Compromised Writeup – Hack The Box

From a quick nmap scan I saw that two ports were open: SSH and HTTP.

Browsing to port 80 showed that LiteCart is running.

Running gobuster turned up a /backup directory.

From there I got a tar file, which I downloaded to my local machine.

The file shop/admin/login.php inside the tar archive pointed me to a new location to browse.

Browsing there gave me the admin password:

username: admin

password: theNextGenSt0r3!~

Logging in with the above credentials at /shop/admin let me confirm the LiteCart version.

https://www.exploit-db.com/exploits/45267

This exploit does not work directly. After some edits to the script, and together with a PHP bypass file, I was able to get RCE.

I took the bypass code from the exploit below:

https://www.exploit-db.com/exploits/47462

python LiteCart.py -p 'theNextGenSt0r3!~' -u admin -t http://10.10.10.207/shop/admin/

This gave me RCE through the browser.

I found that there was a mysql user on the box. Running

http://10.10.10.207/shop/vqmod/xml/mybypass.php?c=mysql -u root -pchangethis -e "select exec_cmd('whoami')"

I generated an SSH key pair on my local machine.

http://10.10.10.207/shop/vqmod/xml/mybypass.php?c=mysql -u root -pchangethis -e "select exec_cmd('echo *public key* > /var/lib/mysql/.ssh/authorized_keys')"

This replaced the mysql user's authorized key with the one I generated.

Now I should be able to SSH into the system as the mysql user.

After logging in and enumerating the files I got an interesting output:

Password = 3*NLJE32I$Fe

I tried to SSH in as sysadmin using this password.

With the clue I got, I searched for recently modified files and found /lib/x86_64-linux-gnu/security/.pam_unix.so.

I downloaded the file:

scp sysadmin@10.10.10.207:/lib/x86_64-linux-gnu/security/pam_unix.so ./pam.so

I opened it using Ghidra:

https://ghidra-sre.org/

I started a new project and then simply dragged the .so file onto the application.

Opening the authenticate function:

This is equivalent to zlke~U3Env82m2-
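As an added example that is not part of the original writeup, the following shell script bundles three host-side checks a defender would run against the techniques shown above: listing recently modified files in the PAM module directory, verifying each module against a known-good sha256 manifest (the kind of check that catches a patched pam_unix.so), and finding authorized_keys files planted under the homes of system accounts such as mysql. The directory layout, manifest, passwd entries and key files are all constructed in a temporary directory for the demo; on a real host you would point the functions at /lib/x86_64-linux-gnu/security, /etc/passwd and a manifest generated from a trusted package.

```shell
#!/bin/sh
# Added defender checks (example code, not from the original writeup).
# All paths and data below are constructed in a temp dir for the demo.

# 1. Files under DIR modified within the last MINUTES minutes, one per line.
#    This is the search that surfaced the modified PAM module on the box.
recently_modified() {
    dir=$1; minutes=$2
    find "$dir" -type f -mmin -"$minutes" 2>/dev/null | sort
}

# 2. Re-hash every file listed in a sha256sum manifest ("<hash>  <path>")
#    and print only the paths whose content no longer matches (or is gone).
#    A system library whose hash changed although no package update touched
#    it is what a patched pam_unix.so looks like from the outside.
verify_manifest() {
    manifest=$1
    sha256sum -c --quiet "$manifest" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# 3. Report system accounts (uid < 1000) that have a non-empty
#    .ssh/authorized_keys in their home directory. Service accounts such as
#    mysql should normally have no SSH keys at all. ROOT is an optional
#    prefix so the check can run against an offline copy of a filesystem.
service_account_keys() {
    passwd_file=$1; root=${2:-}
    while IFS=: read -r name _ uid _ _ home _; do
        [ "$uid" -lt 1000 ] || continue
        keyfile="$root$home/.ssh/authorized_keys"
        if [ -s "$keyfile" ]; then
            printf '%s %s\n' "$name" "$keyfile"
        fi
    done < "$passwd_file"
}

# Build a constructed filesystem snapshot and print its path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/security" "$tmp/var/lib/mysql/.ssh" "$tmp/home/alice/.ssh"
    printf 'original pam_unix\n' > "$tmp/security/pam_unix.so"
    printf 'original pam_deny\n' > "$tmp/security/pam_deny.so"
    # Manifest recorded while the modules were still known-good
    sha256sum "$tmp"/security/*.so > "$tmp/manifest.sha256"
    # Simulate the modification found on the box: the module body changes
    printf 'patched pam_unix\n' > "$tmp/security/pam_unix.so"
    # Constructed passwd entries: mysql is a system account, alice is not
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'mysql:x:111:116:MySQL Server:/var/lib/mysql:/bin/false' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$tmp/passwd"
    # Constructed keys: one planted on the service account, one legitimate
    printf 'ssh-ed25519 AAAAC3 constructed-planted-key\n' > "$tmp/var/lib/mysql/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAC3 constructed-user-key\n' > "$tmp/home/alice/.ssh/authorized_keys"
    printf '%s\n' "$tmp"
}

# Demo run on the constructed snapshot
snap=$(make_fixture)
echo "recently modified:";       recently_modified "$snap/security" 5
echo "hash mismatch:";           verify_manifest "$snap/manifest.sha256"
echo "keys on system accounts:"; service_account_keys "$snap/passwd" "$snap"
rm -rf "$snap"
```

On Debian-based systems `dpkg -V libpam-modules` performs the same comparison against the checksums recorded by the package, so no hand-made manifest is needed there. For the database side of the chain, `SELECT name, dl FROM mysql.func;` lists every user-defined function and the shared object it loads, which is where an exec_cmd-style UDF shows up.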