Dreaming
While the king of dreams was imprisoned, his home fell into ruins. Can you help Sandman restore his kingdom?
IP
10.10.41.39
Enumeration
Nmap reveals that we are working with a Linux machine with an HTTP server listening on port 80, serving the default Apache page

Enumerating directories with gobuster, we find an /app directory
Inside we find a directory listing that leads to Pluck CMS

We have a simple page with the title Dreaming

If we click on admin we get a login page

The password is very simple, it's literally password
Now we are in the Admin panel

In the pages section we can upload .phar files

Phar is a PHP package format, so we can upload a simple PHP shell and get a callback


Privilege Escalation
In the /opt directory we find two Python scripts

test.py is owned by lucien and has credentials that we can use to login with SSH

In the .bash_history file we can find credentials for the installed MySQL instance

Enumerating the databases we find a library db

Inside the dreams table we find two columns, dreamer and dream

Running sudo -l as the lucien user, we can see that lucien is allowed to run getDreams.py as the user death

This script connects to the MySQL db and echoes all the contents of the table, but it does so using the echo bash command. We can add a value to the MySQL table that concatenates two commands together, very similar to a web command injection
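The pattern described above, as an added example that is not the room's getDreams.py or code from this write-up: row values pasted into a shell command line, next to two forms that keep them as data. The function names, the "dreamer + dream" output format and the sample rows are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample rows standing in for the dreams table (dreamer, dream).
# The second row carries a harmless marker command instead of a real payload.
ROWS = [
    ("Alice", "Flying over the city"),
    ("Bob", "lost; printf INJECTED"),
]


def render_vulnerable(dreamer, dream):
    """Pattern from the write-up: table values become part of a shell command."""
    cmd = f"echo {dreamer} + {dream}"
    # shell=True hands the whole string to /bin/sh, so ';' in a row value
    # ends the echo and starts a second command as the script's user.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def render_safe_argv(dreamer, dream):
    """Hardened: no shell, the row is a single argv element of echo."""
    argv = ["echo", f"{dreamer} + {dream}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def render_quoted(dreamer, dream):
    """If a shell cannot be avoided, quote the value with shlex.quote first."""
    cmd = "echo " + shlex.quote(f"{dreamer} + {dream}")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def render_plain(dreamer, dream):
    """Simplest fix: format in Python, no subprocess involved at all."""
    return f"{dreamer} + {dream}\n"


if __name__ == "__main__":
    for row in ROWS:
        print("vulnerable:", repr(render_vulnerable(*row)))
        print("argv list :", repr(render_safe_argv(*row)))
        print("quoted    :", repr(render_quoted(*row)))
        print("plain     :", repr(render_plain(*row)))
```

Because the script is reachable through sudo as another user, anyone who can write to the table controls what that user executes; removing the shell from the script closes that path regardless of what the database contains.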


After running the script the output hangs and we get a shell back


Now to escalate to the morpheus user we find a script in the user's home directory that does a backup of a file

I guessed that this script runs in a cronjob or when a user logs in
We can modify the content of the shutil library and add a Python reverse shell

And we get a shell back
