TryHackMe: Ollie

Nmap scan resulting 3 open ports

Port 1337 is strange and i think it might be our entry point, so i tried to interact with it using netcat like so.

Got prompted some question and then it give me a credentials, let's check the web.

Using our credentials we got before for login and i got redirected to the dashboard.

Look at the bottom of the page there is a name and version of the CMS, let's search for some already exists vulnerability online.

I found script to gain RCE for version 1.4.5 and tried it but it seems didn't work so i found another interesting article here.

Go to this url: "http://10.10.39.10/index.php?page=administration&section=routing&subnetId=bgp&sPage=1" and then click action and subnet mapping and look at the search input, we can inject SQL here.

Using PoC payload from fluidsattack and it works perfectly.

Since we already log in on the CMS, i think there is no reason to dump the database, so i think we can gain RCE here.

First we need to check the user permission, is phpipam_ollie (our current user) have permission to write?

Y means Yes, we can write a webshell here.

The hex above is a PHP code.

Execute the payload above and let's make request with it.

Using encoded payload we can gain reverse shell here

Since we got user Ollie here, let's try to privilege escalation to Ollie using password used before for logs in to the web.

It works!

Then i grab pspy64 and run it.

Found an interesting process, feedme ?

Weird as f*ck, it's owned and running by root but since Ollie is on the group we can freely write to it. Let's gain root shell.