In this post, I would like to share a walkthrough of the Sustah room.
This room is rated MEDIUM difficulty.
We need to deploy the machine before we can play with it.
Once the machine is fully up (about 3 minutes), we can start information gathering by running nmap -sC -sV -Pn <IP Address> (-Pn skips host discovery, so the scan proceeds even if ICMP probes are dropped).
Multiple ports are open, but the ones that caught my attention are:
- 22: OpenSSH 7.2p2
- 80: Apache httpd 2.4.18
- 8085: Gunicorn 20.0.4
Let's see what the website on port 80 shows.
Nothing we can do here right now. Let's look at the website on port 8085.
Oh wow! There's a spin button. Clicking it asks us to input a number and press enter.
There are two things we need from this game, the number and the path, and we can get both at the same time.
The X-RateLimit-Limit header appears in the response output, so guesses are rate-limited per client.
Before we proceed, we need to know that the rate limit keys on the client IP, and that applications often read that IP from one of the following HTTP headers, which the client controls:
- X-Originating-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
Let's run Burp Intruder against the input, supplying a fresh value for one of those headers with each guess so the rate limit never trips, to find the number and the path.
It will take some time for the results to show. We can test whether a number is valid by entering it in the input field and pressing the button.
Let's open the path we found in the browser.
Mara CMS appears on the website interface. To be frankly honest, I have never used Mara CMS before, so let's Google for any exploit we can use against Mara CMS.
The first result looks interesting; let's see what the exploit has in store for us.
From the exploit above, we get the following information that we might use later on:
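To make the bypass above concrete, here is an added example (not code from the room or the original post) that models a naive per-IP rate limiter beside a hardened one and runs constructed attacker traffic through both. The header names are the four listed above; the limit of 10 requests per key, the attacker's real address 10.10.14.5 and the spoofed 127.x.y.z values are assumptions for illustration.

```python
"""Added example: why spoofing a client-IP header such as X-Remote-Addr defeats
a naive per-IP rate limit. The limiter is modelled as a pure function over
constructed request dicts so it runs offline; limit, addresses and header
values are assumptions, not taken from the room."""
from collections import defaultdict

# Headers a proxy-aware app might consult for the "real" client address.
CLIENT_IP_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr")


class NaiveLimiter:
    """Vulnerable: keys the counter on whatever client-IP header the request carries."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(int)

    def client_key(self, request):
        for name in CLIENT_IP_HEADERS:
            value = request["headers"].get(name)
            if value:
                # X-Forwarded-For may be a list; the left-most entry is treated as the client.
                return value.split(",")[0].strip()
        return request["remote_addr"]

    def allow(self, request):
        key = self.client_key(request)
        self.hits[key] += 1
        return self.hits[key] <= self.limit


class HardenedLimiter(NaiveLimiter):
    """Fixed: keys only on the TCP peer address, which the client cannot choose."""

    def client_key(self, request):
        return request["remote_addr"]


def spoofed_guesses(n, header="X-Remote-Addr", real_ip="10.10.14.5"):
    """Constructed attacker traffic: n guesses from one real IP, each carrying a fresh fake IP."""
    for i in range(n):
        yield {
            "remote_addr": real_ip,
            "headers": {header: f"127.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"},
            "guess": i,
        }


def count_allowed(limiter, requests):
    """How many requests got past the limiter, i.e. how many guesses the attacker can make."""
    return sum(1 for r in requests if limiter.allow(r))


if __name__ == "__main__":
    guesses = 500
    print("naive   :", count_allowed(NaiveLimiter(10), spoofed_guesses(guesses)), "of", guesses)
    print("hardened:", count_allowed(HardenedLimiter(10), spoofed_guesses(guesses)), "of", guesses)
```

The naive limiter lets every spoofed guess through because each request lands in a fresh bucket, while the hardened one stops at 10 regardless of headers. If the application genuinely sits behind a reverse proxy, the fix is to trust X-Forwarded-For only when the peer address is the proxy itself, never from arbitrary clients.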
- Username: admin
- Password: changeme
Let's find the login page so we can log in to the Mara CMS dashboard. I will guess the login page path here: <IP Address>/YouGotTh3P@th/index.php?login=
An index.php front page is standard for most PHP sites on the internet.
Wuhuu! We got the login page, which needs a username and password to access the dashboard.
I had a breakdown just trying to crack the username and password for this website. However, I just remembered that we were provided with a username and password in the exploit-db entry. Let's try logging in with those credentials.
Let's find a location to upload the reverse shell to the machine.
Let's click File > New and the website interface will look like below:
It looks like the website has redirected to http://target/codebase/dir.php?type=filenanew. Let's upload the reverse shell there.
Before we browse to the file upload location, we need to start a listener.
The website has been reloading for some time now; let's check the listener to see if we got a connection back.
We have a shell on the server. Let's grab user.txt in /home/kiran.
As you can see, we cannot read user.txt; permission is denied.
We need to look for kiran's password, and /var/backups is a good place to start, as it often holds interesting files.
We can see passwd.bak, which might contain the user and password we need.
Once again, permission to read the file is denied. Let's see if there are any hidden files in /var/backups (ls -la shows the dotfiles that a plain ls hides).
Oh wow! I found .bak.passwd in the folder. Let's check what's inside that file.
We have kiran's password. Let's switch to the kiran user.
Once we have successfully logged in as kiran, we can access /home/kiran.
Now we can read user.txt as below:
Let's enumerate more in order to escalate to root.
We ran commands such as find / -user root -perm /4000 2>/dev/null and sudo -l but didn't find anything interesting (note that the option is -perm; find rejects -perms as an unknown predicate).
So let's run linpeas.sh on the machine.
Now, let's execute linpeas.sh as below:
Once linpeas.sh completed, I analysed the result and found out that kiran can run rsync.
Let's go to GTFOBins and search for a technique we can use with rsync.
Now, let's execute the command we found on GTFOBins.
The command doesn't work at all; we might need to tweak it. GTFOBins gives separate variants depending on how the binary is privileged (sudo, SUID, capabilities), and the SUID one wraps the shell in sh -p so it keeps the elevated effective UID instead of dropping it.
It still doesn't execute. So let's run it from within /var/backups.
We got the bash shell.
Let's read the root flag in the /root directory.
Happy Learning Guys!