Hi all, that was a really easy box.
You can find the machine here: CengBox1
Let’s start, as always, with nmap.
gobuster on it!
So the interesting directories are :
But all of them return 403 Forbidden, so let’s run gobuster against /masteradmin for further enumeration.
SQL Injection Authentication Bypass - Shell as www-data
Here we go
/login.php asks for credentials :
I tried the classic ones (guest:guest) but got nothing, so I decided to exploit this manually without using sqlmap.
The source code will be something like :
So here it takes the user input and puts it straight into the SQL query. We can see the query wraps the input in single quotes, which means we have to send a single quote to close the opening quote and then inject our payload after it.
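The login.php snippet itself is not reproduced above, so here is an added example (mine, not the box’s code) that rebuilds the same pattern against an in-memory SQLite table: the user input is concatenated inside single quotes, so a quote closes the string and a `--` comment drops the password check. The table, users and passwords are constructed for the demo; the `?` placeholder version shows the fix.

```python
import sqlite3


def make_db():
    """Constructed sample users table (not the box's schema or data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("guest", "guest123")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same mistake as the login page: input pasted into the quoted SQL literal.

    username = "admin' -- " turns the query into
        ... WHERE username = 'admin' -- ' AND password = '...'
    so everything after the comment marker, including the password check, is ignored.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' -- ", "wrong"))          # admin
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))  # admin (first row)
    print(login_safe(db, "admin' -- ", "wrong"))                # None
```

The second payload works without knowing any username: `AND` binds tighter than `OR`, so the trailing `OR '1'='1'` makes the whole `WHERE` true and the first row comes back, which is usually the admin account.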
And we’re in! :D We can see this upload form :
Let’s try to upload a simple php script to see if we can execute php code.
When we upload it we get this error:
extension not allowed, please choose a CENG file. Alright, let’s rename our
Now it says :
Success & we can find the file under
Now let’s simply upload our shell as a CENG file :)
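The upload filter only looks at the file name, which is why renaming the script to the "allowed" extension gets it past the check while the server still hands it to PHP. The added example below (mine, not the box’s code) mimics that name-only check beside a version that also refuses anything containing a PHP open tag; the sample uploads and the `ceng` allowlist are constructed for the demo.

```python
import os
import re

ALLOWED_EXTENSIONS = {"ceng"}

# Constructed sample uploads (not files from the box): a web shell under its
# normal name, the same shell renamed to the allowed extension, and a benign file.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>\n"
SAMPLE_UPLOADS = [
    ("shell.php", PHP_SHELL),
    ("shell.ceng", PHP_SHELL),
    ("notes.ceng", b"just some notes\n"),
]

# PHP open tags an interpreter will honour: "<?php", "<?=", or a bare "<?" followed by whitespace.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)")


def extension_allowed(filename):
    """What the upload form checks: nothing but the extension of the supplied name."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in ALLOWED_EXTENSIONS


def looks_like_php(content):
    """Cheap content check: does the file carry a PHP open tag anywhere?"""
    return PHP_OPEN_TAG.search(content) is not None


def vulnerable_upload_allowed(filename, content):
    """Name-only filter: a renamed shell.php sails through."""
    return extension_allowed(filename)


def hardened_upload_allowed(filename, content):
    """Extension allowlist plus content inspection."""
    return extension_allowed(filename) and not looks_like_php(content)


def evaluate(uploads=SAMPLE_UPLOADS):
    """Return {filename: (vulnerable verdict, hardened verdict)} for each sample."""
    return {
        name: (vulnerable_upload_allowed(name, data), hardened_upload_allowed(name, data))
        for name, data in uploads
    }


if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        print(f"{name:12} name-only filter: {weak!s:5} with content check: {strong}")
```

The content check is defence in depth only; the real fix is server-side configuration, so that nothing in the upload directory is ever mapped to the PHP handler no matter what extension it carries.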
We have a shell. I’ll show you some tricks for getting a fully interactive reverse shell.
www-data -> cengover
Now we can see this inside
Let’s connect to mysql and search for credentials.
Great, let’s use this password for the system user cengover.
cengover -> root
Perfect, now let’s transfer pspy to the box to look for a cronjob.
This file runs as root :
I discovered a new trick: instead of using a reverse shell or something, we can simply change the root password. Add this:
And now we can log in as root:
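Once pspy shows a job running as root, the thing to confirm is that the file it runs (or its directory) is writable by our user, which is the whole reason the password change above works. The added example below (mine, not the author’s trick and not part of pspy) parses /etc/crontab-style entries and flags root jobs whose program a non-root user could modify or swap out; the crontab lines and the staged files in `demo()` are constructed for the demo, not taken from the box.

```python
import os
import stat
import tempfile
import textwrap

# Constructed /etc/crontab-style sample (the user field comes before the
# command); none of these paths or jobs are from the box.
SAMPLE_CRONTAB = textwrap.dedent("""\
    # m h dom mon dow user  command
    */2 * * * * root /opt/healthcheck.sh
    0 3 * * *   root /usr/local/bin/backup.sh --quiet
    * * * * *   www-data /var/www/cleanup.py
    @reboot     root /etc/rc.local
""")


def parse_system_crontab(text):
    """Return (user, program) pairs from /etc/crontab-style text.

    Handles the five-field schedule and the @reboot/@daily shortcuts. Only the
    first word of the command is kept; a job like "python3 /opt/x.py" would
    need its argument inspected as well.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            if len(fields) < 3:
                continue
            user, command = fields[1], fields[2:]
        else:
            if len(fields) < 7:
                continue
            user, command = fields[5], fields[6:]
        jobs.append((user, command[0]))
    return jobs


def writable_root_jobs(text, root="/"):
    """Programs run by root that a non-root user could modify or replace.

    `root` lets the check run against a staged directory tree instead of the
    live filesystem. A program is flagged when the file is group- or
    world-writable, or when its directory is world-writable without the
    sticky bit (the file can then simply be swapped out).
    """
    findings = []
    for user, program in parse_system_crontab(text):
        if user != "root":
            continue
        path = os.path.join(root, program.lstrip("/"))
        if not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        dir_mode = os.stat(os.path.dirname(path)).st_mode
        file_writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
        dir_replaceable = bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)
        if file_writable or dir_replaceable:
            findings.append(program)
    return findings


def demo():
    """Stage a fake tree: one world-writable root job, one locked down."""
    staged = tempfile.mkdtemp()
    for program, mode in (("/opt/healthcheck.sh", 0o777),
                          ("/usr/local/bin/backup.sh", 0o755)):
        path = os.path.join(staged, program.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(path, mode)
    return writable_root_jobs(SAMPLE_CRONTAB, root=staged)


if __name__ == "__main__":
    print(demo())  # ['/opt/healthcheck.sh']
```

On a real box you would run `writable_root_jobs(open("/etc/crontab").read())` and repeat it for the files under /etc/cron.d; anything it returns is the same kind of foothold the writeup exploits, and the fix is simply root-owned, 0755 (or stricter) scripts in root-owned directories.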
Let’s read the flag :
Fun box :)