Enumerating Web:
⇒ After we register and login we don’t get anything. Inspecting the cookies we see an
⇒ When we change the cookie we get the following error:
⇒ Researching for a while we come to the Padding Oracle Attack.
The padding oracle attack enables an attacker to decrypt encrypted data without knowing the encryption key or the cipher used, by sending carefully manipulated ciphertexts to the padding oracle and observing the results it returns.
⇒ We will be using padbuster, an automated script for performing Padding Oracle attacks:
padbuster http://10.10.10.18/index.php ZVrX75FDWtDjgwNByepfkxAvql%2FGQmhR 8 --cookies auth=ZVrX75FDWtDjgwNByepfkxAvql%2FGQmhR --encoding 0 -plaintext user=admin
→ We got the admin cookie.
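The reason padbuster works here is on the server side: the application reports a padding failure differently from every other failure, and that one bit of information is the oracle. The following is an added example (not code from the writeup or from the target machine) that shows that vulnerable cookie-check pattern next to a hardened version. The Python standard library has no AES, so the 16-byte block cipher is a toy stand-in (XOR with the key); CBC chaining and PKCS#7 padding around it behave exactly as they do over AES. The hardened variant authenticates the ciphertext with an HMAC (encrypt-then-MAC), compares the tag with `hmac.compare_digest`, and raises one generic error on every failure path; the key values and the `user=` cookie format are constructed for the example.

```python
"""Added example: the server-side pattern that creates a padding oracle, next to
a hardened version. The block "cipher" is a toy stand-in for AES (XOR with the
key: a permutation, but no security); CBC and PKCS#7 behave as over AES."""
import hashlib
import hmac
import os

BLOCK = 16
TAG_LEN = 32


class PaddingError(Exception):   # vulnerable server: distinct "bad padding" failure
    pass


class AuthError(Exception):      # generic "cookie rejected" failure
    pass


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _toy_block(key, block):
    # Toy stand-in for AES: E(b) = b XOR key. XOR is its own inverse, so the
    # same function is also the block decryption.
    return _xor(block, key)


def pad_pkcs7(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad_pkcs7(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext):
    iv = os.urandom(BLOCK)
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = _toy_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key, data):
    iv, ct = data[:BLOCK], data[BLOCK:]
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += _xor(_toy_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


# --- vulnerable: a padding failure is reported differently from other failures ---
def make_cookie_vulnerable(key, user):
    return cbc_encrypt(key, pad_pkcs7(b"user=" + user))


def check_cookie_vulnerable(key, cookie):
    try:
        plain = unpad_pkcs7(cbc_decrypt(key, cookie))
    except ValueError:
        raise PaddingError("Invalid padding")   # distinguishable: this is the oracle
    if not plain.startswith(b"user="):
        raise AuthError("Invalid user")
    return plain[5:]


# --- hardened: encrypt-then-MAC, constant-time tag check, one generic error ---
def make_cookie_hardened(enc_key, mac_key, user):
    ct = cbc_encrypt(enc_key, pad_pkcs7(b"user=" + user))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def check_cookie_hardened(enc_key, mac_key, cookie):
    ct, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    # Tampered ciphertext is rejected here, before padding is ever examined, and
    # every failure path raises the same error, so nothing about padding leaks.
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK or not hmac.compare_digest(tag, expected):
        raise AuthError("Invalid cookie")
    try:
        plain = unpad_pkcs7(cbc_decrypt(enc_key, ct))
    except ValueError:
        raise AuthError("Invalid cookie")
    if not plain.startswith(b"user="):
        raise AuthError("Invalid cookie")
    return plain[5:]


def flip_byte(cookie, index, mask=0x01):
    """Constructed tampering: flip one bit of the cookie at `index`."""
    b = bytearray(cookie)
    b[index] ^= mask
    return bytes(b)


def classify(check, *args):
    """Reduce the server's response to what a remote client can observe."""
    try:
        check(*args)
        return "ok"
    except PaddingError:
        return "padding"
    except AuthError:
        return "auth"
```

With `classify`, flipping a bit in the IV of a vulnerable cookie comes back as either "padding" or "auth" depending on where the flip lands, which is exactly the signal an automated tool needs; the hardened check answers "auth" to every modification. In production code the same property is obtained more simply with an AEAD mode such as AES-GCM or ChaCha20-Poly1305, which authenticates before decrypting by construction.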
⇒ We used the EditThisCookie extension and just replaced our cookie with the admin cookie:
→ We got user mitsos' SSH key:
⇒ SSH'ed in as user mitsos using the SSH key:
Privilege Escalation to root
⇒ In the user's home directory there's a backup binary which runs as root when we execute it.
⇒ After running strings on the binary we see that it does cat /etc/shadow. The full path to cat isn't specified, so we can perform PATH hijacking and escalate our privileges:
echo '/bin/sh' > cat
chmod +x cat
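The root cause on the binary side is that a privileged program asks the shell to resolve `cat` through a PATH the unprivileged caller controls. Below is an added example (not the machine's backup binary, whose source the writeup does not show) of how such a root helper should be written: the program path is absolute, the child gets an explicit minimal environment via `execve`, and a generic runner refuses any program name that is not an absolute path. The function names and the `/bin/cat` location are assumptions of this example.

```c
/* Added example: hardened shape of a root helper that reads a privileged file.
 * The vulnerable pattern the writeup describes is essentially
 *     system("cat /etc/shadow");      resolves "cat" through the caller's $PATH
 * Here the program path is absolute and the child receives a fixed environment,
 * so nothing the invoking user controls decides which "cat" runs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Minimal environment handed to the child: a fixed PATH and nothing else. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* 1 if `p` is absolute (never subject to PATH lookup), 0 otherwise. */
int is_absolute_path(const char *p)
{
    return p != NULL && p[0] == '/';
}

/* Fork and execve `prog` with `argv` under CLEAN_ENV.
 * Returns the child's exit status, 127 if exec failed, -1 on refusal/error.
 * A non-absolute program path is refused outright. */
int run_program_safely(const char *prog, char *const argv[])
{
    if (!is_absolute_path(prog))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, CLEAN_ENV);
        _exit(127);                 /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The privileged operation itself: always /bin/cat, never a bare "cat". */
int run_cat_safely(const char *file)
{
    char *const argv[] = { "cat", (char *)file, NULL };
    return run_program_safely("/bin/cat", argv);
}

/* Demonstrates the refusal path: a bare "cat" is never executed (returns -1). */
int run_unqualified_demo(void)
{
    char *const argv[] = { "cat", "/dev/null", NULL };
    return run_program_safely("cat", argv);
}

int main(void)
{
    /* As root this prints the shadow file; as any other user cat exits non-zero
     * with a permission error, and the exit status is passed through. */
    return run_cat_safely("/etc/shadow");
}
```

The same rules apply if `system()` is kept for convenience: set PATH explicitly (or clear the environment) before the call and name the program by absolute path. On the detection side, a setuid or sudo-invoked binary whose `strings` output shows bare command names is the thing to look for in a review, which is precisely what the writeup's enumeration step noticed.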