Europa

Europa - 10.10.10.22

Target Enumeration:

OS: Linux
IP: 10.10.10.22
User: 2f8d40cc05295154a9c3452c19ddc221
Root: 7f19438b27578e4fcc8bef3a029af5a5

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

SQLi Authentication bypass

Privilege Escalation:

Misconfigured cronjob

Exploiting the host:

Nmap
SSL certificate gives us a new domain so update hosts file:
Visiting the site gives us a login page.
Capture a login with burp and send it to the intruder to be fuzzed for sqli
Can bypass the login with an sqli payload:
Request this payload in the browser and we are logged in
Under the tools tab you can generate a VPN config file so test it for command execution.
Eventually we found it is vulnerable using the following command:
Successfully hitting our server:
Generate a php reverse shell with msfvenom and host it in the webroot
Generate a reverse shell with nc and URL encode it.
Shell spawned on 443
Another misconfigured cronjob
Inspecting the file shows us that it is executing another sh file located in /var/www/cmd/
So create the file and wait for it to execute
Now we have a root shell and collect our flags