaglinpeas.sh