As you see, I decided to return to the LAMP Security series. So, now it is time for CTF6.
There are a lot of open ports: 22 (SSH), 80 (web), 111 (RPC), 443 (web), 635 (RPC) and 3306 (MySQL).
What is interesting to me is why the server has both ports 80 and 443 open. Let's browse the web application and view the source code.
Hmm, these users may also exist as system users on our target, who knows?
The Home Page
Good, we also know that an admin user exists and that the application also serves webmail. The web application is probably based on Liquid CMS, but we don't know which version.
I clicked on the Read more link and got
/index.php?id=4
I have verified that the id parameter is vulnerable to SQL Injection. But let's keep exploring the web app.
I tried SQL Injection in the login panel at the URL
/index.php?action=login
but without success, so let's come back to our SQLi in the id parameter.
Good, going deeper we found
Excellent! Let's log in to the CMS as admin.
Good, I uploaded a test.php file containing the phpinfo() function as a Proof of Concept and
Executing the test.php file gave us good news
So we are pretty sure that we are able to upload a PHP backdoor; let's do that.
Excellent! We have obtained a limited shell.
PS. We could also have got a limited shell via phpMyAdmin (the credentials retrieved using SQLi are root:mysqlpass).
uname -a
gives us juicy information, for example the Linux kernel version. I found an exploit for it and
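As an added defensive example (not part of the original write-up), here is a small Python checker that scans web-server access logs for the two weaknesses this walkthrough abuses: the numeric id parameter receiving non-numeric input, and PHP files being requested from the upload directory. The log lines, the /files/ upload path and the parameter list are constructed assumptions, not values from the target.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (not taken from the original write-up).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?id=4 HTTP/1.1" 200 5123
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /index.php?id=4' HTTP/1.1" 500 312
10.0.0.5 - - [10/Mar/2024:12:00:15 +0000] "GET /index.php?id=4%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5410
10.0.0.5 - - [10/Mar/2024:12:01:30 +0000] "GET /index.php?action=login HTTP/1.1" 200 2210
10.0.0.5 - - [10/Mar/2024:12:05:02 +0000] "GET /files/test.php HTTP/1.1" 200 98
"""

# Common log format: client, identd, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Query parameters the application only ever uses as integer identifiers.
NUMERIC_PARAMS = {"id"}
# Directory where the CMS stores user uploads (assumed path for this example).
UPLOAD_DIR = "/files/"


def analyse_line(line):
    """Return (ip, timestamp, findings) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    qs = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    findings = []
    for name in NUMERIC_PARAMS:
        for value in qs.get(name, []):
            # Anything beyond plain digits (quotes, keywords, comments) is a probe.
            if not re.fullmatch(r"\d+", value):
                findings.append(f"non-numeric {name}={value!r}")
    # Scripts should never be served for execution out of the upload directory.
    if url.path.startswith(UPLOAD_DIR) and url.path.lower().endswith(".php"):
        findings.append(f"PHP executed from upload dir: {url.path}")
    return (m["ip"], m["ts"], findings)


def suspicious_requests(log_text):
    """Collect only the log entries that produced at least one finding."""
    hits = []
    for line in log_text.splitlines():
        result = analyse_line(line)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, ts, findings in suspicious_requests(SAMPLE_LOG):
        print(ip, ts, "; ".join(findings))
```

The same allow-list idea (id must be an integer, nothing executable under the upload path) is what the application itself should enforce; the log check only makes the failure visible after the fact.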
Game over!