In this post, I would like to share a walkthrough of the Sustah room.

This room is rated as a MEDIUM difficulty machine.

Let’s Start!

We need to deploy the machine before we can start working on it.

Once the machine is fully up, which takes about 3 minutes, we can start information gathering by running the command nmap -sC -sV <IP Address> -PN

Several ports are open, but the ones that caught my attention are:

  • 22: OpenSSH 7.2p2
  • 80: Apache httpd 2.4.18
  • 8085: Gunicorn 20.0.4

Let’s see what appears on the website.

There is nothing we can do here right now. Let’s look at the website served on the other port, 8085.

Oh wow! There’s a spin button. Clicking it asks us to input a number and press enter.

There are two methods of getting the number and the path at the same time.

1st Method

We can see that an X-RateLimit-Limit header is shown in the response output, which tells us the endpoint enforces a per-client rate limit.

Before we proceed, we need to know that a server may take the client address from one of the following HTTP headers, each of which can be set in the request:

  • X-Originating-IP: 127.0.0.1
  • X-Forwarded-For: 127.0.0.1
  • X-Remote-IP: 127.0.0.1
  • X-Remote-Addr: 127.0.0.1

Let’s run the Intruder function to obtain the path and the number we need in order to proceed.

It will take some time for the results to appear. We can test whether a number is valid by entering it in the input field and pressing the click button.
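As an added defender-side example that is not part of the original walkthrough: a minimal Python rate limiter (Python is assumed because the target runs under Gunicorn) showing why keying the limit on a client-supplied address header lets the count reset on every request, next to a version that only honours X-Forwarded-For when the request arrives from a configured trusted proxy. The proxy, peer and client addresses are constructed sample values.

```python
# Added example, not from the original post: client-address keying for a rate limiter.
from collections import defaultdict
import ipaddress

# Headers listed in the walkthrough; any client can set them to any value.
SPOOFABLE_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr")

def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def naive_client_ip(remote_addr, headers):
    """Vulnerable: honours the first spoofable header present, whoever sent it."""
    for name in SPOOFABLE_HEADERS:
        if name in headers:
            return headers[name].split(",")[0].strip()
    return remote_addr

def hardened_client_ip(remote_addr, headers, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy; walk the
    chain from the right past trusted hops and reject values that are not IPs."""
    if remote_addr in trusted_proxies and "X-Forwarded-For" in headers:
        for hop in reversed(headers["X-Forwarded-For"].split(",")):
            hop = hop.strip()
            if hop not in trusted_proxies:
                return hop if _valid_ip(hop) else remote_addr
    return remote_addr

class RateLimiter:
    """Allows at most `limit` requests per key (no window expiry, kept short)."""
    def __init__(self, limit, key_func):
        self.limit, self.key_func = limit, key_func
        self.counts = defaultdict(int)
    def allow(self, remote_addr, headers):
        key = self.key_func(remote_addr, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def simulate(limiter, n_requests, spoof, peer="203.0.113.5"):
    """n requests from one TCP peer (constructed address); with spoof=True the
    X-Forwarded-For value changes every request. Returns the number allowed."""
    allowed = 0
    for i in range(n_requests):
        headers = {"X-Forwarded-For": f"10.0.0.{i % 250 + 1}"} if spoof else {}
        if limiter.allow(peer, headers):
            allowed += 1
    return allowed
```

With the naive key function, 20 spoofed requests from one peer are all allowed against a limit of 5; with the hardened key function and an untrusted peer, only 5 get through.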

Let’s open the discovered path in the browser.

Mara CMS appears on the website. To be frankly honest, I have never used Mara CMS before, so let’s google whether there is any exploit we can use against Mara CMS.

The first result looks interesting to me; let’s see what the exploit has in store for us.

From the exploit above, I found the following information, which we might use later on.

  • Username: admin
  • Password: changeme
  • http://target/codebase/dir.php?type=filenanew

Let’s find the login page so we can log in to the Mara CMS dashboard. I will guess the login page path here as <IP Address>/YouGotTh3P@th/index.php?login=

An index.php page is present on most websites on the internet.

Wuhuu! We got the login page, where we need to key in the username and password to access the dashboard.

I nearly had a breakdown just trying to crack the username and password for this website. However, I then remembered that we were given a username and password in the exploit-db entry. Let’s try logging in with those credentials.

Let’s find a location where we can upload a reverse shell to the machine.

Let’s click File > New, and the website interface will look like below:

It looks like the website has been redirected to the http://target/codebase/dir.php?type=filenanew location. Let’s upload the reverse shell through it.

Before we go to the file upload location, we need to start a listener.

The website has been reloading for some time now; let’s check the listener to see whether we got a connection back.

We have successfully landed in the server environment. Let’s grab user.txt in /home/kiran.

As you can see, we cannot read the user.txt file: permission is denied.

We need to look for kiran’s password, so let’s head to /var/backups, where we might find some interesting files.

We can see the passwd.bak file, which might contain the user and password we need.

Once again, the file permissions deny us from reading it. Let’s see whether there are any hidden files in /var/backups.

Oh wow! I found .bak.passwd in the folder. Let’s check what is written inside that file.

We have got kiran’s password. Let’s switch to kiran’s account.

Once we have successfully logged in as kiran, we can access /home/kiran.

Now we can read user.txt as below.

Let’s enumerate further in order to gain root privileges.

We executed some commands, such as find / -user root -perm /4000 2>/dev/null and sudo -l, but didn’t find anything interesting.

As a result, let’s get linpeas.sh onto the machine.

Now let’s execute linpeas.sh as below:

Once linpeas.sh has completed, I analysed the result and found that kiran can run rsync.

Let’s go to GTFOBins and search for any exploit we can use.


Now let’s execute the command we found on GTFOBins.

The command doesn’t work at all, so we may need to tweak it for it to work.

It still cannot be executed. So let’s execute it from within /var/backups.

We got the bash shell.

Let’s read the root flag in the /root/ directory.

-THE END-

Happy Learning Guys!

By Wan Ariff

He brings working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion is IT Security.
