MedJed – Proving Grounds Walkthrough
MedJed is rated as “Hard” by the Offensive Security community. I personally found the box a little bit frustrating as there was a lot of guesswork that was done, especially in the early stages of the box. Nevertheless, it’s always fun to eventually figure it out and notch up another machine.
We start with nmap:
sudo nmap -sC -p- 192.168.247.127 -oA nmap/full
We have SQL on port 3306 which we cannot log into, a bunch of RPC ports, and some HTTP servers on ports 33033, 45332 and 45443. Let’s try logging into the FTP server, which is located on port 30021. It was hanging a lot for me.
I used Filezilla and was able to browse the files. There are some config files there but I couldn’t find anything of note and we cannot write to the directories.
We enumerate the websites. There is nothing there, but it is always worth looking for interesting information on the phpinfo.php pages, as this can reveal web server details and possible paths to exploit.
Jump over to the webserver, starting with 33033. Looks like some kind of CMS, but our attention is drawn to the cat.
There is also a Login and password reset button.
After spending what felt like forever, we managed to reset the password for account “jerren.devops” with the following. I tried all the profiles with words listed on the page for the “reminder” section. Importantly, during this time, we had started GoBuster on the other ports in case this didn’t work out. I very nearly gave up here. Like a lot of people, I think I got lucky, which is why I don’t really like the box. Perseverance counts.
From there we go into the profile;
And then Edit;
We get a big hint in regards to the SLUG request, which looks like querying a MySQL database. Let’s test to see if it’s vulnerable to SQL injection by inputting a single quotation mark.
Looks like this is vulnerable to SQLi, and the vulnerable query is also revealed;
We should be able to write a basic php shell to this machine and run commands on it from our Kali machine.
We enter the following into the SLUG request field. We can enumerate the base install path for Xampp via the phpinfo page we saw before.
' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/command.php' -- -'
When we hit Request we don’t get an error on our page and note that the URL has changed. We can attempt to run some commands using our new shell by using curl.
Awesome! Let’s try to upload a proper reverse shell onto the box and execute it. I create a reverse shell using msfvenom. I am going to use the certutil command on my php shell to call back to my Kali box, but we will need to URL encode the command to account for the spaces and characters in the link.
Paste the certutil command onto the end of our php shell. Make sure your HTTP server is up and running on your Kali machine.
Set up our netcat listener and execute the shell by once again amending the command to run the reverse shell.
And we get our shell back!
Running winPEAS on the machine we find an entry noting we have write privileges to a file that is part of the BarracudaDrive service. This means we can overwrite this file, and restart the service/machine and potentially escalate privileges.
We can double-check the privileges using icacls.
We can use the same reverse shell we uploaded via our basic php shell, and use it to simply overwrite the vulnerable bd.exe. Use the following command.
We then issue the restart command and restart our netcat listener.
We wait a minute for the machine to restart…and we get our shell back as SYSTEM.
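The root cause of the escalation is the ACL that the icacls check above reads: a service binary writable by a non-administrative principal. The audit below is an added example, not part of the original walkthrough; it parses icacls output and reports any allow ACE that grants write access to a principal outside a trusted set. The sample path, sample ACL and the TRUSTED list are constructed assumptions.

```python
import re

# Principals expected to hold write access to a service binary (assumed allowlist).
TRUSTED = {
    r"nt authority\system",
    r"builtin\administrators",
    r"nt service\trustedinstaller",
}
# icacls inheritance markers; they describe how an ACE applies, not a right.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that let the holder change or re-permission the file.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")


def writable_by_untrusted(icacls_output, path):
    """Return [(principal, sorted rights)] for allow ACEs that grant write
    access on `path` to a principal outside TRUSTED."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("groups")):
            tokens.update(t.strip().upper() for t in group.split(","))
        if "DENY" in tokens or "IO" in tokens:
            continue  # deny ACE, or inherit-only ACE that does not apply here
        rights = (tokens - INHERIT_FLAGS) & WRITE_RIGHTS
        who = m.group("who").strip()
        if rights and who.lower() not in TRUSTED:
            findings.append((who, sorted(rights)))
    return findings


# Constructed sample in icacls output format; path and ACL are illustrative.
SAMPLE_PATH = r"C:\example\bd.exe"
SAMPLE = r"""C:\example\bd.exe BUILTIN\Administrators:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Users:(I)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in writable_by_untrusted(SAMPLE, SAMPLE_PATH):
        print(f"{SAMPLE_PATH}: {who} holds {','.join(rights)}")
```

An empty result for every service binary path is the state to aim for; any finding means an unprivileged account can replace code that the service runs with its own privileges.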