Hello,
This is my first writeup for the Hack The Box platform. The machine is Beep.
Let’s run nmap to see which services are running on the machine:
There were a lot of services.
On port 443 there was Apache with elastix:
gobuster -w /root/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u https://10.10.10.7 gives a bunch of directories.
Running searchsploit on elastix, we find a local file inclusion (LFI) vulnerability.
searchsploit -x php/webapps/37637.pl : to view the code
The LFI exploit is a dead end, as we are restricted: https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf&module=Accounts&action.
Next we run dirbuster and see /cgi-bin/, which combined with bash gives shellshock :) Port 10000 is also open and takes us to a Webmin portal login page.
We intercept the request with Burp, send it to Repeater, then change the User-Agent to the shellshock payload.
Upon forwarding the request, we don't get the "hello" output, as this is not the Apache shellshock.
Setting the sleep command to 1 sec, the server takes 2 secs to respond, giving us blind code execution.
Start ncat -lvnp 8081
We use the bash reverse shell from the Pentest Monkey reverse shell cheat sheet and we get a root shell.
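As an added example from the defender's side (this is not code from the original writeup): both the LFI probe against vtigercrm/graph.php and the shellshock User-Agent above leave distinctive traces in the Apache access log. The script below parses combined-format log lines and flags directory traversal, references to sensitive files such as /etc/amportal.conf, and the `() {` function-definition marker that a CGI shellshock attempt carries in a header. The log lines, IPs and timestamps are constructed for the example, and the regexes and tag names are assumptions of this example, not signatures from any particular product.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-format log lines for illustration; the
# IPs, timestamps and requests are made up, not taken from the original writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2018:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf&module=Accounts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2018:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /bin/sleep 1"
10.10.14.9 - - [01/Jan/2018:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2018:10:00:12 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /usr/bin/id"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a bash function definition "() {" in attacker-controlled data.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Directory traversal, matched after URL-decoding so %2e%2e%2f is caught as well.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Sensitive files that an LFI probe on this kind of host typically reaches for (assumed list).
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow|amportal\.conf)', re.I)


def parse_line(line: str):
    """Parse one combined-format line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the list of indicator tags that fire on one parsed log entry."""
    tags = []
    # The request line is "METHOD PATH PROTO"; decode the path before matching.
    parts = entry["request"].split(" ")
    path = unquote(parts[1]) if len(parts) >= 2 else unquote(entry["request"])
    if TRAVERSAL_RE.search(path):
        tags.append("path_traversal")
    if SENSITIVE_RE.search(path):
        tags.append("sensitive_file")
    # Shellshock can ride in any header the CGI layer exports as an environment
    # variable; the combined format only records Referer and User-Agent, so
    # check those plus the request line itself.
    if any(SHELLSHOCK_RE.search(h) for h in (entry["ua"], entry["referer"], entry["request"])):
        tags.append("shellshock")
        if "/cgi-bin/" in path:
            tags.append("cgi_target")
    return tags


def scan(log_text: str) -> list:
    """Scan multi-line log text and return one alert dict per suspicious line."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        tags = classify(entry)
        if tags:
            alerts.append({"line": lineno, "ip": entry["ip"],
                           "status": entry["status"], "tags": tags})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a['line']}: {a['ip']} status={a['status']} tags={','.join(a['tags'])}")
```

Run against the built-in sample, lines 1, 2 and 4 are flagged and line 3 is clean; pointing `scan()` at a real access log (after reading it into a string) works the same way. A 500 status on a /cgi-bin/ request with a `() {` User-Agent is the pairing worth alerting on, since the page notes that a successful injection on this host returns no output at all.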
Bye!!! FreRic Security © 2018