An nmap scan reveals that ports 22, 80 and 1337 are open.
Port 1337: here we get a hint we can use during the exploitation of port 80.
Connecting with netcat and answering the questions gives us the username and password we can use to log in to the IPAM system.
Using the credentials found previously, log in to the IPAM system.
At the bottom of the page, we can see that phpIPAM version 1.4.5 is running.
Searching for exploits on exploit-db, I came across the following: https://www.exploit-db.com/exploits/50963
However, even though running this exploit says we have a shell, it really does not work. After tinkering around a bit, I remembered the “backward compatibility” mentioned in the box’s introduction. With this, I tried the exploit for version 1.4.4: https://www.exploit-db.com/exploits/50684
Hence, I set up a Burp proxy to capture the request and then use
Setting up burp proxy:
Under “Proxy Listeners”, add a new listener, choose a port and redirect it to our target machine.
Now run the exploit to capture the POST request.
Even though the exploit doesn’t do anything, I copied the POST request to a text file and modified the ‘subnet=’ value to add a *, so I can use it readily with
sqlmap shows us that the application is vulnerable to SQL injection (SQLi).
Getting a reverse shell is easy using sqlmap. I uploaded the PHP reverse shell script to /var/www/html/ and started a netcat listener to catch the reverse shell.
sqlmap -r req.txt --dbs --file-dest=/var/www/html/reverse.php --file-write=./reverse.php
Opening this file in the browser (http://<target_ip>/reverse.php) should give us the reverse shell on the
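The file write above only succeeds because two server-side conditions line up: the database account may write files anywhere (MySQL/MariaDB `secure_file_priv` is empty) and the web root accepts files from the database daemon's user. The following audit is an added example, not part of the original writeup, and assumes a MariaDB/MySQL backend; the variable listing it parses is a constructed sample standing in for the output of `mysql -e "SHOW VARIABLES LIKE 'secure_file_priv'"`, and the directory it inspects is a temporary one it creates itself.

```shell
#!/bin/sh
# Added example (not from the original writeup): a defender-side check of the two
# conditions that let a SQL injection become a file write under the web root.
# Assumes MariaDB/MySQL. The variable listing is a constructed sample standing in
# for the output of:  mysql -e "SHOW VARIABLES LIKE 'secure_file_priv'"

# Classify a secure_file_priv value:
#   ""    -> unrestricted (INTO OUTFILE / LOAD_FILE may touch any path mysqld can reach)
#   NULL  -> disabled     (server-side file import/export switched off)
#   path  -> restricted   (confined to that directory)
classify_secure_file_priv() {
    case "$1" in
        "")   echo unrestricted ;;
        NULL) echo disabled ;;
        *)    echo restricted ;;
    esac
}

# Pull the value out of a tab-separated SHOW VARIABLES result (mysql -e format).
parse_secure_file_priv() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "secure_file_priv" { print $2 }'
}

# Return 0 if DIR carries a group or other write bit, i.e. a process running as a
# different unprivileged user (such as mysqld) could drop a file into it.
# Columns 6 and 9 of the ls -ld mode string are the group and other write bits.
dir_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    grp=$(printf '%s' "$mode" | cut -c6)
    oth=$(printf '%s' "$mode" | cut -c9)
    [ "$grp" = "w" ] || [ "$oth" = "w" ]
}

# Combine both checks into one verdict for a web root.
# Prints "exposed" only when the DB may write files AND the web root accepts them.
audit_file_write_path() {
    verdict=$(classify_secure_file_priv "$(parse_secure_file_priv "$1")")
    if [ "$verdict" = unrestricted ] && dir_writable_by_others "$2"; then
        echo exposed
    else
        echo ok
    fi
}

# Stand-alone demonstration on constructed input: an empty secure_file_priv and a
# world-writable temporary directory playing the role of /var/www/html.
sample=$(printf 'Variable_name\tValue\nsecure_file_priv\t')
demo_root=$(mktemp -d)
chmod 777 "$demo_root"
echo "secure_file_priv: $(classify_secure_file_priv "$(parse_secure_file_priv "$sample")")"
echo "web root verdict: $(audit_file_write_path "$sample" "$demo_root")"
rm -rf "$demo_root"
```

Either fix on its own closes the path: setting `secure_file_priv` to a dedicated directory (or NULL) in the server configuration, or keeping the web root owned by root with no group/other write bit so the database user cannot create files there.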
After stabilizing the shell, we can switch to the “ollie” user using the same password we found before.
From here, getting user.txt is a straightforward task.
Privilege escalation to root
After running linpeas and digging around, the best way to escalate privileges to root is the “feedme” script, which runs as root and which the ‘ollie’ user has the rights to edit.
This can be found using pspy. I downloaded the pspy64 binary and uploaded it to the machine.
Next, I find where this file is and check its permissions. As said above, we can edit this file.
I use vim to edit the file and add a bash reverse shell to it, then start a netcat listener to catch the root shell. It takes about a minute, and if everything is right, we will have the root shell.
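The root cause of this escalation is a script executed by root that a non-root user can modify. The audit below is an added example, not part of the original writeup; it generalises the single “feedme” case on the page to any cron.d-style file by listing every command scheduled as root and flagging those with a group or other write bit. The cron file and the two scripts it inspects are constructed inside a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original writeup): an audit for the misconfiguration
# behind the "feedme" step, i.e. a script executed by root that a non-root user can
# edit. Generalised to any cron.d-style file. The cron file and scripts below are
# constructed for the demonstration.

# Print the command path of every entry in a cron.d-style file that runs as root.
# Handles the five-field form ("* * * * * root /path") and "@reboot root /path";
# comments, blank lines and VAR=value lines are skipped.
root_cron_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        $1 ~ /^@/  && NF >= 3 && $2 == "root" { print $3 }
        $1 !~ /^@/ && NF >= 7 && $6 == "root" { print $7 }
    ' "$1"
}

# Return 0 if PATH has a group or other write bit (ls -ld mode columns 6 and 9).
# A missing path yields an empty mode string and is treated as not writable.
writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] || [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# Print each root-scheduled command that an unprivileged user could rewrite.
flag_writable_root_jobs() {
    root_cron_commands "$1" | while IFS= read -r cmd; do
        if writable_by_others "$cmd"; then
            printf '%s\n' "$cmd"
        fi
    done
}

# Stand-alone demonstration on a constructed cron file and two scripts.
demo=$(mktemp -d)
printf '#!/bin/sh\necho feeding\n' > "$demo/feedme"
printf '#!/bin/sh\necho fine\n'    > "$demo/safe.sh"
chmod 777 "$demo/feedme"     # the dangerous case: anyone can rewrite a root-run script
chmod 755 "$demo/safe.sh"    # owner-only write
cat > "$demo/cron" <<EOF
# constructed /etc/cron.d style file
SHELL=/bin/sh
* * * * * root $demo/feedme
*/5 * * * * root $demo/safe.sh
@reboot root $demo/safe.sh
EOF
echo "writable root-run scripts:"
flag_writable_root_jobs "$demo/cron"
rm -rf "$demo"
```

Run against real `/etc/cron.d/*` entries, every path it prints is a file root will execute on a schedule that some other account can edit; the fix is to make such scripts root-owned with mode 755 or stricter, and to apply the same check to anything root runs from a user-writable directory.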
With the root shell, I get the flag from the root directory :)