
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

Going right to work, I used Nmap to scan the target with service version detection, OS detection, script scanning, and traceroute enabled.

[Image: Nmap Scan]

SSH Enumeration:

Seeing that OpenSSH was version 7.2, I knew it was vulnerable to CVE-2018-15472. However, I decided not to brute-force user enumeration and performed no further investigation.

Web Enumeration:

Since TCP port 80 was the only other open port on the system, I launched dirb against it.

[Image: Dirb Scan]
[Image: Default Website]
[Image: /app/]
[Image: /app/etc/local.xml]
[Image: /app/etc/config.xml]
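The directory scan above reached /app/etc/local.xml, the Magento 1 file that holds the database credentials and the encryption key; a web server that serves that path is leaking secrets to anyone who can browse to it. The following is an added example (not code from the original post) that a site owner can run against their own installation to confirm the path is denied: it requests each config path and, if a body comes back, parses it for the secret-bearing elements. The fetch callable, the sample local.xml and the host name are constructed so the check runs offline.

```python
"""Check whether a Magento 1 install serves app/etc/local.xml over HTTP.

Added example, not part of the original post. The fetch callable is injected
so the check runs offline against a constructed response; in practice pass a
function wrapping urllib or requests against a host you administer.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

# Config files under app/etc that a hardened web server must never serve.
CONFIG_PATHS = ("/app/etc/local.xml", "/app/etc/config.xml")

# Elements in local.xml whose text is a secret (DB credentials, crypt key).
SENSITIVE_TAGS = ("username", "password", "key")


def sensitive_values(xml_text: str) -> Dict[str, str]:
    """Return {tag: value} for every secret-bearing element found in local.xml."""
    found = {}
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag in SENSITIVE_TAGS and elem.text and elem.text.strip():
            found[elem.tag] = elem.text.strip()
    return found


def audit_config_exposure(fetch: Callable[[str], Optional[str]], base_url: str) -> List[dict]:
    """Request each config path; report the ones served and which secrets they leak."""
    findings = []
    for path in CONFIG_PATHS:
        body = fetch(base_url + path)
        if body is None:
            continue  # 403/404: the web server correctly denies the path
        try:
            leaked = sensitive_values(body)
        except ET.ParseError:
            leaked = {}  # served, but not parseable XML: still worth reporting
        findings.append({"path": path, "leaks": sorted(leaked)})
    return findings


# --- constructed sample data for an offline run (not from the target) ---
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <crypt><key><![CDATA[0123456789abcdef0123456789abcdef]]></key></crypt>
    <resources>
      <default_setup>
        <connection>
          <host><![CDATA[localhost]]></host>
          <username><![CDATA[magento]]></username>
          <password><![CDATA[hunter2]]></password>
          <dbname><![CDATA[magento]]></dbname>
        </connection>
      </default_setup>
    </resources>
  </global>
</config>
"""


def fake_fetch_exposed(url: str) -> Optional[str]:
    """Simulates a misconfigured server that serves local.xml (constructed)."""
    if url.endswith("/app/etc/local.xml"):
        return SAMPLE_LOCAL_XML
    return None  # config.xml is not served in this constructed scenario


def fake_fetch_hardened(url: str) -> Optional[str]:
    """Simulates a server that denies everything under /app/etc/ (constructed)."""
    return None


if __name__ == "__main__":
    # Hypothetical host name; replace with a server you own.
    for name, fetch in (("exposed", fake_fetch_exposed), ("hardened", fake_fetch_hardened)):
        print(name, audit_config_exposure(fetch, "http://shop.example"))
```

A finding with `leaks` containing `password` or `key` means the web server configuration, not the Magento code, needs fixing: the whole app/etc/ directory should be denied at the web server so the files are readable only by the PHP process on disk.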

Admin Panel Exploit:

Reviewing the RCE exploit, I determined that a /admin site existed.

[Image: Searchsploit]
[Image: Magento Admin Panel]
[Image: 37977.py Modifications]
[Image: Executed Exploit]
[Image: Authenticated Admin Panel]

Foothold:

To obtain a shell, a file system plugin had to be uploaded to the web site. The Magpleasure_Filesystem plugin could be downloaded from the following site:

[Image: Magento Connect]
[Image: Plugin Upload]
[Image: Successful Upload]
[Image: Exposed IDE Filesystem]
[Image: PHP Shell Code]
[Image: Modified Cron.php]
[Image: Valid Shell]
[Image: Python Version]
[Image: Python Reverse Shell Code]
[Image: Python Reverse Shell]
[Image: Connected Netcat Listener]

User Flag:

With an established shell, I needed to determine my current credentials and privileges.

[Image: www-data]
[Image: User.txt Flag]

Privilege Escalation:

Next up was the root flag. I decided to review the /etc/sudoers file to determine whether I could escalate privileges.
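Reading /etc/sudoers by hand works for one box; on a fleet the same review is better automated. The following is an added example (not code from the original post) of a small sudoers audit: it parses the user-specification lines and flags the patterns that turn a web-server account into root, namely sudo rights granted to a service account, NOPASSWD tags, wildcards in command arguments, and commands such as editors and pagers that can launch other programs. The sudoers text is constructed for the demonstration and is not the target's actual file.

```python
"""Audit sudoers rules for entries that let a low-privilege account reach root.

Added example, not part of the original post. The sudoers text below is
constructed; on a real host read /etc/sudoers and /etc/sudoers.d/* as root
(or use `sudo -l` on the account in question) and feed the contents in.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Accounts that should never hold sudo rights: web and service users.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres"}

# Binaries that can run other programs from inside (editors, pagers, interpreters).
SHELL_CAPABLE = {"vi", "vim", "less", "more", "man", "bash", "sh", "python", "perl"}

# user  host=(runas) [TAG: ...] command, command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Optional[Tuple[str, List[str], List[str]]]:
    """Split a user-specification line into (user, tags, commands)."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags = []
    # Tags such as NOPASSWD: or SETENV: precede the command list.
    while True:
        tm = re.match(r"^([A-Z]+):\s*", rest)
        if not tm:
            break
        tags.append(tm.group(1))
        rest = rest[tm.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return m.group("user"), tags, commands


def audit_sudoers(text: str) -> List[Finding]:
    """Return one Finding per rule that carries at least one risky pattern."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, tags, commands = parsed
        if user == "root":
            continue  # root's own rule grants nothing it does not already have
        reasons = []
        if user.lstrip("%") in SERVICE_ACCOUNTS:
            reasons.append(f"service account '{user}' granted sudo")
        if "NOPASSWD" in tags:
            reasons.append("NOPASSWD: no password required")
        for cmd in commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                reasons.append(f"'{binary}' can launch other programs")
            if "*" in cmd:
                reasons.append("wildcard in command argument")
        if reasons:
            findings.append(Finding(line=line, reasons=reasons))
    return findings


# Constructed sample; the last two rules are hypothetical, not the target's file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# a misconfiguration of the kind a web-shell foothold turns into root
www-data ALL=NOPASSWD: /usr/bin/vi /var/www/html/*
deploy  ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Each reason maps to a fix: remove sudo from the service account entirely, require a password, replace the wildcard with an explicit path, and grant a non-interactive command (or a wrapper script) instead of an editor that can run other programs.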

[Image: /etc/sudoers]
[Image: Root.txt Flag]

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Cyber Security Enthusiast
