From the quick nmap scan I saw that two ports were open: SSH and HTTP.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-50.png)
Browsing to port 80 shows that LiteCart is running on the box.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-51.png)
Running gobuster against it turned up a /backup directory.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-52.png)
It contained a tar file, which I downloaded to my local machine.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-53.png)
The file shop/admin/login.php inside the tar archive pointed me to a new location to browse to.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-54.png)
Browsing to it, I got the admin password:
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-55.png)
username: admin
password: theNextGenSt0r3!~
Logging in with those credentials at /shop/admin let me confirm the LiteCart version.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-56.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-57.png)
https://www.exploit-db.com/exploits/45267
This exploit does not work out of the box. I made some edits to the script and, together with a PHP bypass file, was able to get RCE. The bypass code came from the exploit below:
https://www.exploit-db.com/exploits/47462
```sh
python LiteCart.py -p 'theNextGenSt0r3!~' -u admin -t http://10.10.10.207/shop/admin/
```
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-58.png)
That gave me RCE through the browser.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-59.png)
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-60.png)
I found that there is a mysql user on the box. Running:

```
http://10.10.10.207/shop/vqmod/xml/mybypass.php?c=mysql -u root -pchangethis -e "select exec_cmd('whoami')"
```
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-61.png)
I generated a key pair on my local machine and wrote the public key into the mysql user's authorized_keys:

```
http://10.10.10.207/shop/vqmod/xml/mybypass.php?c=mysql -u root -pchangethis -e "select exec_cmd('echo <public key> > /var/lib/mysql/.ssh/authorized_keys')"
```
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-62.png)
That replaced the mysql user's key with the one I generated, so I should now be able to SSH into the system as mysql.
After logging in and enumerating the files, I got an interesting output:
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-63.png)
Password = 3*NLJE32I$Fe
I tried SSHing in as sysadmin with that password:
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-64.png)
With the clue I got, I searched for recently modified files and found /lib/x86_64-linux-gnu/security/.pam_unix.so. I downloaded the file:

```sh
scp [email protected]:/lib/x86_64-linux-gnu/security/pam_unix.so ./pam.so
```
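The search for recently modified files is the step that surfaced the tampered PAM module, but an mtime search alone is weak: an attacker can reset the timestamp with touch. The script below is an added example, not code from the original post. It pairs the mtime search with a comparison against the md5sums dpkg recorded at install time (the real database is under /var/lib/dpkg/info). build_demo() constructs a throwaway directory tree and a fake dpkg info directory so the whole thing runs offline; the file names and package name in it are constructed for the demo.

```python
# Added example (not from the original post): the "recently modified files"
# search that surfaced the tampered pam_unix.so, plus a check of each file
# against the md5sums dpkg recorded at install time, which still catches a
# replaced library whose mtime was reset with touch. build_demo() constructs
# a throwaway tree and fake dpkg info dir so it runs offline; on a real box
# the md5sums live under /var/lib/dpkg/info.
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path

DPKG_INFO = "/var/lib/dpkg/info"


def recently_modified(root, since_epoch):
    """Regular files under root whose mtime is newer than since_epoch (sorted)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mtime > since_epoch:
                hits.append(path)
    return sorted(hits)


def dpkg_recorded_md5(path, info_dir=DPKG_INFO):
    """MD5 dpkg recorded for path in <pkg>.md5sums, or None if no package owns it."""
    rel = path.lstrip("/")  # md5sums entries omit the leading slash
    for md5file in Path(info_dir).glob("*.md5sums"):
        with md5file.open() as fh:
            for line in fh:
                digest, _sep, name = line.rstrip("\n").partition("  ")
                if name == rel:
                    return digest
    return None


def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tampered(path, info_dir=DPKG_INFO):
    """'unowned' (no package claims it), 'ok' (matches dpkg's md5) or 'modified'."""
    recorded = dpkg_recorded_md5(path, info_dir)
    if recorded is None:
        return "unowned"
    return "ok" if file_md5(path) == recorded else "modified"


def build_demo():
    """Constructed sample: a 'security' dir with one pristine and one replaced
    module, and a fake dpkg info dir whose md5sums match only the pristine one."""
    base = tempfile.mkdtemp(prefix="pamcheck-")
    libdir = os.path.join(base, "security")
    info = os.path.join(base, "dpkg-info")
    os.makedirs(libdir)
    os.makedirs(info)
    clean = os.path.join(libdir, "pam_deny.so")
    tampered = os.path.join(libdir, "pam_unix.so")
    with open(clean, "wb") as fh:
        fh.write(b"clean module\n")
    with open(tampered, "wb") as fh:
        fh.write(b"backdoored module\n")
    # dpkg "recorded" both files; only the untouched one still matches
    with open(os.path.join(info, "libpam-modules:amd64.md5sums"), "w") as fh:
        fh.write(hashlib.md5(b"clean module\n").hexdigest() + "  " + clean.lstrip("/") + "\n")
        fh.write(hashlib.md5(b"original module\n").hexdigest() + "  " + tampered.lstrip("/") + "\n")
    # simulate an attacker resetting the mtime on the backdoored file
    os.utime(tampered, (0, 0))
    return {"libdir": libdir, "info": info, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    demo = build_demo()
    cutoff = time.time() - 30 * 86400  # "last 30 days" window, an assumption
    print("recently modified:", recently_modified(demo["libdir"], cutoff))
    for f in (demo["clean"], demo["tampered"]):
        print(f, "->", check_tampered(f, demo["info"]))
```

In the demo the mtime search lists only the untouched module, because the backdoored one had its timestamp reset, while the md5 check still reports it as modified. On a compromised host the md5sums files themselves could have been edited too, so the stronger version of this check compares against a freshly downloaded copy of the package (or runs debsums from a trusted environment) rather than trusting the on-disk dpkg database.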
I opened it in Ghidra:
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-65.png)
I started a new project,
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-66.png)
then dragged the .so file onto the application.
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-67.png)
Opening the authenticate function in the decompiler:
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-68.png)
This is equivalent to zlke~U3Env82m2-
![](https://ehackify.com/blog/wp-content/uploads/2020/09/image-69.png)
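When a backdoor builds its comparison string on the stack, Ghidra tends to show it as a handful of little-endian integer stores into a buffer rather than a readable literal, and the last step is to turn those constants back into bytes. The script below is an added example and not code from the original post: the decompiler lines in SAMPLE_DECOMPILER_OUTPUT are constructed here from the recovered password so the conversion can be checked, they are not the real pam_unix.so output, and the variable name backdoor is an assumption.

```python
# Added example (not from the original post): rebuild a string that Ghidra
# renders as field stores like `buf._8_4_ = 0x...;` and `buf[14] = 0x2d;`.
# The sample below is constructed from the recovered password
# "zlke~U3Env82m2-" to illustrate the pattern; it is not the real decompiler
# output of the tampered pam_unix.so, and the name `backdoor` is assumed.
import re

SAMPLE_DECOMPILER_OUTPUT = """
backdoor._0_8_ = 0x4533557e656b6c7a;
backdoor._8_4_ = 0x3238766e;
backdoor._12_2_ = 0x326d;
backdoor[14] = 0x2d;
"""

# `name._offset_width_ = 0xVALUE;`  (Ghidra's partial-field store syntax)
STORE_RE = re.compile(r"(\w+)\._(\d+)_(\d+)_\s*=\s*0x([0-9a-fA-F]+);")
# `name[index] = 0xVALUE;`           (single byte store)
BYTE_RE = re.compile(r"(\w+)\[(\d+)\]\s*=\s*0x([0-9a-fA-F]+);")


def parse_stores(text):
    """Return (name, byte offset, width, value) for every store in the text."""
    stores = []
    for line in text.splitlines():
        m = STORE_RE.search(line)
        if m:
            stores.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4), 16)))
            continue
        m = BYTE_RE.search(line)
        if m:
            stores.append((m.group(1), int(m.group(2)), 1, int(m.group(3), 16)))
    return stores


def rebuild_buffer(stores, name):
    """Lay the stores for `name` into a byte buffer; x86-64 is little-endian,
    so a 0x4533557e656b6c7a store puts 0x7a ('z') at the lowest address."""
    size = max(off + width for n, off, width, _ in stores if n == name)
    buf = bytearray(size)
    for n, off, width, value in stores:
        if n == name:
            buf[off:off + width] = value.to_bytes(width, "little")
    return bytes(buf)


def recover_string(text, name="backdoor"):
    """Rebuild the buffer and return it as text up to the first NUL."""
    raw = rebuild_buffer(parse_stores(text), name)
    return raw.split(b"\0", 1)[0].decode("latin-1")


if __name__ == "__main__":
    print(recover_string(SAMPLE_DECOMPILER_OUTPUT))
```

The same routine works for any stack-built string the decompiler splits into partial stores; if Ghidra has already merged the stores into one variable you can instead select the bytes in the listing and use its built-in string conversion.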