{THM} Jeff
Last updated
The Pwntilldawn event brought me to this box. Why? Because I didn't manage to enumerate subdomains at the Pwntilldawn event. Sucks. This box's category was hard, not insane. Let's go!! Enjoy the reading and don't forget to drink water.
As usual, we start with an nmap scan and directory bruteforce. Since I had problems with gobuster (sad), I chose dirsearch for fast scanning and dirbuster for deep enumeration.
Just the normal ports. Let's proceed to the website on port 80.
Nothing appears on the landing page. Once we check the source code, yeah, we need to put the hostname into our hosts file.
Checking our directories, we found a possible RCE where file uploads can be done, and also backups.
On the /uploads directory, I tried to upload a simple .php file; unfortunately, it was just a dead end. Rabbit hole!
Looking into backups, this must be something, so I check it with dirbuster.
We found a .zip file here. Let's download it and see what is inside.
It requires a password to extract this file. Let's use papa john here. HEHE
After waiting for a while we manage to get the password. Use that password to extract the locked file.
We got something here. Inside wpadmin there is a credential. WP means WordPress. But we don't find any directory referring to WordPress. Time to fuzz.
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://jeff.thm" -H "Host: FUZZ.jeff.thm"
After a while, we manage to get a subdomain for this site. Let's put it into our hosts file.
A WordPress blog site. Let's enumerate this site again.
From here, we got a hint about which user the author is. You know what I mean?
Proof that the user is correct. Since we have the credential from the downloaded file, let's put them together.
We manage to get in as jeff. Let's play around with WordPress. To enumerate more you can use wpscan (I skip this part).
I always check the plugins and themes, since these two are common places to put a reverse shell.
Add a new plugin, but be mindful: the WordPress site is quite slow and heavy. Drink some coffee while waiting for it to respond.
Put our reverse plugin here. It must be a .zip file. I have my own reverse plugin; you can refer to this site.
Wait, what? This means the site is out of memory, I think. Hmm. Let's go and exploit the theme instead.
It appears to have 2 unused themes, which are seventeen and nineteen. We can put a .php reverse shell in one of these themes.
We need to switch to an old theme, which is 17 or 19.
Throw our reverse shell here, and update the file.
It will show like this. Now set up our listener and visit this page.
We manage to get our shell.
As usual, once we manage to get access as www-data, always stabilise the shell. Let's play around and find something interesting.
What!! Nothing here. Since we cannot find anything, let's start with the last directory we accessed.
Finally we found something here. Checking into ftp_backup.php.
Based on my understanding of this snippet, this file will do a backup of the database. Unfortunately, it is not finished and the ftp port is not open. Since I managed to get credentials, let's find a method that can be used to get back in and access the user.
Since I remember we are in docker, that means I need to bypass the container and do wildcard injection. I found this script after doing some research, or you can use wildcard injection.
And upload this script onto the victim machine. Change the permission and run it again. Don't forget the listener :D
In our listener, we manage to gain access as backupmgr. Let's proceed with my 3 favourite things here. Or you can upload linpeas.
Since we know another user is jeff, let's find any possible thing to enumerate jeff.
We found a possible way to escalate to user jeff. Let's read this file.
From this systool, it showed an interesting part where it reads the message.txt file once we ask to change the password (option 2). Since we know the exact location, let's change it to give the exact password instead of the normal instruction.
ln -sf /var/backups/jeff.bak message.txt
Run the tool again and we manage to get the credentials for jeff.
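The symlink trick works because the tool opens message.txt by name and follows wherever that name points. As an added example (not from the writeup or the box itself), here is how a privileged tool would refuse that: open with O_NOFOLLOW and only accept a regular file with the expected owner. The temp directory, file names and contents are constructed stand-ins for /var/backups/jeff.bak and message.txt.

```python
import os
import stat
import tempfile


def safe_read_message(path, expected_uid=None):
    """Read a message file without following symlinks.

    Returns the contents, or None if the path is a symlink, is not a
    regular file, or (when expected_uid is given) has another owner.
    """
    try:
        # O_NOFOLLOW makes open() fail (ELOOP) instead of following a symlink.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return None
    try:
        st = os.fstat(fd)  # inspect the opened file, not the name again
        if not stat.S_ISREG(st.st_mode):
            return None
        if expected_uid is not None and st.st_uid != expected_uid:
            return None
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks).decode()
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a legitimate message.txt beside a symlink that
    points at a file the tool was never meant to expose."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "jeff.bak")  # stand-in for /var/backups/jeff.bak
    with open(secret, "w") as fh:
        fh.write("constructed-secret\n")
    legit = os.path.join(d, "message.txt")
    with open(legit, "w") as fh:
        fh.write("Password changed.\n")
    linked = os.path.join(d, "linked_message.txt")
    os.symlink(secret, linked)  # same trick as ln -sf in the writeup
    return {
        "legit": safe_read_message(legit, os.getuid()),
        "symlink": safe_read_message(linked, os.getuid()),
        "naive": open(linked).read(),  # plain open() follows the link
    }
```

Run demo(): the hardened reader returns the real message for message.txt and None for the symlink, while the naive open() hands back the backup's contents.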
Here we manage to get the user flag. Before that, we need to change it into an md5sum.
We got a restricted shell. To bypass it, at the login page we need to put "bash --noprofile".
It will give a default bash that is not restricted. Let's stabilise the shell and look for privileges.
So many steps already, but we are still at user. HMM. Let's see what jeff can do.
Crontab can be accessed. Looking into GTFOBins, we can bypass it via crontab using
sudo crontab -e
:!/bin/bash
bash -p
And we got root.
Sorry, I cannot prove it and provide pictures since the machine already timed out and I got an error starting the machine again. Will update soon.