## Overview

This medium-difficulty box demonstrates SQL injection to access an admin panel, uploading a reverse shell for initial access, and privilege escalation through ClamAV custom YARA rules.
## Reconnaissance

Initial nmap scan reveals SSH on port 22 and HTTP on port 80:

```bash
nmap -v -sV -sC -oA nmap lockdown.thm
```
Key findings:
- SSH: OpenSSH 7.6p1
- HTTP: Apache 2.4.29 running a "Coronavirus Contact Tracer" application
## SQL Injection & Admin Access

The application presents an admin login panel. Standard SQL injection payloads work:

```
Username: ' or 1=1 -- -
Password: (anything)
```
This bypasses authentication and grants access to the admin panel.
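To show why the payload above works and what the fix looks like, here is an added example (not code from the box or from the Contact Tracer application): a constructed in-memory SQLite table with a login written two ways. The concatenated query lets the `' or 1=1 -- -` string rewrite the `WHERE` clause and comment out the password check; the parameterized query binds the same string as a literal value and the bypass fails. Table layout, the `admin` row and the password are all made up for the demo (stored in plaintext only to keep it short).

```python
import sqlite3

# The bypass string from the writeup, used here as the username.
PAYLOAD_USER = "' or 1=1 -- -"


def make_db():
    """Constructed sample database; not the box's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker text becomes part of the SQL statement.

    With PAYLOAD_USER the statement becomes
      SELECT id FROM users WHERE username = '' or 1=1 -- -' AND password = '...'
    and everything after '--' is a comment, so the password check disappears.
    """
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Placeholders: the driver binds the values; input is never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD_USER, "x"))
    print("parameterized login with payload:", login_parameterized(db, PAYLOAD_USER, "x"))
```

The same distinction applies to PHP/MySQL: `mysqli_query` with interpolated strings is the vulnerable shape, and prepared statements with bound parameters are the fix.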
## Web Shell Upload

Within the admin panel at /admin/?page=system_info, there's an unrestricted file upload for a logo image. Uploading a PHP reverse shell provides code execution. The shell executes after logging out and visiting the main site, because the main page loads the uploaded logo.
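The upload above succeeds because the handler accepts any file as a "logo". An added example (not the application's code) of the validation a logo upload should perform: allow-list the extension, reject double extensions such as `shell.php.png`, require the file's magic bytes to match the claimed image type, refuse content containing PHP tags, and store the file under a server-generated name. The sample PNG and PHP payloads in the demo are constructed.

```python
import os
import secrets

# Allowed image extensions and the leading bytes each format must carry.
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_logo_upload(filename, data):
    """Return (ok, reason, stored_name).

    stored_name is a random, server-chosen name with the validated extension,
    so the uploader never controls the path that ends up on disk.
    """
    base = os.path.basename(filename)          # drop any directory components
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed", None
    if "." in root:                            # shell.php.png style names
        return False, "multiple extensions", None
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension", None
    if b"<?php" in data or b"<?=" in data:     # polyglot image with PHP inside
        return False, "embedded PHP tag", None
    return True, "ok", secrets.token_hex(8) + ext


# Constructed sample uploads for a quick self-check.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SHELL = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    print(validate_logo_upload("logo.png", SAMPLE_PNG))
    print(validate_logo_upload("shell.php", SAMPLE_SHELL))
    print(validate_logo_upload("shell.php.png", SAMPLE_PNG))
```

Validation alone is not the whole fix: the upload directory should also be served with the PHP handler disabled (or sit outside the web root and be served through a script that sets an image content type), so that even a file that slips through is never executed.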
## User Enumeration

Examining /var/www/html/config.php leads to /classes/DBConnection.php, which contains database credentials:

```
User: cts
Database: cts_db
```

Accessing the MySQL database and querying the users table reveals an MD5 password hash. After cracking it:

```
cyrus : [cracked_password]
```
SSH access is established by importing an SSH key to the user's authorized_keys.
## Privilege Escalation

The user can execute scan.sh as root via sudo. The script uses ClamAV's clamscan utility. ClamAV supports custom YARA rules stored in /var/lib/clamav, which is writable by the user.

A custom YARA rule is created to match arbitrary strings and quarantine files:

```yara
rule test {
    strings:
        $show = "root"
    condition:
        $show
}
```
Running the root-level scan against /etc/shadow copies the file to a readable quarantine directory. The extracted hash for user maxine is cracked:
```
maxine : [cracked_password]
```

The maxine user has unrestricted sudo privileges, allowing immediate root access:

```bash
sudo su
```

Root access achieved.
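The root cause of this escalation is a signature directory that root trusts but a low-privilege user can write to: ClamAV loads `.yar`/`.yara` files (and its own `.cvd`/`.cld`/`.ldb`/`.ndb`/`.hdb` databases) from its database directory, so whoever can write there chooses what a root-run `clamscan` does with matched files. As an added example (not part of the writeup or of ClamAV), here is a small audit that reports ownership and writability problems for such a directory and for the rule files inside it. The mode/uid/gid values in the self-check are constructed; `/var/lib/clamav` is only the default path the writeup names.

```python
import os
import stat

# File types ClamAV reads from its database directory.
SIGNATURE_SUFFIXES = (".yar", ".yara", ".cvd", ".cld", ".ldb", ".ndb", ".hdb")


def audit_mode(mode, uid, gid):
    """Findings for a path that a root-run scanner trusts.

    mode is an st_mode value, uid/gid the owner. Anything that lets a
    non-root principal modify the path is reported.
    """
    findings = []
    if uid != 0:
        findings.append("owned by non-root uid %d" % uid)
    if mode & stat.S_IWGRP and gid != 0:
        findings.append("writable by non-root group %d" % gid)
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_path(path):
    """Audit a real path with os.stat (no following of symlinks)."""
    st = os.lstat(path)
    return audit_mode(st.st_mode, st.st_uid, st.st_gid)


def audit_signature_dir(dirpath):
    """Return {path: findings} for the directory and every signature file in it.

    Only entries with findings are included, so an empty dict means clean.
    """
    report = {}
    found = audit_path(dirpath)
    if found:
        report[dirpath] = found
    for name in sorted(os.listdir(dirpath)):
        if not name.lower().endswith(SIGNATURE_SUFFIXES):
            continue
        full = os.path.join(dirpath, name)
        found = audit_path(full)
        if found:
            report[full] = found
    return report


if __name__ == "__main__":
    target = "/var/lib/clamav"   # default location named in the writeup
    if os.path.isdir(target):
        for path, problems in audit_signature_dir(target).items():
            print(path, "->", ", ".join(problems))
    else:
        print(target, "not present on this host")
```

A clean result from this audit is necessary but not sufficient: the sudo rule itself (`scan.sh` as root, with arguments and environment the user controls) still deserves review, and quarantine output from a root scan should land in a directory only root can read.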