Tuesday, 7 June 2016

Milnet v1 challenge

Hello all,
Looking for our target and scanning










Lighttpd 1.4.35 is probably free of known exploits. Let's browse the web application









 







Something interesting? For me - no. I clicked on each links and there is nothing special.
Dirb






That is juicy information! I examined info.php file and I suspect that our target is vulnerable to RFI. I noticed that (using Burp Suite Free) while sending request to the target POST request contains route parameter. I verified that there is LFI, but RFI would be more helpful for us, because if RFI occurs in the web application then we are able to use prepared script to execute via vulnerable web application.
I edited route parameter as follow
route=http://www.google.com/?
and I have got response






















So I have verified that route parameter is vulnerable to RFI. Let's create our reverse shell script on our machine and execute it using route parameter.
 We have obtained limited shell! I have found in the /home directory langman subdirectory. This findings indicate that the system has langman user. There are several files.















The /backup/backup.sh looks interesting, let's check privilege the file.





Excellent! Root privileges!
TBU