This is a simple box with a straightforward SQLi vulnerability, which can be exploited to upload a PHP reverse shell; a cronjob script that runs every minute is then used to escalate privileges.
The box also has some rabbit holes, but nothing that will waste too much of your time.
Link to box: Plotted-TMS
Let’s start with a quick nmap scan.
I start with the following options to get a quick idea of what we are exploring. For this easy box, this is more than sufficient.
nmap -sV -sC -T4 -vv -Pn -oN nmap_quick 10.10.208.156
I see that there are 3 ports open: an SSH service on port 22, and the other two running HTTP servers.
I next enumerated the HTTP servers, using ffuf to brute-force directories. Opening both sites in the browser takes us to the default Apache welcome page, which is not that interesting.
Port 80 http server enumeration
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.208.156:80/FUZZ
All of the above findings are rabbit holes, and will not lead us anywhere.
/admin gives us an ‘id_rsa’ file, but it contains only a base64-encoded string that is of no use. As I said, a rabbit hole.
The same goes for /passwd and /shadow. Let’s not waste time with more useless screenshots.
Port 445 http server enumeration
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.208.156:445/FUZZ
Port 445 has some findings that will interest us.
Let’s start by visiting the obvious one, /management.
I searched for “Traffic Offense Management System” on exploitdb, and found that it’s vulnerable to SQL injection.
Following is the exploit link if you want to have a look:
Offensive Security's Exploit Database Archive: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated) (webapps exploit for PHP)
Next, I opened Burp, visited the site and tried to log in with random credentials. The SQL query was echoed back in the response, which confirmed that the login form is vulnerable to SQLi.
Now for a basic SQL injection. Using admin' OR '1'='1 as the username and any random password logs us straight into the admin panel.
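To show why the admin' OR '1'='1 payload works and what the fix looks like, here is an added example (not code from the TMS application or from this writeup) that runs the same login check against an in-memory SQLite table constructed for the demo; the table schema and stored credential are assumptions, and the plaintext password is only to keep the demo short.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the TMS login table (assumption: the real
    schema is not shown in the writeup); SQLite in memory so it runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, the pattern behind the bug.
    The input becomes part of the SQL grammar: the quote in admin' OR '1'='1
    closes the string literal and the OR clause is evaluated. Because AND
    binds tighter than OR, the WHERE clause reduces to
    username = 'admin' OR ('1'='1' AND password = '...'), which is true."""
    query = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Same lookup with bound parameters: the values travel separately from
    the query text, so quotes in the input never change its structure."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"
    print("vulnerable, bypass payload:", login_vulnerable(db, payload, "x"))  # True
    print("hardened,   bypass payload:", login_hardened(db, payload, "x"))    # False
    print("hardened,   real password: ", login_hardened(db, "admin", "correct-horse"))  # True
```

The hardened version also never includes the query text in an error response, which is the second signal the writeup used to confirm the injection.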
By running ffuf again on /management, I found the /management/uploads directory. I uploaded a php-reverse-shell script to get a reverse shell.
Exploit — Getting Reverse shell
I configured the PHP script to call back to my attack machine. Uploading it is a piece of cake.
The TMS portal does not filter uploaded files at all. I selected the configured script from my computer and uploaded it.
Next, the usual: start a netcat listener and open the script.
Visiting http://10.10.208.156:445/management/uploads/1646510640_php-reverse-shell.php executes the script, and the reverse shell lands on the netcat listener.
Next I stabilize the shell and look for the flags. We cannot yet read the user flag, since we don’t have the permissions yet.
I see that there is a cronjob running as the plot_admin user. We will use this to escalate our privileges to the plot_admin user.
We have permission to write to the /var/www/scripts/ directory.
I use this to drop my own backup.sh script, which gives me a reverse shell as the plot_admin user.
I use the script shown in the screenshot below and transfer it to the target by spawning a simple Python HTTP server.
Make sure to remove the existing ‘backup.sh’ file first, then download the file described above. Remember to make it executable.
Now open another netcat listener with the port specified in the above file. In my case, it was 2222.
I waited for a minute, and got the reverse shell as plot_admin user.
With this, we are good to read the user.txt file.
Now for the root flag.
When searching for interesting binaries, I came across ‘doas’. This is a little unusual for a Linux system: doas is OpenBSD’s equivalent of the well-known sudo tool.
I check the doas configuration, and find that openssl can be run as root.
Next, I went to https://gtfobins.github.io/gtfobins/openssl/ and found that openssl can be used to read files as root.
With that we have the root flag.