Lazy - 10.10.10.18
Ports / Services / Software versions running
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
Authentication bypass to gain access to web application
Executable file with weak permissions
Exploiting the host:
Visiting the web application
Can't create an admin user, as one already exists.
Create a new user with the name admin= and we discover an SSH key.
Download the key with wget, change its permissions, then log in with the SSH key.
There is an unusual file called backup in the home directory, which reads the /etc/shadow file.
Running strings on it shows us that it uses cat.
Create a file called cat in the home dir with the contents:
Make it executable with
chmod 777 cat
Export PATH set to the user's home directory so that it picks up the malicious cat file first.
Execute the file to get root.
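Why this works, and the fix, as an added example that is not code from the box: the source of backup is not shown here, so backup_vulnerable() is an assumption inferred from the strings output, and both function names are hypothetical.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* ASSUMED vulnerable pattern: system() runs "/bin/sh -c", and the shell
 * looks up the bare name "cat" in the PATH inherited from the caller.
 * In a setuid-root binary, whoever controls PATH controls what runs. */
int backup_vulnerable(void)
{
    return system("cat /etc/shadow");
}

/* Hardened form: no shell, absolute path to the utility, and a fixed
 * environment, so nothing inherited from the caller affects resolution.
 * Returns cat's exit status, or -1 if it could not be run. */
int backup_hardened(const char *file)
{
    char *const argv[] = { "cat", (char *)file, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/cat", argv, envp);  /* execve() never searches PATH */
        _exit(127);                      /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    return backup_hardened("/etc/shadow");
}
```

If the program only needs the file's contents, reading it directly with fopen() avoids launching an external command at all.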