# Inception

## Inception - 10.10.10.67

### Target Enumeration:

IP: 10.10.10.67

User: 4a8bc2d686d093f3f8ad1b37b191303c

Root: 8d1e2e91de427a6fc1a9dc309d563359

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/S3FoYMAbq6Rtg-TR6XEjZRURlpqoIj1pvsPFb-4JP_xN71sJvfzR1_K1TDFed7TDB2EJFR391zPnP6MMtF2o8TkscDo4tfK-wyludsQatSobo8uVpAK_Fds07bjswGaZeD2BabVU" alt=""></div>

Squid is open, so we may need that later.

Dirb brought back nothing useful.

The default website has a very long page source, and at the bottom we find:

<div align="left"><img src="https://lh6.googleusercontent.com/iof8nuHkfQDDcZBbBdfZX_1WeGSybwcPevmL0FhNhVxKJmmoyJwIgQvXewQubMnCHSEIqOOrLPUnp8fPPAfk4W8Pff4xtbOZlIhr1Ndh-mNVY44flrAb5X_CNTPPqlmaoWBfZkSr" alt=""></div>

Checking the /dompdf location, we find a version and an applicable exploit:

![](https://lh3.googleusercontent.com/tCqPViTmAI8Op6Iy_uQwFsMJv76i7kWfiBezW9Xf-jP8eEfsdoG0L7nPqufYOa7WVsy6T9w-_up78W5Hi8sjVzfS5OMAdKmOQ_M6rfnPfMnE8xxZNEdGVMikGYBCYBc9s1ALUaTL)

Looks like we can read files from the filesystem:

Build the following request and send it in Burp:

![](https://lh4.googleusercontent.com/PZrmtD9lAnkXXLX6jqQGsG-f8YDE_TG7ln1B166WBw6SIxqMss4g3shid1-N8EgZHBdXu5Mi4Ld6Wr-pF6qbL-28HjV80koBOq4QZ2wKOp7f-xSo0yG2TC4NEWu6dcG1jxrJozL3)

Decode only the base64 string.

Now we have a user and the /etc/passwd file.

![](https://lh3.googleusercontent.com/GsmMFS2VucpTzptyi2iluNqBbgSdHLPghRbwV51YK5zCXt6kjlvtMexEwhJ_gVHpAgnREvet4IClM_uM1BvvAph2-uGbcnHRUjk1GpiQzOYHA2xmxrt9AMkp6YKFgnVF5TXLd81z)

Search around for interesting files:

Ensure you decode the results (Ctrl + Shift + B).

<div align="left"><img src="https://lh4.googleusercontent.com/_HaHZnADWyIVtNz_N_gqZib8499ZjcyakpBLuFa4Aa0g7RZSz4_4AbV_dHaSn7JU9w99xC15pEeh3dFvT9tTNvH2p_JlwZwPZapoR8QdwAuA-ohNa2LCVU8mIoHiD0mnc7UEJOaa" alt=""></div>

Grab the webdav passwd

![](https://lh5.googleusercontent.com/eKA1mD5KVllqJXgnbxOrgpufqFZbV1U9ceAb5PFM_qA_NjBiHTrhukR3Lr3Ms-cw2oyeon_8gpb6JrTPV3WAnjCHCfAdhxal6PYwTiyDecAQKfNBbQBP6mxhFFfKQeSl2Cx3Jnyv)

Crack that with john

![](https://lh4.googleusercontent.com/X-kOp8_KE4V69qrOHWHXccMHY7V9PmG4ZBttk8GfolxGK4hYR8KOcR64B9BhLnH7ZsOayqdoMb4S53UQCZPHECFQYrRtbSv-0gXsARm2RNExn7sojsRJhbzW4grFJpPqmvaXrFGH)

Now we need to find the webdav dir so check the original file:

<div align="left"><img src="https://lh5.googleusercontent.com/xGpq2WbCGIuQUjyckWWlK0_gLR7aXJpDMiTgijM3q5mGjyaY3wOW2JoFYzicaLNQ9qc5ZHRPVbWOSaGZtF2SwXWvOu2OzdUETTagDLD2YqwrceLMf82524ZMDO8AvtS9AnZPdVWN" alt=""></div>

Now cadaver to webdav\_test\_injection

We can upload a shell but cannot access it unless we are authenticated. Trying to use Squid to access the file remotely does not work; instead, upload a PHP reverse shell and a simple backdoor in case we can't get a shell back.

![](https://lh3.googleusercontent.com/JJ4k2ed4s3CPKdCl3Rr98lAi29K8fh-xQ_1Ps2uc80l1HFf0W27DZvi7yVXpdKCLCBk0_qqi7v9QynZORuJZ2LOAoW6Q2fM66chYSEnCHF07WgUZCQIHkI981VoCacKC3lHj0Ra5)

The reverse shell does not work but the simple one does.

Now we have command execution:

![](https://lh5.googleusercontent.com/3DAWCZoJkyBjKn9tkKKsHyY163phHnqHuD-SRipHVbN8MO3cxNUinsf5FBt2dHLjUZDWFqUMrLtkgwmCuzhIprDQVM4HRZy3Zt8W9bPngK30jwcirl-tqIC6cGkQST338-j3y6d_)

Enumerating the system, we see that SSH is open:

![](https://lh3.googleusercontent.com/c6XMPDdZBscDRiquVe-HJ0Qxbe5cC3yvLSFsphVYtjdHlBJb8XsFVKRXAl508VngG4yrnVvCGTjbGKKh0DUeovX4dNlihYMIvuWo0seMn__vBSZY8VDwWTarPPyb2jYypFPM8oyb)

It is not possible to get a shell back at this point, which suggests a firewall is stopping outbound connections, so send this command over to Repeater for further enumeration.

Seeing as we cannot use wget etc. to upload/download anything, upload LinEnum via cadaver and execute it with our simple PHP shell.

![](https://lh4.googleusercontent.com/6OXdGZAZ24UnPfYGAuS42ygwPB2UlQ5Vc0NrO4cnbRR2Z6EFvD4K5WCZDbegJA0eNsC5JU8yi7yvYymLGWpvxKW633Zmm-n71XrLLgsEOEstHz-dT2iNi-kmC5K-SpEB5_G6iMDm)

Script has run

![](https://lh6.googleusercontent.com/hdGm8qYDXlP79Ksre1YRzcFJ9FwyltWcvagzuOxQChTWHCMHHWN0OIfJJypPPwUcPvabzsiLGmYeZ-gyi14J8STXfKMIfuJ4Pif0JGin0clZjR-mx10tmNeuj0fOYA37ayYGJ23V)

WP config looks interesting

![](https://lh3.googleusercontent.com/2o0ZLmLixcdORiBlJlwrSy1kPx7EucHjdW6cB568O9QBuRQFF31M38LrR89t7i5yCP-OBK4mh9lxAyDvtnNDZUPzBu6c7nIy6uK94oJ7hcNRl7z5mpDEXQ9JGOY6KXkAtk8sRMQC)

Read this with the LFI we found earlier.

![](https://lh5.googleusercontent.com/FWZiusuQdiMZkneHzewtoKxooUR7ox7Hb4sUJDcrzAEAAYGcu8x4d6Pul_9tbZX75arp793HrHwEXwwktJ9ppCeP_vXCqIaIULLlTyJAqxYPrAA6adRaAchEgKRf75s7XAlbjt46)

Now we have a MySQL password, but MySQL is not running.

VwPddNh7xMZyDQoByQL4

Port 22 is open locally, so perhaps we need to access that via the Squid proxy:

Configure proxychains as follows:

<div align="left"><img src="https://lh4.googleusercontent.com/rd1qAdSjylQLujefn1Gh9YGuDrHYvQfDXOMEfMyb0W5nEsVVLmJjEGdM9oCPp3WdgWCBZmVLNa4LgjR2m3QJUllL7TvVpqKKrkGw6l3u9Nrg7mWUUIrFAu8xjwTBRCSowv4Goa9Q" alt=""></div>

Log in with the credentials you have found:

![](https://lh5.googleusercontent.com/wx6vd41KW-4lCBL9WoZL93RO6IxRXmI11D1YqpHDF1Ed23IdPJ0abId4mP2ti-Rkih9Sz1j6vz86-yHU_zPAOp5eDG8hWJAPorHQQ8PuC5JZiXlg44XsKVYwEI_GRQU1G0gnA5Zb)
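
A defender-side check for the proxy pivot described above, as an added example that is not part of the original write-up: it scans Squid `access.log` lines for CONNECT tunnels aimed at loopback or private addresses, or at ports other than 443. The log lines are constructed samples in Squid's native format, and the allowed-port set and function names are assumptions.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log format (not from the page).
SAMPLE_LOG = """\
1512000001.101    412 10.10.14.5 TCP_TUNNEL/200 5120 CONNECT example.org:443 - HIER_DIRECT/192.0.2.10 -
1512000002.202   9034 10.10.14.5 TCP_TUNNEL/200 3988 CONNECT 127.0.0.1:22 - HIER_DIRECT/127.0.0.1 -
1512000003.303     12 10.10.14.5 TCP_MISS/200 2841 GET http://10.10.10.67/ - HIER_DIRECT/10.10.10.67 text/html
1512000004.404      3 10.10.14.5 TCP_DENIED/403 3901 CONNECT localhost:3306 - HIER_NONE/- text/html
1512000005.505    120 10.10.14.5 TCP_TUNNEL/200 900 CONNECT [::1]:22 - HIER_DIRECT/::1 -
"""

ALLOWED_CONNECT_PORTS = {443}  # assumption: only HTTPS tunnels are legitimate


def split_authority(authority):
    """Split 'host:port' or '[v6]:port' from a CONNECT request target."""
    host, _, port = authority.rpartition(":")
    return host.strip("[]").lower(), int(port)


def is_internal(host):
    """True for localhost names and loopback/private/link-local literals."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def suspicious_connects(log_text):
    """Return a finding for every CONNECT aimed at an internal host or odd port."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        try:
            host, port = split_authority(fields[6])
        except ValueError:
            continue  # malformed target: skip rather than crash
        reasons = []
        if is_internal(host):
            reasons.append("internal-destination")
        if port not in ALLOWED_CONNECT_PORTS:
            reasons.append("non-tls-port")
        if reasons:
            findings.append({"client": fields[2], "target": fields[6],
                             "allowed": not fields[3].startswith("TCP_DENIED"),
                             "reasons": reasons})
    return findings
```

Findings with `allowed` set to true are tunnels the proxy actually opened; on the proxy itself, Squid's `http_access deny CONNECT !SSL_ports` and `http_access deny to_localhost` rules are the matching preventive controls.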

`sudo su` gives you root with the same password.

However, the root flag is hidden.

Looking at the IP tells us we may be inside a VM:

![](https://lh6.googleusercontent.com/6_BTt4SJIcCG3wNXpR2GjNFOZ-FsNZOZLqFX-1FkmmiBiAnlaHUZttUFVmPgoy345BnRdXi53PHBOMQnweNxqRvGCIvnDJKs7U_5jGnNUOBnajUdTmf5_1aYb_kxts862org3af5)

Find the gateway and scan it with Nmap, which reveals that TFTP is open.

![](https://lh6.googleusercontent.com/nit3v0sCUc6flTf1OHmLCacocVB0RlYsIRuae_syy_qM_Ux8zbi6y4akVz_YFzqQAdCiYqcrnMqQl3aefejlK258NFCr_TG_mR6x2Ul2T5SDc5rQW9vweh6qXqOLQv0HZDD-vrB_)

Upload all of the following scripts via TFTP to the gateway and wait around 5 minutes to get a proper shell on Inception:

![](https://lh3.googleusercontent.com/btEH-tdN2DPaRhw-UcLoj7RpmbEb5mpaHacZppDZqu82tDrR99wIRpLdot_U_lLVKMtepA2QrXD9V_EkF6UhZUgWveHGaK4VbJPVWWsSM16EJeB04Mhey_7UCEiladW_w0J_Z8He)

Script.sh

![](https://lh5.googleusercontent.com/Ku2hkBqt9ZW1jG9FpLFqOgQP6QBHUfSSWlR5LouHkpyr9eaDQ8ne1UXYGkx5T8yNzXKDZ8ZXYdzjXa1UMY7wFmzM7kiHJh4rb2tDzCK5XyAni2UjjnnOC-1asTrOdza4nGux9Ymh)

Waiting for the new crontab to run:

![](https://lh6.googleusercontent.com/jV8K5nTJNsXYdcVoCm4UwEFAulzS4b2CXNO9tO4enWjNy8Te0JdV1Pnbmxpi3PeNst9jwpLDsOfQxF6zmZmB9ec2v9mHbymnSsBzzW-PW_IjCKzmPxy7QoojckDP7-NgFP3lYsMH)

Collect your flag

![](https://lh4.googleusercontent.com/uTARjo5sTl3TRTJNbC_Od0A-9-17Qdtzbd9kSyiZl6ObWBEdQVWYHxHx7W6bJFoRWAcG24l-nCDCYQogrnrrx_tpjYtzO2DY1naIOnDEhD6MgMjAhGovZgd5CN1h6lRQJXmhKqz5)
