Compromised Writeup – Hack The Box

From the quick nmap scan I saw that two ports were open

SSH and HTTP

By browsing to port 80, I got to know that LiteCart is during

By running gobuster I found the /backup directory

From there I got a tar file. I downloaded it to my local machine

From the file shop/admin/login.php in the tar file I got a new location to browse to

On browsing to it I got the admin password

username: admin

password: theNextGenSt0r3!~

By logging in with the above credentials at /shop/admin I was able to confirm the version of LiteCart

This exploit will not work directly. I did some edits to the file

and along with a PHP bypass file I was able to get RCE

I got the bypass code from the exploit below

python -p 'theNextGenSt0r3!~' -u admin -t

I got RCE on browser

I found that mysql is there as a user

On running -u root -pchangethis -e "select exec_cmd('whoami')"

I generated a key pair on my local machine and ran -u root -pchangethis -e "select exec_cmd('echo *public key* > /var/lib/mysql/.ssh/authorized_keys')"

I changed the key of the mysql user to the key I generated

Now I should be able to SSH into the system as mysql user

After logging in and enumerating the files I got an interesting output

Password = 3*NLJE32I$Fe

I tried to ssh as sysadmin using the password

With the clue I got I searched for files which were recently modified; I found /lib/x86_64-linux-gnu/security/

I downloaded the file

scp [email protected]:/lib/x86_64-linux-gnu/security/ ./

I opened it using Ghidra

I started a new project

After that I just dragged the .so file onto the application

From opening the authenticate file

This is equivalent to zlke~U3Env82m2-
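The modified PAM module above was found by looking for recently changed files. As an added defender-side example (not part of this writeup), the script below does the check more reliably: it hashes every module in a security directory and compares the result with a dpkg-style *.md5sums manifest, flagging files whose content differs from the package record and files that no package accounts for. The directory layout, module names and file contents are constructed inline so it runs offline.

```python
import hashlib
import os
import tempfile


def parse_md5sums(manifest_text):
    """Parse dpkg *.md5sums lines ('<md5>  <path relative to />') into {rel_path: md5}."""
    expected = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        expected[rel_path] = digest
    return expected


def md5_of(path):
    """MD5 is what dpkg records, so that is what we compare against."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dir(root, subdir, expected):
    """Return sorted (status, path) findings; status is 'modified' or 'unlisted'."""
    findings = []
    full = os.path.join(root, subdir)
    for name in sorted(os.listdir(full)):
        path = os.path.join(full, name)
        if not os.path.isfile(path):
            continue
        rel = os.path.relpath(path, root)
        if rel not in expected:
            findings.append(("unlisted", path))      # no package owns this module
        elif md5_of(path) != expected[rel]:
            findings.append(("modified", path))      # content differs from the package record
    return findings


def demo():
    """Constructed scenario: one clean module, one tampered module, one unlisted drop-in."""
    root = tempfile.mkdtemp()
    secdir = "lib/x86_64-linux-gnu/security"
    os.makedirs(os.path.join(root, secdir))
    clean, original, tampered = b"\x7fELF clean", b"\x7fELF original", b"\x7fELF original+extra"
    for name, data in {"pam_clean.so": clean, "pam_tampered.so": tampered, "pam_dropin.so": b"\x7fELF"}.items():
        with open(os.path.join(root, secdir, name), "wb") as f:
            f.write(data)
    # The manifest records the pre-tamper content of pam_tampered.so and knows nothing of pam_dropin.so.
    manifest = f"{hashlib.md5(clean).hexdigest()}  {secdir}/pam_clean.so\n" \
               f"{hashlib.md5(original).hexdigest()}  {secdir}/pam_tampered.so\n"
    return audit_dir(root, secdir, parse_md5sums(manifest))
```

On a real Debian or Ubuntu host, `dpkg -V` or `debsums` performs this comparison against /var/lib/dpkg/info/*.md5sums; since a root-level intruder can edit those manifests too, compare against a copy taken from a trusted source when investigating.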