[OSCP Practice Series 32] Proving Grounds — Marketing
Machine Type: Windows
Initial
Nmap discovered that port 22 and port 80 are open. I added the ‘marketing.pg’ domain to the /etc/hosts file, and now, let’s proceed.
Port 80 seems like a static landing page.
There’s directory listing.
I decided to run Dirbuster for a while. Dirbuster discovered common files and directories like assets, vendor, etc. But there’s this one directory I’ve never seen before, which is ‘/old.’
When I visit it, it is the same as the page before.
After checking for a while, it turns out there’s a clue for us in the source file.
We got a subdomain. I tried to brute-force the subdomain previously, but found nothing. Perhaps we can’t brute-force it because it has an uncommon name.
Let’s add it to our hosts file and continue.
Foothold
A LimeSurvey site. We have a potential user with the email admin@marketing.pg. There’s no navigation, but there is a /admin directory.
We know there’s potentially a user called ‘admin.’ Let’s try to guess the credentials. Okay, admin:password works!
We got the LimeSurvey version as well now.
Oh nice, there’s an exploit available https://github.com/Y1LD1R1M-1337/Limesurvey-RCE.
I followed the steps on the GitHub page, updated the php-rev.php file, uploaded and installed the plugin, activated it, and opened it. Surely, I got a shell.
There are two users, m.sander and t.miller.
Getting User
There’s MySQL running, which means that usually there’s a config file containing database credentials that we can access.
I googled the LimeSurvey config file location.
Indeed, it is under /application/config/config.php.
We got the database credentials.
'username' => 'limesurvey_user',
'password' => 'EzPwz2022_dev1$$23!!',
No new info on the database. Perhaps we can use the database password to escalate our privileges.
Indeed, we can get to t.miller using the database password.
Getting Second User
We can run /usr/bin/sync.sh as m.sander.
The script is just updating /home/m.sander/personal/notes.txt if there’s any difference. However, the thing is, it will display the difference as well. What if we created a random file and linked it to a file that only m.sander could read, then ran sync.sh? Then it will show the difference, right? And because of that, we can see the content.
The issue is we don’t know which important file only m.sander can read.
Yep, we don’t know.
After a while looking, I got a clue that we need to look at our groups.
We belong to the mlocate group.
find / -group mlocate 2>/dev/null | grep -v '^/proc\|^/run\|^/sys\|^/snap'
There’s mlocate.db. Lots of things inside it. I still cannot get a thing. I decided to get more clues; it turns out there’s a file name inside the mlocate.db file called creds-for-2022.txt, which is located inside /home/m.sander/personal.
Jeez, how are we even going to know that?
Okay, so I created a symlink to that file and ran sync.sh again in the hope of getting the difference.
ln -sf /home/m.sander/personal/creds-for-2022.txt fk_this_box
sudo -u m.sander /usr/bin/sync.sh fk_this_box
We got the difference and we got credentials.
m.sander: pa$$word@123$$4!!
m.sander: EzPwz2022_dev1$$23!!
m.sander: EzPwz2022_12345678#!
Use the credentials to SSH to m.sander’s account. The third one worked.
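The root cause of this step is a script run via sudo that trusts a caller-supplied path and echoes the diff. As an added example (not the box’s actual sync.sh, whose contents aren’t reproduced here), a hardened sync helper in POSIX sh that refuses symlinks and files the invoking user doesn’t own, and reports only that a change happened instead of printing the difference; safe_sync, the SUDO_USER handling and the paths are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical hardened helper, not the box's own sync.sh).
# safe_sync SRC DEST: copy SRC over DEST only when SRC passes the checks
# that the original script lacked. Returns 0 on success, 1 on refusal.
safe_sync() {
    src=$1
    dest=$2
    # Who asked? Under sudo the real caller is in SUDO_USER (assumption:
    # the script is invoked via sudo, as in the writeup).
    caller=${SUDO_USER:-$(id -un)}

    # 1. Refuse symlinks: a symlink is exactly how the privileged script
    #    was pointed at creds-for-2022.txt.
    if [ -L "$src" ]; then
        echo "refusing symlink: $src" >&2
        return 1
    fi
    # 2. Require a regular file (no directories, devices or FIFOs).
    if [ ! -f "$src" ]; then
        echo "not a regular file: $src" >&2
        return 1
    fi
    # 3. The caller must own the file, so the script cannot act as a
    #    read oracle for files only the target user can read.
    owner=$(stat -c %U "$src" 2>/dev/null || stat -f %Su "$src")
    if [ "$owner" != "$caller" ]; then
        echo "not owned by invoking user $caller: $src" >&2
        return 1
    fi
    # 4. Report only that something changed; never print the diff, since
    #    the diff output is what leaked the credentials.
    if ! cmp -s "$src" "$dest"; then
        cp -- "$src" "$dest" || return 1
        echo "updated $dest" >&2
    fi
    return 0
}
```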
Getting Root
local.txt: eca1ceedd69ffd9e28f1c27e2142321b
proof.txt: bdbf2746346fe7f3bee907e0c1cee966
Learned
- Enumerate EVERYTHING, look through everything, and every little possibility, even web source code.
- Look through unusual groups.