Hi all, this one was a tricky one. Let’s pwn it!
You can find the machine here: Tre
Let's start, as always, with an nmap scan.
Let's start the enumeration on port 80; this time we will use the raft wordlist.
/mantisbt seems interesting, let's run gobuster on it.
/config sounds interesting, let's dig into it. When we visit /config we can see this .txt file:
This .txt file contains some database configuration data.
We can use them on /adminer.php.
After that we can see the mantis_user_table there; this table has some credentials that we can use on ssh.
And we're in!
Now privesc, it's a bit tricky! Took me a while to figure it out.
If we check sudo -l, we can see this:
We can run /sbin/shutdown as root, hm.. the shutdown system binary shuts the system down, like poweroff. Useless, right?
If we run file on it we can see this:
shutdown is a symlink to systemctl:
With systemctl we can start/stop/restart a service!
If we now run pspy we can see this:
Every second this file is executed as root, and we can edit it! The content of this file:
This file checks whether the service has started. We can add our reverse shell to it; when we execute /sbin/shutdown, this runs /bin/systemctl, which starts the service, so we will get a root shell!
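From the defender's side, the chain above rests on two misconfigurations: a sudo rule for a binary that is really systemctl, and a script run by root that everyone can write. The following audit script is an added example, not part of the original writeup or the machine; it builds a constructed directory tree with a hypothetical script name and flags both conditions.

```python
import os
import stat
import tempfile

# On systemd hosts shutdown/reboot/poweroff/halt are symlinks to systemctl, so a
# sudo rule for any of them really grants the right to start and stop units.
SERVICE_MANAGERS = {"systemctl"}

def audit_sudo_command(root, command):
    """Return a finding if a sudo-permitted command resolves to a service manager.
    `root` prefixes the path so the check can run against a constructed tree."""
    target = os.path.realpath(os.path.join(root, command.lstrip("/")))
    if os.path.basename(target) in SERVICE_MANAGERS:
        return f"{command} resolves to {target}: rule grants unit start/stop"
    return None

def audit_root_script(path):
    """Return a finding if a file that root executes is writable by everyone."""
    mode = os.lstat(path).st_mode
    if mode & stat.S_IWOTH:
        return f"{path} is world-writable (mode {oct(mode & 0o777)})"
    return None

def run_audit(root, sudo_commands, root_scripts):
    """Run both checks and return the list of findings (empty when clean)."""
    findings = [audit_sudo_command(root, c) for c in sudo_commands]
    findings += [audit_root_script(os.path.join(root, s.lstrip("/"))) for s in root_scripts]
    return [f for f in findings if f]

def build_demo_tree():
    """Constructed tree mirroring the box: shutdown -> systemctl plus a 0777 script (hypothetical name)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "sbin"))
    open(os.path.join(root, "bin", "systemctl"), "w").close()
    open(os.path.join(root, "bin", "ls"), "w").close()
    os.symlink("../bin/systemctl", os.path.join(root, "sbin", "shutdown"))
    script = os.path.join(root, "usr", "local", "bin", "check-service.sh")
    os.makedirs(os.path.dirname(script))
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for the script pspy showed\n")
    os.chmod(script, 0o777)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in run_audit(demo, ["/sbin/shutdown", "/bin/ls"],
                             ["/usr/local/bin/check-service.sh"]):
        print(finding)
```

On a real host you would feed it the commands from `sudo -l` and the ExecStart paths of the units root runs, with `root="/"`.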
Let’s execute it now!
Before you boot the machine again, open a nc listener.
And we have root shell!
What a box :), See you!