January 7, 2022
An initial scan shows only two open TCP ports: 12340 and SSH on 22. Connecting to 12340 with netcat reveals an Apache 2.4.6 web server running PHP 5.4.16.
A directory scan then shows that RMS is installed on the web server.
While browsing the site manually we notice two things: once we create an account we receive a sample message from an account called "administrator", and the Contact Us section lists an email address on the pathfinderhotel.com domain, so brute-forcing login credentials for an email@example.com could be an option.
In the meantime, looking into RMS itself, there is a known unauthenticated RCE that allows uploading a PHP webshell. I used it, launched a reverse shell and started enumerating the box.
The /home directory shows an edward user, and the RMS config.php contains DB credentials. With those we can inspect the database running on the local machine: the member table of the dbrms database holds credentials, including a hashed password for the user edward zeno. The hash is MD5, so cracking it should give us the password needed to escalate our current shell to edward.
But this is not our lucky day: the hash does not crack easily. Time to run a privilege escalation checker and hope for a lead.
Linpeas reports that we have write permission on a service, which may be useful later, and also that there are passwords in /etc/fstab; this is true for a zeno user. That password also works for the edward user, and so we get our first flag.
We can now run linpeas again and go through the usual privesc checks. We can run reboot with sudo, so we can exploit the writable service linpeas showed us earlier. If we edit its ".service" file and put this in its ExecStart:
/bin/bash -c 'cp /usr/bin/bash /var/tmp/shell && chmod +s /var/tmp/shell'
we can then reboot the machine with sudo; once it is back up, we log in as edward and run our SUID shell to act as root. Job finished.
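Everything that made this chain work is a host hygiene issue an administrator can catch: a unit file that a non-root user can edit, a plaintext password sitting in /etc/fstab, and a setuid copy of bash left in /var/tmp. The following audit script is an added example, not part of this writeup or of the box; the function names and the fixture-style arguments are my own, and it takes its paths as arguments so it can be run against the live locations or against a test directory.

```shell
#!/bin/sh
# Added defender-side audit (example code, not from the original writeup).
# It looks for the three weaknesses the writeup chains together:
#   1. systemd unit files that non-root users can edit
#   2. plaintext credentials embedded in /etc/fstab
#   3. setuid/setgid binaries dropped into a shared temp directory
# Every check takes its paths as arguments; on a live host the usual
# arguments are /etc/systemd/system, /etc/fstab and /var/tmp.

# 1. Unit files with the group-writable or world-writable bit set.
find_writable_units() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.service' -o -name '*.timer' \) \
             \( -perm -020 -o -perm -002 \) 2>/dev/null
    done
}

# 2. Active fstab lines carrying an inline password= mount option.
#    A credentials=<file> option is the recommended alternative and is
#    deliberately not flagged. Output is "line-number:line".
find_fstab_passwords() {
    grep -nE '^[^#].*[,[:space:]]password=' "$1" 2>/dev/null || true
}

# 3. Files with the setuid or setgid bit under a temp directory; a healthy
#    system has none there.
find_suid_in_tmp() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
}

# Runs all three checks, prints the findings, and returns the number of
# checks that found something (0 means clean).
audit_host() {
    unit_dir=$1 fstab=$2 tmp_dir=$3
    n=0
    out=$(find_writable_units "$unit_dir")
    [ -n "$out" ] && { echo "writable unit files:"; echo "$out"; n=$((n + 1)); }
    out=$(find_fstab_passwords "$fstab")
    [ -n "$out" ] && { echo "fstab lines with inline passwords:"; echo "$out"; n=$((n + 1)); }
    out=$(find_suid_in_tmp "$tmp_dir")
    [ -n "$out" ] && { echo "setuid/setgid files in temp dirs:"; echo "$out"; n=$((n + 1)); }
    return "$n"
}

# Stand-alone use: sh audit.sh /etc/systemd/system /etc/fstab /var/tmp
if [ "$#" -eq 3 ]; then
    audit_host "$@" || echo "checks with findings: $?"
fi
```

Running it as root right after a reboot is the cheapest way to confirm that no unit file is group- or world-writable, that mount credentials live in a root-only credentials file instead of inline in fstab, and that nothing with the setuid bit has appeared under /var/tmp; a non-zero return code from audit_host is a convenient hook for a cron job or a configuration-management check.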
Merry hacking ;)