
    This box is described as "Intermediate" and the description states:  "Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root)."

    I'll admit, I'm getting a little worn out on the multiple web serving troll ports.  It's basically the same box recycled with a different twist.  That being said, the privilege escalation was excellent.  There are multiple entrances for a low privilege shell and I cover two. 

    We kick off with Nmap:


    Lots of open ports like the previous boxes from this author.  When we search port 80 with Nikto, we find:


    When we access it from the web browser, we find:


    Scrolling down, we find:


    Moving over to the admin page, we try admin admin:


    We're in!  I attempt to upload a shell:


    But that errors out.  When I look in the address, I see what could be SQL Injection:


    Mind you, this is a deviation and it goes nowhere but if you want to play around with it, this is how it starts:


    We capture the post in Burp and we insert it into a file.  We fire up SQLMap:


    We find a database:


    Let's enumerate the database:


    We find a table and we get the column info:


    Let's dump the table:


    And we find what we already know when cracking the hash: the username is admin and the password is admin.


    Circling back -- looking at the format of the pages, I guess that maybe admin_edit.php exists:


    I attempt to upload a shell:


    When I try to add it:


    We get an error. 

    Meanwhile, I'm brute forcing SSH and I find:


    That's our first in; I'm not sure that was intended.  We SSH over to the box:


    As I'm hunting around the various web servers, I find:


    I think this was probably the intended entry:


    We upload our shell:


    Note the location of the file but recognize that it's NOT on this web server, it's the server running on port 8715:


    With our handler set up:


    Getting in as www-data buys us nothing.  Back to katana, I search for files with capabilities and I uncover:


    Which leads us to:


    With Python2.7, we can execute a shell for root.  We get the flag and it's game over!  I really like the privilege escalation, that was solid.  Took me a bit to figure that out because it doesn't show up on privilege escalation scripts -- or at least those I ran.
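For the defensive side of that last step, here is an added example (not part of the original write-up) that audits `getcap -r /` output and flags identity-changing or permission-bypassing capabilities, treating them as critical when they sit on a general-purpose interpreter. The sample lines are constructed, and the capability shown on python2.7, the risk set, and the interpreter list are assumptions, since the capability found on the box is not stated in the text.

```python
import re

# Capabilities that change identity or bypass file permissions (assumed risk set).
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner"}
# Binaries that run arbitrary user-supplied code (assumed list, extend as needed).
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh|dash|gdb|vim?|tar)[\d.]*$")
# One capability clause, e.g. "cap_setuid+ep", "cap_a,cap_b=ep" or "=ep" (all caps).
CLAUSE = re.compile(r"^((?:[a-z0-9_]+,)*[a-z0-9_]+)?[+=]([eip]+)$")

def parse_getcap_line(line):
    """Return (path, caps) for old 'path = caps+ep' and new 'path caps=ep' formats."""
    tokens = line.split()
    clauses = []
    while tokens and CLAUSE.match(tokens[-1]):
        clauses.append(CLAUSE.match(tokens.pop()))
    if tokens and tokens[-1] == "=":      # separator used by older libcap
        tokens.pop()
    if not tokens or not clauses:
        return None
    caps = set()
    for m in clauses:
        if set(m.group(2)) & {"e", "p"}:  # ignore inheritable-only sets
            caps.update((m.group(1) or "all").split(","))
    return " ".join(tokens), caps

def audit(getcap_output):
    """Return [(severity, path, risky_caps)] for every risky capability grant."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(c for c in caps if c in HIGH_RISK or c == "all")
        if risky:
            name = path.rsplit("/", 1)[-1]
            severity = "critical" if INTERPRETER.match(name) else "review"
            findings.append((severity, path, risky))
    return findings

# Constructed sample output, not taken from the box.
SAMPLE = """
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tools/backup cap_dac_read_search=ep
"""

if __name__ == "__main__":
    for severity, path, caps in audit(SAMPLE):
        print(f"{severity:8} {path} {','.join(caps)}")
```

On a real host, feed it the output of `getcap -r / 2>/dev/null` and remove unneeded grants with `setcap -r <path>`.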



    © 2021 Seven Layer Networks, Inc. | All rights reserved.