Hi all, hope you all are safe. In this walkthrough, I will walk you through how to get root on the CLOVER:1 machine. It is created by 0xJin & 0xBushido. You can download it from this link.
Let’s start with nmap.
Nmap to find open ports:
Service version detection using nmap:
Downloaded all files from FTP on the local machine.
Nothing so interesting in files downloaded using FTP its rabbit hole!!
Nmap scan shows robots.txt, with below entries, another rabbit hole.
I decided to run gobuster and found few new entries.
Visited /website in a browser, it opens below page.
Also tried common username and password combination in phpMyAdmin login page, but unable to login.Then I viewed the source code for /website in the browser and it gave me the hint.
The CMS ColdFusion is used to build the website.I searched for ColdFusion Login URL and found that it starts with “CFIDE” directory. I visited it in the browser and it gave me blow result.
I opened Administrator directory. I tried gobuster with “.cfm” extension, but unable to fetch additional results. Then I decide to use extensions like “.php,.html,.zip,.bak” etc. it gave me the below result.
Visited /login.php and asked for the username and password. Tried different common username and passwords, but failed to login.
Then I used simple SQLi payload to login, and I have successfully logged into the application.
But this does not give anything that I can use, so I decide to use SQLmap to exploit SQL injection further. I saved the login request in a file to use with sqlmap.
Used below command to retrieve current database.
sqlmap -r /tmp/clover_login_sqlmap — current-db — batch — risk=3 — level=5
To retrieve the table name in the clover database, used below command.
sqlmap -r /tmp/clover_login_sqlmap -D clover — tables — batch — risk=3 — level=5
Fetching column names:
sqlmap -r /tmp/clover_login_sqlmap -D clover -T users — columns — batch — risk=3 — level=5
Final step to dump data in table users.Now I have usernames and MD5 hashed passwords.
I tried to crack the hashes online and able to crack for user asta. Used cracked password to login as asta.
I used linPEAS.sh to automatically enumerate the box further, the section Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)” section it showed the passwd.sword file.
I decided to take a look at the file and it gives me partial password for user sword:
I need to create a password file with crunch to bruteforce the ssh for user sword.
Now I have a username and list of passwords, tried SSH brute-force using hydra to find the password for user sword.
hydra -l sword -P /tmp/clover/sword_pass ssh://192.168.9.94 -t 30 -V
Hydra successfully found the password for sword.
After login to sword using ssh, I usedfind command to see the suid binaries and found one.
When I execute the deamon.sh it gives the prompt and its LUA, gtfobins helped me to get root using below command.
os.execute("/bin/sh")
Thanks for reading. Hope you like it.
References:
