WWRDPLDN

This shall be a record of my escapades into the world of ones and zeros.

Billu:b0x

wwrdpldnadmin | 30 June, 2017 19:28

This virtual machine is using Ubuntu (32 bit)

Other packages used: -

  • PHP
  • Apache
  • MySQL

This virtual machine is having medium difficulty level with tricks.

One needs to break into the VM using the web application and from there escalate privileges to gain root access


For any query ping me at https://twitter.com/IndiShell1046

Enjoy the machine

First I want to say that this one was way easier than it was supposed to be, I think. I had this one done in about an hour. I don't think it was meant to be so easy since it is listed as medium.

I loaded the vm into player and ran netdiscover to find its IP, which turned out to be 192.168.241.133.

The more I do these, the more I tend to run a couple scans back to back, nmap, nikto and dirbuster. I haven't found one that doesn't use port 80 so I've stopped waiting for the nmap scan to complete before doing the other two. It tends to make things go faster. I often go back and run additional scans based on the information that comes back but it has made me a little more efficient.

Nmap shows only 22 and 80 open.

I ran Dirbuster with a combination of wordlists and found multiple interesting files and folders.

I found folders named images, upload_images and phpmy.

I found files named add.php, c.php, in.php, show.php and test.php.

I spent most of the time trying to figure out how to use add.php to upload a shell without any success. Then I turned my attention to test.php. Upon loading the page I received an interesting message: "'file' parameter is empty. Please provide file path in the 'file' parameter."

ok,...could it be that easy?

curl 192.168.241.133/test.php -d file=/etc/passwd

umm,...yes, yes it can be.

So let's start looking at files. I poked at all the files I found, c.php being the most interesting to me.

curl 192.168.241.133/test.php -d file=/var/www/c.php

OOOH creds,...where do they go,...

They don't work in the login prompt on the home page. I checked out the /phpmy directory earlier and found phpMyAdmin, let's try that.

Well,..there it is.

I was just about to go digging into this to try to upload my favorite php script using the query builder but I decided to try to grab the php config file first.

curl 192.168.241.133/test.php -d file=/var/www/phpmy/config.inc.php

wait,...really?

ssh root@192.168.241.133

Umm,...I don't think it was meant to be that simple.
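
The `file` parameter on test.php handed back any path the web server could read, which is how /etc/passwd, c.php and config.inc.php came out above. As an added example (not part of the original post and not the VM's own code, since the source of test.php is not shown here), this PHP function confines such a parameter to one directory. The function name `resolve_download`, the base directory and the image-only extension list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical replacement logic for a file-serving handler like test.php.
// It resolves the requested name inside one base directory and refuses everything else.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false if nothing exists there.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still sit underneath the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Assumed policy: only image types are served, so PHP source and config files
    // stay unreadable even when they live inside the base directory.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;
    }
    return $real;
}

// Constructed demo data: a throwaway directory standing in for the download folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/cat.png', 'constructed image bytes');
file_put_contents($dir . '/c.php', 'constructed stand-in for a credentials file');

// Requests modelled on the ones in the post, plus one legitimate request.
foreach (['cat.png', '/etc/passwd', '../../etc/passwd', 'c.php', ''] as $req) {
    $path = resolve_download($dir, $req);
    printf("%-22s => %s\n", var_export($req, true), $path === null ? 'rejected' : 'served');
}

// Clean up the constructed files.
unlink($dir . '/cat.png');
unlink($dir . '/c.php');
rmdir($dir);
```

Only `cat.png` is served. Absolute paths and `../` sequences fail the base-directory check, and `c.php` fails the extension check.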

 

 