Machine IP →
Nmap scan →
nmap -A -Pn -p- -T4 -oN nmap.txt 192.168.244.138
OS Detection →
OS: Linux; CPE: cpe:/o:linux:linux_kernel
| Port | Service | Other details (if any) |
|------|---------|------------------------|
| 22 | SSH | OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0) |
| 80 | HTTP | Apache httpd 2.4.10 ((Ubuntu)) |
GoBuster scan →
gobuster dir -u http://192.168.244.138 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
Directories/files listed →
- icons/ (403)
- administration/ (403)
With little to go on from the web scan, the next step was to look at request headers. Adding an X-Forwarded-For: 192.168.244.138 header makes the server treat the request as coming from an internal address and allows the /administration/ directory to load. The header needs to be added to every subsequent request, which is done via Burp intercept.
This directory has a login page that is not vulnerable to SQL injection; however, the default credentials admin:admin work. The application dashboard offers the ability to upload a file, list users, or log out. The .../users page does not list any useful information.
Note: There was a spelling error in the links, which needed to be corrected to get the right response.
The interesting part was the upload functionality, which could be used to upload a reverse shell. However, the application does not directly allow PHP files. Renaming the file and adding image headers to the content were tried as bypasses, but neither worked.
What worked was modifying the Content-Type header to image/gif. This allowed the upload of the reverse shell, and the application returned the path of the uploaded file. Navigating to that file grants a shell as the www-data user over netcat; this also gives the user flag.
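As an added example (not code from the original writeup or from the target application), the Python below contrasts the two weak checks the bypasses above defeat, an allowlist fed by X-Forwarded-For and an upload filter driven by Content-Type, with hardened versions; the internal network range, the trusted proxy address and the sample headers and files are all assumed for illustration.

```python
# Added example: the two bypasses work because the server makes a security
# decision on values the client controls (a request header and a MIME type).
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.244.0/24")  # assumed allowlist
TRUSTED_PROXIES = {"10.0.0.5"}                           # assumed reverse proxy

def weak_admin_check(remote_addr, headers):
    # Believes X-Forwarded-For from any peer, so one header bypasses the 403.
    client = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return ipaddress.ip_address(client) in INTERNAL_NET

def hardened_admin_check(remote_addr, headers):
    # Only honour X-Forwarded-For when the TCP peer is a proxy we operate;
    # the proxy appends the real client last, so that is the value to read.
    client = remote_addr
    if remote_addr in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        client = headers["X-Forwarded-For"].split(",")[-1].strip()
    return ipaddress.ip_address(client) in INTERNAL_NET

ALLOWED_EXT = {"gif", "png", "jpg"}
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}

def weak_upload_check(filename, content_type, data):
    # Decides on the client-supplied Content-Type alone: image/gif is a free pass.
    return content_type.startswith("image/")

def hardened_upload_check(filename, content_type, data):
    # Allowlist the final extension and require matching magic bytes; the
    # Content-Type header is ignored. Magic bytes alone can be satisfied by a
    # polyglot, so in practice also store uploads under a server-chosen name
    # in a directory with no script handler.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    return kind == ext

if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "192.168.244.138"}   # constructed header
    print(weak_admin_check("203.0.113.9", spoofed))      # True: bypassed
    print(hardened_admin_check("203.0.113.9", spoofed))  # False: peer not a proxy
    php = b"<?php echo 1; ?>"                            # constructed sample
    print(weak_upload_check("shell.php", "image/gif", php))      # True
    print(hardened_upload_check("shell.php", "image/gif", php))  # False
```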
/etc/passwd file, the users of importance are
/home/ directory contains a file
user.txt file which has a base64 encoded string. Decoding this gives the credentials yousef:yousef123. Using these with SSH gives the shell as user
sudo -l capabilities of yousef, it shows that yousef may run any command as root using
sudo su grants the root shell and thus the root flag.