Compromised is a hard Linux box created by D4nch3n. The initial foothold was finding the backup and the LiteCart credentials inside it; using those we can upload an arbitrary file. With that we upload a MySQL PHP client to run queries, and checking the UDF functions we find exec_cmd. Checking passwd we see the mysql user has a bash shell, so using exec_cmd we write our authorized_keys and SSH to the box as mysql. Enumerating the box we find a pam_unix.so; reverse engineering it we get a password, and using that we can su to root.
nmap -sC -sV -oN nmap/compromised 10.10.10.207
# Nmap 7.80 scan initiated Sun Sep 13 00:37:44 2020 as: nmap -sC -sV -oN nmap/compromised 10.129.11.18
Opening the page we see that this is a LiteCart shop.
Let's run gobuster on the root and do manual enumeration on the side.
Just trying here and there we find an admin login, so we know we need to find some credentials to log in at this portal.
Looking at the gobuster results we find
/index.php (Status: 302)
among which backup seems the most interesting, so let's take a look at that.
The backup directory contained only one file, i.e.
Downloading and un-archiving it, we see it is a backup of the shop (LiteCart), so we poke around for information.
In admin/login.php we find a hint for some password as
Following that hint and checking the web, we find a credential as
Using that on the admin login, we see we can log in.
One interesting piece of info we find is that the LiteCart version is 2.1.2.
Coming back to the backup dump we find another very interesting file,
.sh.php, which is a backdoor. Checking for it on the web server we are able to find it, but unable to execute anything.
Checking searchsploit we see an Arbitrary File Upload exploit is present for this version of LiteCart.
Using that we upload a shell again, but we face the same issue: not able to execute any command.
So I modified my payload to upload a
Uploading that and checking, we see a lot of PHP system-related functions are disabled.
One thing we can do is think of a way to bypass that, or look at some other things.
In the dump I had also found DB credentials as
So I wrote a simple PHP script to run any query I pass it.
Remembering that the server was previously compromised, there might be a backdoor left, so I was looking around and checking mysql.func:
SELECT * from mysql.func;
We see an interesting function, exec_cmd. Testing if we can run commands via that:
Checking passwd for mysql we also see the mysql user has a bash shell attached to it.
Trying a reverse shell didn't have any success and was blocked by the firewall.
So I wrote an SSH key to authorized_keys and, using that, was able to SSH to the box and get a shell as mysql.
Enumerating the box as mysql we find an interesting file, pam_unix.so.
Downloading that and reverse engineering it, we find a backdoor credential as
Using that with su root we get a shell and can grab the user and root flags.
I was also looking into bypassing disable_functions and was able to do that using the exploit
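As a defender's follow-up to the persistence this box showed (a service account with a login shell, an extra UDF row in mysql.func, and a replaced pam_unix.so), here is an added host-audit example; it is not from the original writeup, and the account list, the UDF library name and the baseline hash are constructed assumptions.

```python
import hashlib

# Service accounts that should never have an interactive shell or SSH keys
# (assumption: tune this set to the host; the box abused the mysql account).
SERVICE_ACCOUNTS = {"mysql", "www-data", "postgres", "nobody"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def service_accounts_with_shell(passwd_text):
    """Return (user, shell) for service accounts whose shell permits a login."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in SERVICE_ACCOUNTS \
                and fields[6] not in NOLOGIN_SHELLS:
            hits.append((fields[0], fields[6]))
    return hits


def unexpected_udfs(func_rows, allowed=frozenset()):
    """func_rows are (name, ret, dl, type) tuples as in SELECT * FROM mysql.func.
    A stock server has no rows here, so anything outside the allow-list is a finding."""
    return [(name, dl) for name, _ret, dl, _type in func_rows if (name, dl) not in allowed]


def pam_module_tampered(module_bytes, baseline_sha256):
    """True if the installed pam_unix.so no longer matches the package baseline
    (on Debian/Ubuntu derive the baseline from dpkg's md5sums or debsums)."""
    return hashlib.sha256(module_bytes).hexdigest() != baseline_sha256


def audit(passwd_text, func_rows, pam_bytes, pam_baseline_sha256):
    """Run all three checks and return human-readable findings."""
    findings = [f"{u} has login shell {s}" for u, s in service_accounts_with_shell(passwd_text)]
    findings += [f"unexpected UDF {n} loaded from {dl}" for n, dl in unexpected_udfs(func_rows)]
    if pam_module_tampered(pam_bytes, pam_baseline_sha256):
        findings.append("pam_unix.so hash does not match baseline")
    return findings


# Constructed sample inputs (not captured from the box); the .so name is made up.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash\n")
SAMPLE_FUNC_ROWS = [("exec_cmd", 0, "udf_example.so", "function")]
CLEAN_PAM = b"placeholder bytes standing in for the packaged pam_unix.so"
CLEAN_BASELINE = hashlib.sha256(CLEAN_PAM).hexdigest()

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_FUNC_ROWS, b"replaced module", CLEAN_BASELINE):
        print("FINDING:", finding)
```

On a real host feed the functions the contents of /etc/passwd, the rows of mysql.func and the bytes of the installed pam_unix.so, with the baseline hash taken from the package manager rather than from the file on disk.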