Hi all, in this walk-through I will solve the vulnhub machine infovore:1 created by @theart42 & @4nqr34z.
Let’s start with the open ports on the machine. The nmap scan shows only port 80 is open.
When I visited the IP in the browser, the page below opened.
To enumerate further, I used dirb, which gave the results below.
info.php shows PHP info.
The website has the title “include me”, which might be a hint for LFI. So I tried parameters like page, file etc., but none of them showed anything, so I decided to fuzz it. WFUZZ found the parameter “filename”.
I tried to include some other files like auth.log etc., but failed to include those. After searching on Google, I came across this article, which shows it is possible to gain RCE through phpinfo when file_uploads=on and there is an LFI. In our case both conditions are satisfied. You can find more info about this here.
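From the defender's side, the two conditions above leave a recognisable trace in the web server's access log: a `filename` parameter carrying traversal or absolute paths, a POST to info.php, and then an include of a `/tmp/php*` upload temp file from the same client. The following detection script is an added example written for this walk-through, not part of the original post or the box; the log lines are constructed and the field names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Apache combined-format access log lines (not taken from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?filename=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?filename=../../../../etc/passwd HTTP/1.1" 200 1450 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?filename=/var/log/auth.log HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /info.php HTTP/1.1" 200 98000 "-" "python-requests/2.25"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?filename=/tmp/phpABC123 HTTP/1.1" 200 0 "-" "python-requests/2.25"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

def classify(line):
    """Return detection tags for one access-log line (empty list means nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    tags = []
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)  # also decodes %2e%2e style encodings
    for value in params.get("filename", []):
        if ".." in value or value.startswith("/"):
            tags.append("lfi-traversal")            # path outside the intended include directory
        if value.startswith("/tmp/php"):
            tags.append("phpinfo-tmpfile-include")  # PHP upload temp-file name being included
    if m.group("method") == "POST" and parts.path.endswith("info.php"):
        tags.append("phpinfo-post")                 # multipart upload aimed at the phpinfo page
    return tags

def scan(log_text):
    """Collect the set of tags seen per client IP across the whole log."""
    per_ip = {}
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            per_ip.setdefault(LOG_RE.match(line).group("ip"), set()).update(tags)
    return {ip: sorted(tags) for ip, tags in per_ip.items()}

def phpinfo_race_suspects(log_text):
    """IPs that both POSTed to info.php and included a /tmp/php* file: the LFI + phpinfo chain."""
    return sorted(ip for ip, tags in scan(log_text).items()
                  if "phpinfo-post" in tags and "phpinfo-tmpfile-include" in tags)
```

The single traversal hits are worth alerting on by themselves; the combined POST-plus-temp-file pattern is the one that indicates the upload race rather than plain file reading.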
I downloaded the python script to exploit this issue and added php-reverse-shell as the payload to get a reverse shell. I made the following changes: the path of the filename and the parameter “index.php?filename=” in the GET request, and changed [tmp_name]=> to [tmp_name] =>. Then I started a netcat listener on port 5555 on my kali machine and ran the python script to get the reverse shell.
Reverse Shell from the box:
It looks like we are in a docker container. I downloaded linPEAS.sh onto the box and it showed .oldkeys.tgz in the / directory.
Copied the file .oldkeys.tgz to the /tmp directory and extracted it, which gives the files below.
Copied the root file to the local kali machine to crack it using John.
Got the password for root for docker container.
Root on docker.
It looks like we can now ssh to the IP 192.168.150.1 as admin.
When I first tried to login using id_rsa, I got an error as I didn’t have a proper terminal. Then I used the ssh -P — root command to login as root and then logged in as admin using the id_rsa key.
User admin is in the docker group, so it is possible to escalate to root.