Base (Tier 2)

Description

Tier -> 2
Difficult -> Very Easy
OS -> Windows
Tags -> Vulnerability Assessment / Custom Applications / Source Code Analysis / Authentication / Apache / PHP / Reconnaissance / Web Site Structure Discovery / SUDO Exploitation / Authentication bypass / Clear Text Credentials / Arbitrary File Upload / Information Disclosure / PHP type juggling

nmap 10.129.93.15 -p- -Pn --min-rate 2500 -oN scan.txt

Answer: 22,80

Then to learn more about the services running on the open ports, I did an exhaustive scan

nmap 10.129.93.15 -p22,80 -sVC -oN serv_scan.txt

I found the HTTP protocol running on port 80 so I went to the browser to explore the content and found a website for the services of a company. I explored the sections of the site but for the moment the only interesting thing was the Contact section, which had a form that I filled out, but trying to submit, it didn't work and showed an error message

I continued exploring the sections, reaching the Login button which redirected me to a login page. I tried logging in with common credentials but it didn't work. What caught my attention was the route to this site on the URL, which wasn't calling the source file directly but using a relative route. Based on this, I tried reaching just the folder from which it was being taken and noticed other exposed files

Answer: /login/login.php

Answer: 3

Answer: .swpstrcmp()

With a little research, I found that the .swp extension is for temporary files from text editors such as vi, vim, nvim, etc... so I downloaded the login.php.swp file and used the vim command with the -r flag to recover the file, save it to a new file and read its content, now visualizing the source code properly. We noticed it was making a comparison for the confirmation of the credentials using the strcmp function

vim -r login.php.swp 

# Inside vim
:w login.php
:q!

Answer: strcmp()

Once here, I tried uploading a script for getting a reverse shell in PHP, and it worked, but I didn't know where the files were being saved. So, to find the location, I tried fuzzing the URL to find possible routes, and after some attempts and finding the correct dictionary, I found a route /_uploaded which seemed to be the correct location. Then I went to that route and confirmed the file was there

gobuster dir -u http://10.129.93.15 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -o fuzz.txt

Answer: /_uploaded

nc -nvlp 4444

As I was a default user from the web server, I had to find a way to make lateral movement to another user on the system with less restricted actions. First, I went to explore the server files in the default folder /var/www/html finding a curious file under the /login folder named config.php, and checking its content I found a password for the admin user was being leaked

I had the credentials for a user on the website, but I was looking for one on the system, so maybe these credentials could work also there. I tried changing to the user admin but it failed, so it wasn't a user on the system. So I went to the /home folder to see if there was any folder related to another user and found one named john. Once again I tried changing to that user assuming it would have the same password, and it worked successfully

Answer: john

Answer: thisisagoodpassword

Once there, I went to its /home folder, found a user.txt file, and retrieved the user flag from its content

What was left was to escalate privileges, so I checked the sudo execution permissions for this user and it could execute the find command as a privileged user