Let's start the machine and start some basic enumeration.
While our scans are running, we can paste our victim machine's IP into a web browser. We are greeted with an Apache2 Ubuntu Default Page.
The first sub-directory hit from dirb is "/content". This landing page indicates that there is a SweetRice CMS service.
Our nmap scan has finished and indicates that there are two open ports, 22 (SSH) and 80 (HTTP).
Dirb has found two more interesting directories: "/content/inc" and "/content/as".
We have a SweetRice login form and some interesting files. Taking a closer look at "mysql_backup", we find a .sql file we can download to our machine for enumeration.
If we take a close look at the output, we can see a username and an MD5-hashed password. Making a quick stop at crackstation.net, we can grab the password.
Trying these credentials back on our SweetRice login we're able to log in. Notice the current version is 1.5.1.
Let's do some research to see if there are any quick exploits for this version of SweetRice.
Run "searchsploit -m 40700.html" to copy the exploit to our current working directory. If we open the HTML file in a text editor, we see that there are a couple of values for us to change and a section for us to insert our own PHP reverse shell code into.
Copy the PHP reverse shell from: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php. Then insert that code into our exploit. Don't forget to set your attack box IP address and change the URL in the exploit to match our target box!
Before running this exploit, let's start a nc listener. "nc -nlvp 1234".
Once we run the exploit, navigate to the page in the comment.
Now let's see if we can upgrade this to a fully interactive TTY:
In the reverse shell:
  python -c 'import pty; pty.spawn("/bin/bash")'
  Ctrl-Z
In Kali:
  stty raw -echo
  fg
Back in the reverse shell:
  reset
  export SHELL=bash
  export TERM=xterm-256color
  stty rows <num> columns <num>
Now that we have a fully interactive TTY let's perform some enumeration in order to find the user flag and to escalate our privileges.
If we run "sudo -l" we can see which commands our current user is allowed to run with sudo.
Further inspection of this file reveals that the script runs the following command:
Running "ls -la /etc/copy.sh" we can see that we have write permissions for this file. As luck would have it, it already has a reverse shell in its contents, so we simply add our attack box IP and the port that our new nc listener will use.
rooted!
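The root cause here is a sudo-allowed script that an unprivileged user can edit. As an added defender-side check (not part of the original writeup), this script takes the command paths a user is permitted to run through sudo, such as the entries "sudo -l" lists, and flags any that are group- or world-writable. Paths are assumed to be passed as arguments; it uses only ls and awk so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the original writeup. Audit the targets of sudo
# rules: a script like /etc/copy.sh that sudo lets a user run as root must
# not be writable by anyone but root, or that user can simply edit it.
#
# Usage: audit_sudo_targets /etc/copy.sh /usr/bin/somecmd ...
# Prints one line per path (OK / WRITABLE / MISSING) and returns 1 if any
# path is group- or world-writable, 0 otherwise.
audit_sudo_targets() {
    found=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        # ls -ld: first field is the mode string (e.g. -rwxrwxr-x), the
        # third is the owner. Trim to 10 chars to drop any ACL/SELinux "+".
        mode=$(ls -ld "$path" | awk '{print substr($1, 1, 10)}')
        owner=$(ls -ld "$path" | awk '{print $3}')
        # Character 6 is the group write bit, character 9 the world write bit.
        case "$mode" in
            ?????w*|????????w*)
                printf 'WRITABLE %s %s %s\n' "$path" "$owner" "$mode"
                found=1 ;;
            *)
                printf 'OK %s %s %s\n' "$path" "$owner" "$mode" ;;
        esac
    done
    return $found
}

# Run against any paths given on the command line.
if [ "$#" -gt 0 ]; then
    audit_sudo_targets "$@"
fi
```

Pair this with checking that the file's owner is root; a root-owned, mode 755 script is the safe configuration for anything referenced from sudoers.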