Skip to content

Latest commit

 

History

History
75 lines (51 loc) · 2.07 KB

2023-10-19-Proving_grounds_Practice-Payday.md

File metadata and controls

75 lines (51 loc) · 2.07 KB
title layout date tag writeups hidden author description
Proving grounds Play: Payday
post
2023-10-19 02:00
CTF
Offsec labs
OSCP
Writeup
Linux
PG-Practice
RCE
true
true
Naveen
Offsec proving grounds practice linux machine writeup

Nmap

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d

80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)

Directory Search

img

Admin login

http://192.168.195.39/admin

Credential: admin:admin

CS-cart software is vulnerable to Remote Code Execution.

Rename the pentest monkey php reverse shell to .phtml file and uplaod it to the template editor menu as new template. Direct the below url to trigger the reverse shell.

http://192.168.195.39/skins/shell.phtml

img

Initial Foothold Obtained

Privilege Escalation

Upon recon it was found that there are 2 users in the system which are patrick and root.

Brute forcing the SSH credentials for the user patrick using hydra have failed and as an alternative used ncrack to crack the password.

Credential: patrick:patrick

img

Note: Always try to login to SSH using password as same as username.

Upon recon it was found that the user patrick can run ALL, run sudo su to obtain root.

img

Root Obtained

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.