Updated: Jun 5
Walkthrough of vulnerable machine CengBox . It is a intermediate level machine!
you can download this box from vulnhub.
IP of the target : 192.168.43.133
First of all we run nmap to find open ports and services running in the target system using the command .
nmap -sC -sV -Pn -p- 192.168.43.133
now lets enumerate the port 80 to find something useful .
That's all we have on port 80 :(
Now we decided to run dirb to find hidden directories and webpages using the command .
dirb http://192.168.43.133 /usr/share/wordlists/dirb/big.txt
/masteradmin/ looks interesting . Lets again use the dirb tool using the command
dirb http://192.168.43.133/masteradmin/ /usr/share/wordlists/dirb/big.txt -X .php
lets open the login page /masteradmin/login.php
try some basic SQL injection payload . Started ,with 1' or '1'='1'# as username and password and yes we succeed.
lets upload a .php file ( I know this will not work but my brain said : Try this )
Okay , now what is .CENG file I searched on the internet about this file extension but found nothing and after a lot of thinking ( not really) we changed the .php to .php.ceng and again tried to upload the file , and yes this time we succeed in uploading the file , Now lets visit the URL /uploads/my.php.ceng to execute our shell code
and yes we are in as user www-data. now changed directory to /home and found one user there name cengover . If we go back to our notes then there is db.php in /masteradmin/ . So by changing the directory to /var/www/html/masteradmin/ we read the content of db.php file and found some creds there.
we used this password to login into mysql and found something interesting there
we tried this password for user cengover and we are in as user cengover
we checked for user permissions but nothing and no SUID binary , now I transferred pspy64 in /tmp and after running this binary we found a cronjob.
we change our directory to /opt/ and found there a python file which is writable
we edit the file with a quick reverse shell.
And 2000 years later we got root!
and this completes the challenge!