80, 443, 8080

80

Unresponsive.

8080

I was able to create an account and log in. We have the ability to upload files of any type, but it doesn't show the uploads directory. The source code doesn't reveal much.

We can access the files uploaded.

The upload part was tricky. It would not take .php files but will take any arbitrary extension, which means there is a blacklist instead of a whitelist. After trying multiple extensions, .phps and .phar worked. Interestingly, I get 403 Forbidden when opening the .phps but not the .phar!
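The difference between the two filter styles described above, as an added example that is not the target application's code. The function names, the blocked list and the allowed types are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the target application's code.

// Blacklist: rejects listed extensions, accepts everything else.
function blacklist_accepts(string $name): bool
{
    $blocked = ['php', 'php5', 'phtml']; // assumed list; the page only shows .php is refused
    return !in_array(strtolower(pathinfo($name, PATHINFO_EXTENSION)), $blocked, true);
}

// Allowlist: accept only expected types, confirm the content matches the
// extension, and return a server-generated name (null means reject).
function allowlist_store_name(string $name, string $bytes): ?string
{
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    // Random name with a single known extension; store it outside the web root
    // or in a directory where the server never runs script handlers.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: file name => content.
$png = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0);
$php = "<?php echo 'test'; ?>";
$samples = [
    'scan.png'   => $png,
    'notes.php'  => $php,
    'notes.phar' => $php,
    'notes.phps' => $php,
    'fake.png'   => $php,
];
foreach ($samples as $name => $bytes) {
    printf("%-11s blacklist=%-6s allowlist=%s\n", $name,
        blacklist_accepts($name) ? 'accept' : 'reject',
        allowlist_store_name($name, $bytes) === null ? 'reject' : 'accept');
}
```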

We get code execution by uploading .phar files. I tried uploading the simple PHP shell but it won't give us any output. If I try pentestmonkey's reverse shell I do get a connection back, but it closes without a shell.

Learned it from ippsec: if we do phpinfo() instead of system(), we can leak the phpinfo page.

That shows the functions that are disabled, which explains why the reverse shell was not working and was giving me this error:

Bypass disable_functions

When uploading the .phar file again I put this code:

After opening the link to this .phar file we get the following output:

This feels similar to utilizing GTFObins. Here we find the functions that ARE dangerous but not disabled. So now we wanna choose one of the functions that can give us code execution.

Turns out the popen() function can do command execution. This post explains how it's done. We can open a binary and add its arguments inside the popen() function.

I can run a bash command here to get a reverse shell, but a nice way is to use p0wny-shell. And we get a shell as www-data.

And from there we can run

I had to do a reverse shell because our uploaded PHP shell gets removed after some time.

443

Another login page, this time to the hospital webmail. It runs Roundcube.

Credentialed - drwilliams

This pair of credentials worked to get us inside the dashboard: drwilliams:qwe123!@#

It talks about esp scripts and GhostScripts. Now onto privesc.
