Major port 22 ad 80, means 22 for SSH 80 for web application to find a foothold.
On web page we don’t find a lot again, so let’s burp it and see what’s going on.
From the dirbuster result we come across alot of webpages some of them were giving 200 but no actual useful data.
Upon clicking nav we get Accounts page which upon intercepting we see we’re getting 302, just a little trick here , modifying 302 to 200 gives me a page to create any user.
from here i can create any user and then login using those credentials.
Now from the dirbuster we found another url: files.php which gave me a download.php?file=32 url, well without actual login account we were not able to get to this url, it was continuouly asking me to login.
Well after creating a user as shown above then again tried to access that download.php?file=32 url and bingo, there’s some zip file.
Let’s unzip and see what does it contain.
Well i don’t find anything useful here.
Well, may be i was wrong, config.php had some juice in it.
Well now we have username and password for the MYSQL Database.
Okay well, reading all the files seriously now and I can see logs.php is using unsanitized user input to execute OS command may be we can use that to perform command injection.
Okay let’s get a python reverse shell payload.
we got the www-data user
well it’s low level user and we can’t even see the user.txt from here, so we need to do privilege escalation here.
mysql -u root -D previse -p
enter password: mySQL_p@ssw0rd!:)
password cracked: ilovecody112235!
Now after SSH performing sudo -l
And reading that file you will get to know this script is running gzip.
So we can perform path injection.
Now we can manipulate gzip to perform any task.
now go to /tmp and copy your shell to the gzip as below.
Then Chmod 777 gzip to change the permission and then,
export PATH=/tmp:$PATH to set the path variable.
Now, Running the access_backup.sh file and well in a different tab set up your netcat listener.
Browse through the root.txt file and capture the flag.
Sayonara for tonight.