So far you have learnt many tricks in the Linux privilege escalation series, but I did not find enough worked examples for sudo. With that in mind, here is a walk-through of a web-to-root machine provided by VulnHub.
I recommend you first try the machine yourself – https://www.vulnhub.com/entry/hack-me-please-1,731/
I will leave importing the machine and finding its IP (with an Nmap ping scan or the netdiscover tool) to you.
In my case the machine's IP is 192.168.87.140. I used Nmap to scan for open ports and the services running on them:
nmap -sV --min-rate 1000 192.168.87.140
The scan showed two open ports: 80 and 3306.
Since directory busting did not turn up anything, I looked for information in the site's static assets and luckily found a path.
Visiting that path at http://192.168.87.140/seeddms51x/seedms-5.1.22/ showed the login panel of the SeedDMS application. The machine description clearly states that brute force is not required, and I still had MySQL to check.
From the SeedDMS source repository I found where exactly it stores its settings and configuration file, and confirmed the location with directory busting:
gobuster dir \
  -u http://192.168.87.104/seeddms51x \
  -w /usr/share/wordlists/rockyou.txt \
  -edrf \
  -x php,html,cgi
The directory is /conf and the file is settings.xml. Download it with curl and look for the database configuration in it:
curl http://192.168.87.104/seeddms51x/conf/settings.xml -sL | grep -i db
Log in to MySQL using the credentials from the previous step:
mysql -u seeddms -pseeddms -D seeddms --silent -h 192.168.87.104
There I found two tables whose names contain the string "users", among them tblUsers. Since I was not able to crack the stored password hash, I updated the admin user's password instead:
-- md5("test") = d8e8fca2dc0f896fd7cb4cb0031ba249
UPDATE tblUsers SET pwd='d8e8fca2dc0f896fd7cb4cb0031ba249' WHERE login='admin';
This time I managed to log in to the application as admin with the credentials admin:test.
Searching for exploits, I found that this version of the application is vulnerable to arbitrary file upload. That is a good start: I can upload a web shell and get a reverse Meterpreter session.
Next, create the reverse shell payload from msfconsole and upload it to the application.
Upload the shell file and note the document id.
The URL of the uploaded shell may differ in your case; when I exploited the application it was http://192.168.87.140/seeddms51x/data/1048576/4/1.php
On visiting this URL I immediately got a reverse connection and was able to obtain an interactive bash shell on the system.
While enumerating users in /etc/passwd, I found a user we had encountered earlier in the MySQL table.
Since I was not in a real tty session, I used the Python pty module to spawn one:
# https://netsec.ws/?p=337
$ python -c "import pty; pty.spawn('/bin/bash')"
I found that the login was vulnerable to password reuse and managed to log in as the saket user with the password from MySQL. Later I found that this user is configured to run any command as ALL users via sudo. You can now run sudo bash to get a shell with root permissions.
If you want a refresher on sudo misconfigurations, I have already published the posts Understand Sudo in Linux and Exploiting Sudo Misconfiguration to Get Root Shell.
NOTE: To log in as any system user, you need the password prompt from the askpass utility, which relies on a pty or tty session.
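As an added example (not from the original post or the machine), here is a small POSIX sh audit function that flags the kind of sudoers grant abused above: any command as any user, plus NOPASSWD entries. It runs against a constructed sample file, not the real /etc/sudoers; on a live host you would point it at /etc/sudoers and the files under /etc/sudoers.d (visudo -c only checks syntax, not policy).

```shell
# audit_sudoers FILE
# Prints each grant that allows running ALL commands, or that is NOPASSWD,
# and returns 1 if anything was flagged, 0 otherwise.
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                   # comments and blank lines
        /^[ \t]*Defaults/ { next }                          # option lines, not grants
        /^[ \t]*(User|Runas|Host|Cmnd)_Alias/ { next }      # alias definitions
        {
            n = index($0, "=")                              # who hosts=(runas) [TAG:] cmds
            if (n == 0) next
            rhs = substr($0, n + 1)
            cmds = rhs
            sub(/^[ \t]*\([^)]*\)/, "", cmds)               # drop the (runas) spec
            gsub(/[ \t]*(NO)?(PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):/, "", cmds)
            gsub(/^[ \t]+|[ \t]+$/, "", cmds)               # trim
            if (cmds ~ /^ALL(,|$)/)      { print "RISK any-command: " $0; bad++ }
            else if (rhs ~ /NOPASSWD:/)  { print "WARN nopasswd:    " $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample policy (hypothetical users, not the box's real sudoers).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not the real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
saket   ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart apache2
EOF

audit_sudoers "$SAMPLE" || echo "risky sudoers entries found in $SAMPLE"
```

The saket line is exactly the grant that turns password reuse into root on this box; the deploy line shows a scoped grant that the check leaves alone.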