Tuesday, 7 June 2016

Milnet v1 challenge

Hello all,
Looking for our target and scanning it.

Lighttpd 1.4.35 is probably free of known exploits. Let's browse the web application.


Something interesting? For me - no. I clicked on each link and there is nothing special.

That is juicy information! I examined the info.php file and I suspect that our target is vulnerable to RFI. I noticed (using Burp Suite Free) that, while sending a request to the target, the POST request contains a route parameter. I verified that there is LFI, but RFI would be more helpful for us, because if RFI occurs in the web application then we are able to make the vulnerable web application execute a prepared script.
I edited the route parameter as follows
and I got this response

So I have verified that the route parameter is vulnerable to RFI. Let's create our reverse shell script on our machine and execute it using the route parameter.
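For the defensive side of the route parameter issue above, here is an added example (not code from the Milnet VM or from this post): a dispatcher that treats route as an allowlist key instead of a path, plus a check that flags route values from captured POST bodies that look like LFI/RFI probes. The route names, file paths and request bodies are constructed for illustration.

```python
"""Allowlisted route dispatch plus a log check for the 'route' parameter.

Added example, not the Milnet application's code. ROUTES and the sample
POST bodies are constructed; assumes request bodies are available from a
proxy/WAF or application log, since a plain access log records only the
request line, not the POST body.
"""
import re
from urllib.parse import parse_qs

# Constructed allowlist: the only pages the dispatcher may ever include.
ROUTES = {
    "home": "pages/home.php",
    "info": "pages/info.php",
    "contact": "pages/contact.php",
}


def resolve_route(route: str) -> str:
    """Map a user-supplied route name to a file path.

    Unlike include($_POST['route']), the value is never used as a path; it is
    only a key into ROUTES, so neither '../etc/passwd' nor 'http://...' can
    reach the filesystem or the network. Unknown keys raise ValueError.
    """
    if route not in ROUTES:
        raise ValueError(f"unknown route: {route!r}")
    return ROUTES[route]


# Markers that make a route value look like an inclusion attempt, not a name:
# a URL scheme (RFI), parent-directory traversal, a NUL byte or PHP wrappers.
SUSPICIOUS = re.compile(
    r"(?i)(?:[a-z][a-z0-9+.-]*://|\.\./|\.\.\\|\x00|php://|data:)"
)


def is_suspicious_route(value: str) -> bool:
    """True if a decoded route value matches any LFI/RFI marker."""
    return bool(SUSPICIOUS.search(value))


def flag_post_bodies(bodies):
    """Return decoded route values from form-encoded POST bodies that look
    like LFI/RFI probes, in the order they were seen."""
    flagged = []
    for body in bodies:
        # parse_qs percent-decodes, so %2e%2e%2f becomes ../ before matching.
        for route in parse_qs(body, keep_blank_values=True).get("route", []):
            if is_suspicious_route(route):
                flagged.append(route)
    return flagged
```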
We have obtained a limited shell! In the /home directory I found a langman subdirectory. This finding indicates that the system has a langman user. There are several files.

The /backup/backup.sh looks interesting; let's check the file's permissions.

Excellent! Root privileges!