I saw a few people mention DIGITALWORLD.LOCAL: FALL on the VulnHub discord so thought I would give it a go.
A few services here; mostly for distraction, I guess:
- SMB (139/443)
- MySQL on 3306, and
- Cockpit on 9090
I checked that MySQL wasn’t accessible remotely and that there was nothing on the SMB server:
And having established that those were boring, I moved on to…
The website is running CMS Made Simple v. 2.2.15, which has several known exploits, including SQLi and RCE, but both require authentication, which we don’t have. One of the posts on the blog says:
Fellow administrators, stop polluting the webroot with all sorts of test scripts! This is production for heaven’s sake!
So, let’s fuzz for those?
Right, we’ve got test.php. What can we do with that? It says:
I fuzz it with Burp Turbo Intruder, initially with:
GET /test.php?%s=id HTTP/1.1
The parameter name file returns a 200 OK, so I try:
GET /test.php?file=/etc/passwd HTTP/1.1
This works, and we appear to have one user: qiu. It’s not too simple, is it?
GET /test.php?file=/home/qiu/.ssh/id_rsa HTTP/1.1
Actually yes, we get the SSH private key.
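From the defender's side, the requests above leave an obvious trail in the web server's access log. The following is an added example, not code from the original post or from the VulnHub box: a small Python detector that parses Apache-style log lines and flags query parameters carrying an absolute path or a traversal sequence, decoding twice so double-URL-encoded values don't slip past. The log lines are constructed; the path /test.php and parameter name file come from the post, the log format and the list of sensitive prefixes are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines, Apache common log format (assumed); the test.php?file= requests mirror the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test.php?file=/etc/passwd HTTP/1.1" 200 1830
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /test.php?file=/home/qiu/.ssh/id_rsa HTTP/1.1" 200 1679
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /test.php?file=..%252F..%252Fetc%252Fshadow HTTP/1.1" 200 940
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /test.php?file=about.html HTTP/1.1" 200 412
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')
# Filesystem locations a web app should never include on behalf of a client (assumed list).
SENSITIVE_PREFIXES = ("/etc/", "/home/", "/root/", "/proc/", "/var/")
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def classify_value(value):
    """Return (severity or None, decoded value) for one query-string value."""
    decoded = unquote(value)  # parse_qs decoded once already; a second pass catches double-encoding
    if TRAVERSAL_RE.search(decoded) or decoded.startswith(SENSITIVE_PREFIXES):
        return "high", decoded
    if decoded.startswith("/"):
        return "medium", decoded  # client-supplied absolute path: worth a look
    return None, decoded

def suspicious_params(target):
    """All (param, decoded value, severity) triples in a request target that look like file inclusion."""
    found = []
    for param, values in parse_qs(urlsplit(target).query).items():
        for value in values:
            severity, decoded = classify_value(value)
            if severity:
                found.append((param, decoded, severity))
    return found

def scan_log(text):
    """Return one alert dict per suspicious parameter across all parsable log lines."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, decoded, severity in suspicious_params(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["target"]).path, "param": param,
                           "value": decoded, "severity": severity, "status": int(m["status"])})
    return alerts
```

Running scan_log(SAMPLE_LOG) yields three high-severity alerts for the file parameter and none for the legitimate about.html request; a 200 status on a high-severity hit is the signal that the inclusion actually succeeded.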
Our user is a sudoer, and has left his password in his .bash_history, so it’s game over:
Pretty straightforward if you dodge the rabbit holes.