Name: KB-VULN: 3
Release Date: 03 Oct 2020
Difficulty Stated: N/A
Difficulty I found: Beginner
OS used: KaliLinux 2020.3
Things you can learn from this VM: Enumeration, Directory finding, SMB anonymous login, Zip cracking, SiteMagic CMS vulnerability, EDB-ID:48788, PHP shell upload, Privilege Escalation, Reverse shell
As always, we start with an Nmap scan.
Successfully logged in to the SMB share as an anonymous user.
Downloaded the website.zip archive; since it was password protected, we used fcrackzip to guess the password.
Extracted all the files using the password porchman.
Got user credentials and tried them for SSH, but that failed. Ran gobuster to find any meaningful directory, but still no success.
Next, I started reviewing the different files extracted from website.zip. Inside install.php I found a GitHub link, which pointed to SiteMagic CMS.
Tried appending “sitemagic” to the IP of this machine, 192.168.10.7, and successfully got a web page.
Found a SiteMagic CMS vulnerability, EDB-ID:48788, as shown below.
Logged into the admin panel with the above-mentioned credentials and uploaded my php-reverse-shell to the web server.
Gained access as a low-privileged user and read the user flag.
Next, I downloaded and ran this script to find any SUID binaries (great script, works wonderfully with Python).
I found /bin/systemctl set as a SUID binary.
The method posted on GTFOBins didn't work for me, so I created a new file, myshell.service, with the following contents in the /dev/shm directory. Please replace the IP and PORT details with your own.
Next, I ran the following commands (make sure you use the absolute path).
Got a reverse shell as the root user.
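As an added example (not the author's script and not part of the original writeup), here is a small Python audit a defender could run to catch both halves of this privilege escalation: a root-owned SUID bit on a binary outside a known baseline (here /bin/systemctl), and a systemd unit file that lives in, or executes from, a scratch directory such as /dev/shm. The baseline set, the sample SUID entries and the sample unit text are constructed assumptions.

```python
import os
import stat

# Constructed baseline of binaries that are SUID on a stock Debian-style install (assumption).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
}
# Directories from which systemd legitimately loads unit files.
UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system",
             "/usr/lib/systemd/system", "/run/systemd/system")

def unexpected_suid(entries):
    """entries: iterable of (path, st_mode, st_uid). Returns root-owned SUID binaries not in the baseline."""
    return sorted(path for path, mode, uid in entries
                  if mode & stat.S_ISUID and uid == 0 and path not in EXPECTED_SUID)

def suspicious_unit(unit_path, unit_text):
    """Return reasons a unit file looks planted: it lives outside UNIT_DIRS,
    or its ExecStart runs something from a scratch/tmpfs directory."""
    reasons = []
    if not unit_path.startswith(UNIT_DIRS):
        reasons.append(f"unit outside standard directories: {unit_path}")
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            # drop systemd's special prefixes (-, @, +, !, :) before the path
            cmd = line.split("=", 1)[1].strip().lstrip("-@+!:")
            if cmd.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
                reasons.append(f"ExecStart from scratch directory: {cmd}")
    return reasons

def scan_suid_live(root="/"):
    """Walk a real filesystem and return its unexpected SUID binaries."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                entries.append((path, st.st_mode, st.st_uid))
    return unexpected_suid(entries)

# Constructed sample input mirroring the writeup's finding (not real host data).
SAMPLE_SUID = [("/usr/bin/passwd", 0o104755, 0), ("/bin/systemctl", 0o104755, 0),
               ("/usr/bin/ls", 0o100755, 0), ("/home/kb/tool", 0o104755, 1000)]
SAMPLE_UNIT = ("/dev/shm/myshell.service", "[Service]\nExecStart=/dev/shm/payload\n")
```

Running `unexpected_suid(SAMPLE_SUID)` flags only /bin/systemctl, and `suspicious_unit(*SAMPLE_UNIT)` reports both the unit location and its ExecStart path; `scan_suid_live()` applies the same check to a real host.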